The best place to start is your logs. The attack vector was most likely found by trial and error. Look through your error logs to find source IP addresses that have frequent errors, and then go back and see what requests they successfully received. Look for requests that have URLs appended to them. These are typically remote file includes. Sometimes they are written to the file system and sometimes they are launched and deleted. See if you can duplicate the behavior. It's tedious, but it'll help you find how those files got there.
If you have any common open source web apps installed, check to make sure that your site is at the current recommended revision level. Apply any patches or work-arounds for known issues. For your custom code, make sure that you validate all form inputs.
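A log-triage script for the procedure described above, added here as an example and not part of the original answer. It assumes Apache/nginx combined-format access logs; the log lines, IP addresses and file names are constructed samples.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format (sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A query-string value that is itself a URL is the classic remote-file-include shape.
URL_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?page=http://203.0.113.99/x.txt HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?page=http://203.0.113.99/x.txt HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.99%2Fx.txt HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /x.php HTTP/1.1" 404 512
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 2048
"""

def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def error_counts(entries):
    """Step 1: count 4xx/5xx responses per source IP (trial-and-error noise)."""
    return Counter(e["ip"] for e in entries if int(e["status"]) >= 400)

def rfi_candidates(entries, suspect_ips):
    """Step 2: for noisy IPs, list *successful* requests whose query values are URLs."""
    hits = defaultdict(list)
    for e in entries:
        if e["ip"] not in suspect_ips or not (200 <= int(e["status"]) < 300):
            continue
        for key, value in parse_qsl(urlsplit(e["path"]).query, keep_blank_values=True):
            if URL_RE.match(unquote(value)):  # handle %-encoded URLs too
                hits[e["ip"]].append((e["ts"], key, unquote(value)))
    return dict(hits)

def triage(log_text, min_errors=3):
    """Return (errors per IP, RFI-looking successful requests from IPs over the threshold)."""
    entries = list(parse(log_text.splitlines()))
    errs = error_counts(entries)
    suspects = {ip for ip, n in errs.items() if n >= min_errors}
    return errs, rfi_candidates(entries, suspects)
```

The timestamps returned for each hit are what you take back to the file system to compare against the creation times of the unexpected files.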