Re: [EMAIL PROTECTED] Please help... apache hacked?

2006-07-15 Thread Ricardo Kleemann

Thanks Max.

A first look shows that the script bots.txt currently available targets 
vulnerable installations of Joomla and Mambo. There are some 
vulnerabilities reported for the included phpBB and an extension called 
perForms.


But how, in the first place, is Apache even downloading the bots.txt and 
then running it? Is it running in memory, since it's not anywhere in the 
filesystem?


And what commands can be run on port 80 to do the download/run of the 
script?




The bot seems to join a specific IRC channel waiting for commands and looking 
for new vulnerable installations via Google searches.


Perhaps you want to replace any wget-binaries with a shell script logging 
environment and command-line switches to identify the document used to 
retrieve the script.



 PLEASE HELP...



You should stop your Apache! :D

.max


-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
 from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
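Max's suggestion of swapping the wget binary for a logging shell script, worked out as an added example (not code from the thread): the wrapper records the caller's environment, arguments and parent command line, then blocks the download unless pass-through is enabled. The log path, the renamed real binary `/usr/bin/wget.real`, the `WGET_WRAPPER_*` switches and the CGI-style variables in the environment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a logging wrapper installed in place of
# the wget binary. Log path, renamed real binary and switches are assumptions.
LOGFILE="${WGET_WRAPPER_LOG:-/var/log/wget-wrapper.log}"
REAL_WGET="${WGET_WRAPPER_REAL:-/usr/bin/wget.real}"

# Append one record for this invocation to $1; remaining args are wget's.
# Apache passes the request context to CGI and PHP children through the
# environment, so SCRIPT_FILENAME and REQUEST_URI name the page that ran us.
log_wget_invocation() {
    logfile="$1"; shift
    {
        printf '=== %s pid=%s ppid=%s cwd=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$$" "$PPID" "$(pwd)"
        printf 'args:'
        for a in "$@"; do printf ' [%s]' "$a"; done
        printf '\n'
        for v in SCRIPT_FILENAME REQUEST_URI QUERY_STRING REMOTE_ADDR \
                 HTTP_USER_AGENT HTTP_REFERER; do
            eval "val=\${$v-}"
            if [ -n "$val" ]; then printf '%s=%s\n' "$v" "$val"; fi
        done
        # Parent process command line, when /proc is available (Linux).
        if [ -r "/proc/$PPID/cmdline" ]; then
            printf 'parent=%s\n' "$(tr '\000' ' ' < "/proc/$PPID/cmdline")"
        fi
    } >> "$logfile"
}

# Number of invocations recorded in a log file (one '===' header each).
count_records() {
    grep -c '^=== ' "$1"
}

# Log, then refuse by default; WGET_WRAPPER_PASSTHROUGH=1 runs the real
# binary after logging, for when you only want visibility, not blocking.
run_wrapper() {
    log_wget_invocation "$LOGFILE" "$@"
    if [ "${WGET_WRAPPER_PASSTHROUGH:-0}" = 1 ] && [ -x "$REAL_WGET" ]; then
        exec "$REAL_WGET" "$@"
    fi
    echo "wget: download blocked and logged to $LOGFILE" >&2
    exit 1
}

# With no arguments only define the functions; otherwise act as wget.
if [ $# -gt 0 ]; then run_wrapper "$@"; fi
```

Install it as the wget binary (after renaming the original) and read the log after the next download attempt: the SCRIPT_FILENAME and parent lines point at the PHP file or CGI that spawned the fetch.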


[EMAIL PROTECTED] Please help... apache hacked?

2006-07-14 Thread Ricardo Kleemann



Hi,

I'm running an older version of Apache, 1.3.28, under a SuSE install.

Today I noticed that somehow a bots.txt Perl program is being run, yet it is 
not run from the filesystem. Somehow this script is being downloaded and run.

Yesterday the server was also the victim of an attack from the PSYCH@ mass 
defacement. I don't know if these 2 attacks are related in any way, but I 
certainly need help to figure out what to do!

Does anyone know anything related to running this bots.txt? Here's what I 
have in my error_log:

--11:51:13--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .. ..                                                 100%  683.08 KB/s

11:51:13 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:15:55--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .. ..                                                 100%  683.08 KB/s

12:15:55 (683.08 KB/s) - `bots.txt' saved [29378/29378]

--12:22:25--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .. ..                                                 100%  652.03 KB/s

12:22:25 (652.03 KB/s) - `bots.txt' saved [29378/29378]

--12:44:05--  http://tehboob.be/bots.txt
           => `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]

    0K .. ..                                                 100%  652.03 KB/s

I have blocked traffic to prevent retrieving this script from tehboob.be, but 
that is only a temporary work-around. How is this program being run? This is 
the top-level error_log and I don't understand how a Perl program is being 
downloaded and then run.

As for the mass defacement "By PSYch@ AYYILDIZ-TIM", does anyone know 
anything about that? Basically all of the index.html, index.htm, index.php 
(in all sites) were replaced.

One thing I was able to tell via lsof is that the program running bots.txt 
was accessing all of the /var/log/httpd/* logs, so I'm guessing that they 
were collecting website information?

PLEASE HELP...

Thanks
Ricardo