httpd-users mailing list archives

From "Ricardo Kleemann" <rica...@americasnet.com>
Subject Re: [users@httpd] Please help... apache hacked?
Date Sat, 15 Jul 2006 18:13:31 GMT
>
> does ANYBODY even know what bots.txt even DOES?
>
> bots.txt should look like this:
>
> accept all
> reject altaVista
>
> look at virussin.com/bots.txt to see what it SHOULD do... it's for
> SEARCH ENGINES. The bot grabs it, looks at it, and if it's on the
> white list of engines, it caches the site, if it's on the blacklist
> (reject), it sulks away into a corner...
>

This particular bots.txt is downloaded from tehboob.be and then is run 
(somehow) from /.

This bots.txt is a Perl program that connects to IRC servers and sends out 
Apache access_log information.

A few other clues... when I run ps, it shows the processes as "syslogd -m 
0", but really when looked at with the "real" name it simply shows perl. 
It's just running the Perl interpreter as nobody (since Apache runs as 
nobody). When I look at lsof, it shows that the cwd is /. So how Apache is 
able to download a program, and run it, from /, I don't understand.

How can I block Apache from being able to do such a thing? Again, here's the 
output from the error_log that shows the download happening, and then I have 
no idea how, after being downloaded, the program is run.

--11:51:13--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  683.08 KB/s

My guess is that maybe the hackers installed a program that is performing 
this download. But I've searched the Joomla installation for any file 
containing "bots.txt" with no success.

Can someone explain why this is logged in the error_log and not in the 
access_log?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
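
The symptom described in the message (ps displays "syslogd -m 0" while the real executable is perl) can be checked for across every process on a host. This Python example is added here and is not part of the original message; it assumes Linux /proc, and its function names and sample records are constructed for illustration.

```python
import os

def shown_name(cmdline: bytes) -> str:
    """Program name as ps would display it, from raw /proc/<pid>/cmdline bytes."""
    text = cmdline.replace(b"\0", b" ").decode("utf-8", "replace").strip()
    first = text.split()[0] if text else ""
    # "-bash" (login shell) and "sshd:" (daemon title) are legitimate decorations
    return os.path.basename(first.lstrip("-").rstrip(":"))

def is_masquerading(cmdline: bytes, exe: str) -> bool:
    """True when the displayed name does not correspond to the real executable."""
    shown = shown_name(cmdline)
    real = os.path.basename(exe.replace(" (deleted)", ""))
    if not shown or not real:
        return False  # kernel threads and unreadable entries carry no evidence
    # Prefix match tolerates versioned binaries such as python -> python3.11
    return not (real.startswith(shown) or shown.startswith(real))

def scan_proc(root="/proc"):
    """Yield (pid, shown, exe, cwd, uid) for each process whose name is spoofed."""
    for pid in filter(str.isdigit, os.listdir(root)):
        base = os.path.join(root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid
        except OSError:
            continue  # process exited, or insufficient permission (run as root)
        if is_masquerading(cmdline, exe):
            yield int(pid), shown_name(cmdline), exe, cwd, uid

# Constructed sample records mirroring the symptoms in the message
SAMPLES = [
    (b"syslogd -m 0\0", "/usr/bin/perl"),              # displayed name is spoofed
    (b"/usr/sbin/httpd\0-k\0start\0", "/usr/sbin/httpd"),
    (b"-bash\0", "/bin/bash"),                          # login shell
    (b"python\0app.py\0", "/usr/bin/python3.11"),
]

if __name__ == "__main__":
    for pid, shown, exe, cwd, uid in scan_proc():
        print(f"pid={pid} uid={uid} shown={shown!r} exe={exe} cwd={cwd}")
```

A hit owned by the web server account with an interpreter as its real executable matches what the message describes; the cwd and uid columns are printed to help with that triage.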

