Does ANYBODY even know what bots.txt even DOES? bots.txt should look like this:

accept all
reject altaVista

Look at virussin.com/bots.txt to see what it SHOULD do... it's for SEARCH ENGINES. The bot grabs it, looks at it, and if it's on the white list of engines, it caches the site; if it's on the blacklist (reject), it sulks away into a corner...
This particular bots.txt is downloaded from tehboob.be and then is run (somehow) from /.
This bots.txt is a Perl program that connects to IRC servers and sends out Apache access_log information.
A few other clues... when I run ps, it shows the processes as "syslogd -m 0", but really when looked at with the "real" name it simply shows perl. It's just running the perl interpreter as nobody (since apache runs as nobody). When I look at lsof, it shows that the cwd is /. So how apache is able to download a program, and run it, from /, I don't understand.
How can I block Apache from being able to do such a thing? Again, here's the output from the error_log that shows the download happening, and then I have no idea how, after being downloaded, the program is run.
--11:51:13--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........    100%  683.08 KB/s
My guess is that maybe the hackers installed a program that is performing this download. But I've searched the Joomla installation for any file containing "bots.txt" with no success.
Can someone explain why this is logged in the error_log and not in the access_log?
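The mismatch described in the message above (ps showing "syslogd -m 0" while the real executable is perl, running as the Apache user with cwd /) can be checked for on Linux by comparing /proc/<pid>/exe with the first token of /proc/<pid>/cmdline. The script below is an added example, not part of the original message; it assumes a Linux /proc, the "nobody" account named in the post, and root privileges to read other users' exe links, and its prefix-match rule is a heuristic chosen for this example.

```python
import os

def shown_name(cmdline: bytes) -> str:
    """Name that ps displays: first token of /proc/<pid>/cmdline."""
    tokens = cmdline.replace(b"\0", b" ").split()
    name = tokens[0].decode(errors="replace") if tokens else ""
    # "-bash" (login shell) and "nginx:" (proctitle) are normal decorations.
    return os.path.basename(name.lstrip("-").rstrip(":"))

def real_name(exe: str) -> str:
    """Name of the binary actually running, from the /proc/<pid>/exe link."""
    if exe.endswith(" (deleted)"):  # binary unlinked after start
        exe = exe[: -len(" (deleted)")]
    return os.path.basename(exe)

def is_masquerading(exe: str, cmdline: bytes) -> bool:
    """True when the displayed name does not belong to the real executable.

    Heuristic (assumption of this example): names match if one is a prefix
    of the other, so python3 vs python3.11 passes. Symlinked shells such as
    sh -> dash will still be reported and need manual review.
    """
    shown, real = shown_name(cmdline), real_name(exe)
    if not shown or not real:  # kernel threads have an empty cmdline
        return False
    return not (real.startswith(shown) or shown.startswith(real))

def scan(uid: int, proc: str = "/proc"):
    """Yield (pid, real exe, displayed command line, cwd) for suspect processes."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            if os.stat(base).st_uid != uid:
                continue
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited, or insufficient privileges
        if is_masquerading(exe, cmdline):
            shown = cmdline.replace(b"\0", b" ").decode(errors="replace").strip()
            yield pid, exe, shown, cwd

if __name__ == "__main__":
    import pwd
    for hit in scan(pwd.getpwnam("nobody").pw_uid):
        print(*hit, sep="\t")
```

A hit whose real executable is an interpreter and whose cwd is / or a world-writable directory matches the pattern reported in the message.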
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.