httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ricardo Kleemann" <>
Subject Re: [users@httpd] Please help... apache hacked?
Date Sat, 15 Jul 2006 18:13:31 GMT
> does ANYBODY even know what bots.txt even DOES?
> bots.txt should look like this:
> accept all
> reject altaVista
> look at to see what it SHOULD do... its for
> SEARCH EINGINES. the bot grabs it, looks at it, and it its on the
> white list of eingines, it caches the site, if its on the blacklist
> (reject), it sulks away into a corner...

This particular bots.txt is downloaded from and then is run 
(somehow) from /.

This bots.txt is a perl program that connects to irc servers and sends out 
apache access_log information.

A few other clues... when I run ps, it shows the processes as "syslogd -m 
0", but really when looked at with the "real" name it simply shows perl. 
It's just running the perl interpreter as nobody (since apache runs as 
nobody). When I look at lsof, it shows that the cwd is /. So how apache is 
able to download a program, and run it, from /, I don't understand.

How can I block apache from being able to do such a thing? Again, here's the 
output from the error_log that shows the download happening, and then I have 
no idea how, after downloaded, the program is run.

           => `bots.txt'
Resolving done.
Connecting to[]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .......... .......... ........                        100%  683.08 

My guess is that maybe the hackers installed a program that is performing 
this download. But I've searched the joomla installation for any file 
containing "bots.txt" to no success.

Can someone explain why this is logged in the error_log and not in the 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message