I have the Suhosin extension installed for PHP and have received the following alert a few times over the past few days:
Feb 24 10:16:55 server suhosin[23852]: ALERT - function within blacklist called: popen() (attacker 'xxx.xxx.xxx.xxx', file '/usr/share/psa-pear/Mail/sendmail.php', line 146)
My question is: how do I go about tracing where the function call came from?
I don't believe anything should be using the function and it's making me think something is trying to use it that shouldn't.
The IP address (which I've removed) looks like a genuine one (i.e. not mapping to a Taiwan or other ISP), but searching for things like POP connections from it to try to deduce the VHOST has turned up nothing.
Any ideas?
Thanks