Ricardo Kleemann schrieb:
Hi,I'm running an older version of apache 1.3.28 under a Suse install. Today I noticed that somehow a bots.txt perl program is being run, yet it is not run from the filesystem. Somehow this script is being downloaded and run. Yesterday the server was also a victim of an attack from PSYCH@ mass defacement. I don't know if these 2 attacks are related in any way, but I certainly need help to figure out what to do! Does anyone know anything related to running this bots.txt? Here's what I have in my error_log: --11:51:13-- http://tehboob.be/bots.txt=> `bots.txt' Resolving tehboob.be... done. Connecting to tehboob.be[72.20.8.243]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 29,378 [text/plain]0K .......... .......... ........ 100% 683.08 KB/s
A first look shows that the script "bots.txt" currently available targets vulnerable installation of "Joomla" and "Mambo". There are some vulnerabilities reported for the included phpBB and an extension called perForms.
The bot seems to join a specific IRC-chan waiting for commands and looking for new vulnerable installations via google-searches.
Perhaps you want to replace any wget-binaries with a shell script logging environment and command-line switches to identify the document used to retrieve the script.
PLEASE HELP...
You should stop your Apache! :D .max --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx