#5
7th July 2008
audio

People exploit Apache all the time, so I know it's possible. For example, in Absolute FreeBSD, 2nd edition, the author said the attacker can get around not having a home directory by using /tmp, which is world-writable.

I suspect a way to detect an attack on Apache running as user 'www' where perhaps the attacker hasn't yet gotten full access would be to check /tmp for files owned by www.

It just seems like there have to be more sophisticated ways to detect something like that at the host level, such as the kernel realizing and logging commands that the user www is trying to carry out.
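The /tmp check suggested in the post above, as an added example that is not part of the original post: it lists regular files owned by the web server account and separates those with an execute bit set from plain data files. The account name `www` and the directory `/tmp` come from the post; the function name `scan_owned` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).
# scan_owned DIR USER
#   Prints one line per regular file under DIR owned by USER:
#     EXEC <path>  - at least one execute bit is set
#     FILE <path>  - no execute bit is set
# Caveat: a web server legitimately writes some files to /tmp (for example
# PHP session and upload temp files), so FILE lines need a baseline before
# they mean anything. EXEC lines are the ones to review first.
scan_owned() {
    scan_dir=$1
    scan_user=$2

    # -xdev keeps the walk on the filesystem that holds DIR.
    # The three -perm tests are the portable way to say "any execute bit";
    # they work with both FreeBSD find and GNU find.
    find "$scan_dir" -xdev -type f -user "$scan_user" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/EXEC /'

    find "$scan_dir" -xdev -type f -user "$scan_user" \
        ! \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/FILE /'
}
```

Run as `scan_owned /tmp www` from a periodic job and compare the output with the previous run; a new EXEC line is the case the post is describing.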