[users@httpd] Please help... apache hacked?

Hi,
 
I'm running an older version of Apache, 1.3.28, under a SuSE install.
 
Today I noticed that somehow a bots.txt Perl program is being run, yet it is not run from the filesystem. Somehow this script is being downloaded and run.
 
Yesterday the server was also a victim of an attack from PSYCH@ mass defacement. I don't know if these 2 attacks are related in any way, but I certainly need help to figure out what to do!
 
Does anyone know anything related to running this bots.txt? Here's what I have in my error_log:
 
--11:51:13--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  683.08 KB/s

11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:15:55--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  683.08 KB/s

12:15:55 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:22:25--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  652.03 KB/s

12:22:25 (652.03 KB/s) - `bots.txt' saved [29378/29378]

--12:44:05--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  652.03 KB/s

I have blocked traffic to prevent retrieving this script from tehboob.be, but that is only a temporary workaround. How is this program being run? This is the top-level error_log, and I don't understand how a Perl program is being downloaded and then run.
 
As for the mass defacement "By PSYch@ AYYILDIZ-TIM", does anyone know anything about that? Basically all of the index.html, index.htm and index.php files (in all sites) were replaced.
 
One thing I was able to tell via lsof is that the program running bots.txt was accessing all of the /var/log/httpd/* logs, so I'm guessing that they were collecting website information?
 
PLEASE HELP...
 
Thanks
Ricardo
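The wget transcript above ends up in error_log because a process spawned by the web server ran wget with its stderr still attached to Apache's log. The following parser, added here and not part of Ricardo's mail or any reply, pulls those embedded transfers out of an error_log so the fetched URL, the contacted host and IP, the timestamps and whether each download completed can be listed for blocking and for correlating against access_log. The sample log is constructed in the shape of the quoted output and its second transfer is cut off, as the last one in the mail is.

```python
import re

# Constructed sample in the shape of the wget output the post quotes from error_log,
# not the poster's real log; the second transfer is cut off, as the last one in the post is.
SAMPLE_ERROR_LOG = """\
[Sun Oct 12 11:50:59 2003] [error] [client 10.0.0.5] File does not exist: /srv/www/htdocs/favicon.ico
--11:51:13--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]
--12:44:05--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
"""

START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
CONNECT = re.compile(r"^Connecting to (\S+?)\[([\d.]+)\]:(\d+)")
SAVED = re.compile(r"^\d\d:\d\d:\d\d .* saved \[(\d+)/(\d+)\]")

def parse_wget_fetches(log_text):
    # wget only lands in error_log when a process spawned by the web server
    # (CGI, PHP shell_exec, ...) runs it with stderr inherited from Apache.
    # Each "--HH:MM:SS--  URL" line opens a record; a transfer that never
    # reaches its "saved [n/n]" line stays flagged as incomplete.
    fetches, cur = [], None
    for line in log_text.splitlines():
        if m := START.match(line):
            cur = {"started": m[1], "url": m[2], "host": None, "ip": None,
                   "port": None, "bytes": None, "saved": False}
            fetches.append(cur)
        elif cur and (m := CONNECT.match(line)):
            cur["host"], cur["ip"], cur["port"] = m[1], m[2], int(m[3])
        elif cur and (m := SAVED.match(line)):
            cur["saved"], cur["bytes"] = True, int(m[1])
    return fetches

def fetch_counts(fetches):
    # Repeated pulls of the same URL from inside the web server are the tell;
    # the resulting host/IP list is what to block and hunt for in access logs.
    counts = {}
    for f in fetches:
        counts[f["url"]] = counts.get(f["url"], 0) + 1
    return counts
```

Run it over the real file with `parse_wget_fetches(open("/var/log/httpd/error_log").read())`; the `started` timestamps are what to line up against access_log requests at the same second to find the CGI or PHP script that spawned wget.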
