Re: [users@httpd] Please help... apache hacked?


does ANYBODY even know what bots.txt even DOES?

bots.txt should look like this:

accept all
reject altaVista

look at virussin.com/bots.txt to see what it SHOULD do... it's for
SEARCH ENGINES. the bot grabs it, looks at it, and if it's on the
white list of engines, it caches the site, if it's on the blacklist
(reject), it sulks away into a corner...


This particular bots.txt is downloaded from tehboob.be and then is run (somehow) from /.

This bots.txt is a perl program that connects to irc servers and sends out apache access_log information.

A few other clues... when I run ps, it shows the processes as "syslogd -m 0", but really when looked at with the "real" name it simply shows perl. It's just running the perl interpreter as nobody (since apache runs as nobody). When I look at lsof, it shows that the cwd is /. So how apache is able to download a program, and run it, from /, I don't understand.

How can I block apache from being able to do such a thing? Again, here's the output from the error_log that shows the download happening, and then I have no idea how, after downloaded, the program is run.

--11:51:13--  http://tehboob.be/bots.txt
          => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 683.08 KB/s

My guess is that maybe the hackers installed a program that is performing this download. But I've searched the joomla installation for any file containing "bots.txt" to no success.

Can someone explain why this is logged in the error_log and not in the access_log?
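A defender-side check for the symptom described in the post above (a perl process that ps lists as "syslogd -m 0", owned by nobody, with cwd /): this is an added example, not code from the thread. It compares /proc/<pid>/exe, which a process cannot rewrite, against argv[0], which it can; the sample records are constructed, and "nobody" as the web-server user is an assumption.

```python
"""Flag processes whose argv[0] disguises the binary actually running (added example)."""
import os
import pwd
from dataclasses import dataclass

WEB_USER = "nobody"                       # assumption: the user httpd runs as
INTERPRETERS = {"perl", "python", "python3", "sh", "bash"}

@dataclass
class Proc:
    pid: int
    user: str    # process owner
    exe: str     # target of /proc/<pid>/exe: the binary really running
    argv0: str   # first word of /proc/<pid>/cmdline: what ps shows
    cwd: str     # target of /proc/<pid>/cwd

def is_suspicious(p: Proc) -> list:
    """Reasons this process resembles the masquerading perl bot (may be empty)."""
    real, shown = os.path.basename(p.exe), os.path.basename(p.argv0)
    reasons = []
    # argv[0] is freely settable by the process; /proc/<pid>/exe is not
    if real and shown and not (real.startswith(shown) or shown.startswith(real)):
        reasons.append(f"ps shows {shown!r} but exe is {real!r}")
    if p.user == WEB_USER and real in INTERPRETERS:
        reasons.append(f"{real} interpreter running as {p.user}")
    if p.user == WEB_USER and p.cwd == "/":
        reasons.append(f"{p.user} process has cwd /")
    return reasons

def audit(procs) -> dict:
    """Map pid -> reasons for every process that tripped a check."""
    return {p.pid: r for p in procs if (r := is_suspicious(p))}

def live_procs():
    """Yield Proc records from /proc on a Linux host (skips unreadable pids)."""
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            user = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
            yield Proc(pid, user, os.readlink(f"/proc/{pid}/exe"),
                       argv0, os.readlink(f"/proc/{pid}/cwd"))
        except (OSError, KeyError):
            continue  # process exited, or not readable by this user

# Constructed sample: the bot from the thread, a real syslogd, and httpd itself.
SAMPLE = [Proc(1234, "nobody", "/usr/bin/perl", "syslogd", "/"),
          Proc(500, "root", "/sbin/syslogd", "syslogd", "/"),
          Proc(600, "nobody", "/usr/sbin/httpd", "/usr/sbin/httpd", "/var/www")]
```

Run `audit(live_procs())` as root on the affected host to get the same report for real processes; only the perl process in SAMPLE trips the checks.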



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.


