Ricardo Kleemann schrieb:
does ANYBODY even know what bots.txt even DOES?
bots.txt should look like this:
accept all
reject altaVista
look at virussin.com/bots.txt to see what it SHOULD do... it's for
SEARCH ENGINES. the bot grabs it, looks at it, and if it's on the
white list of engines, it caches the site; if it's on the blacklist
(reject), it sulks away into a corner...
This particular bots.txt is downloaded from tehboob.be and then is run
(somehow) from /.
This bots.txt is a perl program that connects to irc servers and sends
out apache access_log information.
I don't think it sends access_log information. The open file handles for
"access_log" you mentioned have been inherited from the parent Apache
process.
A few other clues... when I run ps, it shows the processes as "syslogd
-m 0", but really when looked at with the "real" name it simply shows
perl. It's just running the perl interpreter as nobody (since apache
runs as nobody). When I look at lsof, it shows that the cwd is /. So how
apache is able to download a program, and run it, from /, I don't
understand.
That's exactly what bots.txt does:
my $processo = 'syslogd -m 0';   # name it wants ps to display
chdir("/");                      # explains the cwd of / seen in lsof
$0 = "$processo" . "\0" x 16;    # overwrite argv[0]; NUL padding blanks out the old arguments
How can I block apache from being able to do such a thing? Again, here's
the output from the error_log that shows the download happening, and
then I have no idea how, after downloaded, the program is run.
I expect that you are using an insecure PHP configuration allowing
include() to fetch PHP scripts via HTTP (allow_url_fopen) and executing
commands via the PHP functions exec, system, popen, passthru ...
That may be how a foreign attacker invokes the perl interpreter
on your machine.
--11:51:13-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .......... .......... ........ 100% 683.08 KB/s
My guess is that maybe the hackers installed a program that is
performing this download. But I've searched the joomla installation for
any file containing "bots.txt" to no success.
Can someone explain why this is logged in the error_log and not in the
access_log?
Wget writes status information when retrieving files to STDERR, and so
it gets passed to the error_log.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
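The "ps says syslogd, the real name is perl" observation above is the reliable tell here: the bot can rewrite argv[0] via $0, but it cannot change where /proc/<pid>/exe points. The following is an added example (not code from the thread, from Apache, or from the bot) that turns that observation into a check: it compares the program name a process claims in its command line with the executable it is actually running, and additionally flags an interpreter running as the web-server user with a working directory of /. The sample process table is constructed to mirror the thread (PIDs, paths and the user name "nobody" are assumptions), and the live /proc scanner is best-effort and Linux-only.

```python
"""Find processes hiding behind a fake argv[0], the way the bots.txt perl bot does.

A process can rewrite its own command line (perl: $0 = "syslogd -m 0"), so
`ps` lies; /proc/<pid>/exe still points at the binary that is really running.
"""
import os
from dataclasses import dataclass

try:
    import pwd
except ImportError:  # not Linux/Unix; the live scanner is skipped there
    pwd = None

# Interpreters a dropped bot is typically run with (assumption: tune to your hosts).
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash"}
# Accounts the web server runs as (the thread's Apache runs as "nobody").
WEB_USERS = {"nobody", "apache", "www-data", "httpd"}


@dataclass
class Proc:
    pid: int
    exe: str       # target of /proc/<pid>/exe: the binary actually executing
    cmdline: str   # argv joined with spaces: what ps shows, and what $0 rewrites
    user: str
    cwd: str       # target of /proc/<pid>/cwd


def program_name(path):
    """Normalise '/usr/bin/perl5.8.8 (deleted)' -> 'perl' so versions compare equal."""
    base = os.path.basename(path.replace(" (deleted)", ""))
    return base.rstrip("0123456789.")


def classify(p):
    """Return the reasons a process looks like a bot with a forged command line."""
    reasons = []
    real = program_name(p.exe)
    argv = p.cmdline.split()
    claimed = program_name(argv[0]) if argv else ""
    # An interpreter whose argv[0] names something else has rewritten $0 / argv.
    if real in INTERPRETERS and claimed != real:
        reasons.append("argv[0] claims %r but the executable is %s" % (claimed, p.exe))
    # CGI/PHP children normally run from the script directory; the bot chdir()s to /.
    if real in INTERPRETERS and p.user in WEB_USERS and p.cwd == "/":
        reasons.append("%s running as %s with cwd / (no script directory)" % (real, p.user))
    return reasons


def find_suspects(procs):
    """Map pid -> reasons for every process that trips at least one check."""
    out = {}
    for p in procs:
        r = classify(p)
        if r:
            out[p.pid] = r
    return out


def scan_proc():
    """Best-effort live scan of /proc; reading another user's exe link needs root."""
    procs = []
    if pwd is None or not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = "/proc/" + entry
        try:
            exe = os.readlink(base + "/exe")
            cwd = os.readlink(base + "/cwd")
            with open(base + "/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            user = pwd.getpwuid(os.stat(base).st_uid).pw_name
        except (OSError, KeyError):
            continue  # process exited, kernel thread, or not ours to inspect
        procs.append(Proc(int(entry), exe, cmdline, user, cwd))
    return procs


# Constructed sample process table modelled on the ps/lsof observations in the thread.
SAMPLE = [
    Proc(1234, "/usr/bin/perl", "syslogd -m 0", "nobody", "/"),               # the bot
    Proc(1001, "/sbin/syslogd", "syslogd -m 0", "root", "/"),                 # the real daemon
    Proc(2000, "/usr/sbin/httpd", "/usr/sbin/httpd", "nobody", "/"),          # apache child
    Proc(2100, "/usr/bin/perl", "/usr/bin/perl /var/www/cgi-bin/form.cgi",
         "nobody", "/var/www/cgi-bin"),                                       # legitimate CGI
]

if __name__ == "__main__":
    table = scan_proc() or SAMPLE
    for pid, reasons in sorted(find_suspects(table).items()):
        print(pid, "; ".join(reasons))
```

Run as root on the affected box it walks the real /proc; elsewhere it falls back to the constructed sample and reports only PID 1234. The first check is the precise one (an interpreter that does not admit to being one); the cwd check is a heuristic and will need adjusting for sites whose CGI scripts legitimately chdir to /.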