Re: [users@httpd] Please help... apache hacked?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Please help... apache hacked?
From: Dave Henderson <dhenderson@xxxxxxxxxxxxxxxx>
Date: Sun, 16 Jul 2006 12:02:35 -0700 (PDT)
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxx
Delivered-to: apmail-httpd-users-archive@xxxxxxxxxxxxxxxx
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <003801c6a829$e08f48d0$6400a8c0@Ricardo>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: users@xxxxxxxxxxxxxxxx

Ricardo Kleemann <ricardo@xxxxxxxxxxxxxxx> wrote:

Thanks Max.

> A first look shows that the script "bots.txt" currently available targets
> vulnerable installation of "Joomla" and "Mambo". There are some
> vulnerabilities reported for the included phpBB and an extension called
> perForms.

But how in the first place, is apache even downloading the bots.txt, and
then, running it? Is it running in-memory, since it's not anywhere in the
filesystem ?

And what commands can be run on port 80 to do the download/run of the
script?

>
> The bot seems to join a specific IRC-chan waiting for commands and looking
> for new vulnerable installations via google-searches.
>
> Perhaps you want to replace any wget-binaries with a shell script logging
> environment and command-line switches to identify the document used to
> retrieve the script.
>
>> PLEASE HELP...
>>
>
> You should stop your Apache! :D
>
> .max
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Just my two cents (which are probably wrong :) ), but have your checked any cron jobs that may be running?

Dave

References:
- Re: [users@httpd] Please help... apache hacked?
  - From: Ricardo Kleemann

Prev by Date: [users@httpd] how to compile apache with out depending on the mechine name (UNIX)
Next by Date: Re: [users@httpd] Please help... apache hacked?
Previous by thread: [users@httpd] Re: Please help... apache hacked?
Next by thread: [users@httpd] Apache2 vhost log
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]