Hi,

I'm running an older version of Apache, 1.3.28, under a SUSE install.

Today I noticed that somehow a bots.txt Perl program is being run, yet it is not run from the filesystem. Somehow this script is being downloaded and run.

Yesterday the server was also a victim of an attack from PSYCH@ mass defacement. I don't know if these 2 attacks are related in any way, but I certainly need help to figure out what to do!

Does anyone know anything related to running this bots.txt? Here's what I have in my error_log:

--11:51:13-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .. .. 100% 683.08 KB/s
11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:15:55-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .. .. 100% 683.08 KB/s
12:15:55 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:22:25-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .. .. 100% 652.03 KB/s
12:22:25 (652.03 KB/s) - `bots.txt' saved [29378/29378]

--12:44:05-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .. .. 100% 652.03 KB/s

I have blocked traffic to prevent retrieving this script from tehboob.be, but that is only a temporary work-around. How is this program being run? This is the top level error_log and I don't understand how a Perl program is being downloaded and then run.

As for the mass defacement "By PSYch@ AYYILDIZ-TIM", does anyone know anything about that? Basically all of the index.html, index.htm, index.php (in all sites) were replaced.

One thing I was able to tell via lsof is that the program running bots.txt was accessing all of the /var/log/httpd/* logs, so I'm guessing that they were collecting website information?

PLEASE HELP...

Thanks
Ricardo
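
One way to pull wget transcripts like the ones quoted above out of an Apache error_log and see which URLs were fetched, how often, and which attempts never finished; this is an added example, not part of the original post. The function names are hypothetical and the sample log is constructed with placeholder hosts and addresses.

```python
import re

# Constructed sample in the layout of the excerpt above; example.invalid and
# the 192.0.2.x addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
[Mon Jan 01 11:50:02 2007] [error] [client 192.0.2.77] File does not exist: /srv/www/htdocs/favicon.ico
--11:51:13--  http://example.invalid/bots.txt
           => `bots.txt'
Connecting to example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]
--12:44:05--  http://example.invalid/bots.txt
           => `bots.txt'
Connecting to example.invalid[192.0.2.10]:80... connected.
"""

# wget prints its transcript on stderr; a child started by httpd inherits the
# server's stderr, so these lines land in error_log between Apache's entries.
START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
CONNECT = re.compile(r"^Connecting to \S+\[([\d.]+)\]:\d+")
SAVED = re.compile(r"^\d\d:\d\d:\d\d \([^)]*\) - `([^']+)' saved \[(\d+)/\d+\]")

def extract_fetches(text):
    """Return one record per wget transcript found between ordinary log lines."""
    fetches, cur = [], None
    for line in text.splitlines():
        start = START.match(line)
        if start:
            cur = {"time": start.group(1), "url": start.group(2),
                   "ip": None, "saved_as": None, "bytes": None}
            fetches.append(cur)
        elif cur is not None:
            conn, saved = CONNECT.match(line), SAVED.match(line)
            if conn:
                cur["ip"] = conn.group(1)
            elif saved:
                cur["saved_as"], cur["bytes"] = saved.group(1), int(saved.group(2))
                cur = None  # transcript finished; later lines belong to Apache
    return fetches

def summarize(fetches):
    """Per URL: attempts, completed downloads and the remote IPs contacted."""
    summary = {}
    for f in fetches:
        s = summary.setdefault(f["url"], {"attempts": 0, "saved": 0, "ips": set()})
        s["attempts"] += 1
        s["saved"] += f["saved_as"] is not None
        s["ips"].update([f["ip"]] if f["ip"] else [])
    return summary
```

Lining up each record's time with the access_log entries from the same second shows which request was being served when the download was started.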