httpd-users mailing list archives

From Max Dittrich <max.dittr...@t-online.de>
Subject Re: [users@httpd] Please help... apache hacked?
Date Sat, 15 Jul 2006 12:23:04 GMT

Ricardo Kleemann wrote:
> Hi,
>  
> I'm running an older version of apache 1.3.28 under a Suse install.
>  
> Today I noticed that somehow a bots.txt perl program is being run, yet 
> it is not run from the filesystem. Somehow this script is being 
> downloaded and run.
>  
> Yesterday the server was also a victim of an attack from PSYCH@ mass 
> defacement. I don't know if these 2 attacks are related in any way, but 
> I certainly need help to figure out what to do!
>  
> Does anyone know anything related to running this bots.txt? Here's what 
> I have in my error_log:
>  
> --11:51:13--  http://tehboob.be/bots.txt
>            => `bots.txt'
> Resolving tehboob.be... done.
> Connecting to tehboob.be[72.20.8.243]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 29,378 [text/plain]
>  
>     0K .......... .......... ........                        100%  683.08 KB/s

A first look shows that the script "bots.txt" currently available 
targets vulnerable installations of "Joomla" and "Mambo". There are some 
vulnerabilities reported for the included phpBB and an extension called 
perForms.

The bot seems to join a specific IRC-chan waiting for commands and 
looking for new vulnerable installations via google-searches.

Perhaps you want to replace any wget-binaries with a shell script 
logging environment and command-line switches to identify the document 
used to retrieve the script.

>  
> PLEASE HELP...
>  

You should stop your Apache! :D

.max


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
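
The wget replacement suggested in the reply above, sketched as an added example that is not part of the original message: a stand-in script that records who called wget, with which switches and in which environment, then hands over to the real binary. The paths `/usr/bin/wget.real` and `/var/log/wget-audit.log`, the two variable names and the function name `log_invocation` are assumptions.

```shell
#!/bin/sh
# Added example: forensic stand-in for wget. Install it under the name "wget"
# after moving the real binary aside. Both default paths are assumed names.
REAL_WGET="${REAL_WGET:-/usr/bin/wget.real}"
WGET_AUDIT_LOG="${WGET_AUDIT_LOG:-/var/log/wget-audit.log}"

# Append one record: time, user, working directory, parent process,
# every command-line argument on its own line, then the full environment.
log_invocation() {
    logfile=$1
    shift
    {
        printf '=== wget call %s ===\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        printf 'pid=%s ppid=%s user=%s cwd=%s\n' "$$" "$PPID" "$(id -un)" "$(pwd)"
        # Linux only: command line of the process that started us
        # (for example the httpd child or the interpreter it spawned).
        if [ -r "/proc/$PPID/cmdline" ]; then
            printf 'parent=%s\n' "$(tr '\0' ' ' < "/proc/$PPID/cmdline")"
        fi
        n=0
        for arg in "$@"; do
            n=$((n + 1))
            printf 'argv[%d]=%s\n' "$n" "$arg"
        done
        printf '%s\n' '--- environment ---'
        env
        printf '%s\n' '=== end ==='
    } 2>/dev/null >> "$logfile"
}

# Act as the wrapper only when invoked under the name "wget"; a logging
# failure never blocks the call, so the caller sees normal wget behaviour.
case "${0##*/}" in
    wget)
        log_invocation "$WGET_AUDIT_LOG" "$@"
        exec "$REAL_WGET" "$@"
        ;;
esac
```

The log file has to exist beforehand and be writable by the account Apache runs as; since it captures the whole environment, keep it unreadable to other users.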

