Security Basics mailing list archives

Re: Strange found in apache error.log


From: "Security" <security () yakboy org>
Date: Mon, 5 Dec 2005 18:07:03 -0000

BNC is a bouncer for connecting to IRC with ... and bot9 is probably a
bot script for the above ... it looks like someone tried to turn your system
into a drone for a botnet.

----- Original Message ----- From: <kc () mikrobit pl>
To: <security-basics () securityfocus com>
Sent: Sunday, December 04, 2005 12:39 AM
Subject: Strange found in apache error.log


Hi
I found something like this in my apache error.log

[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:32:30 2005] [error] [client 218.156.221.22] client denied by server configuration: /virtual/mikrobit/_http/
[Sat Dec 03 00:34:10 2005] [error] [client 81.219.172.109] client denied by server configuration: /virtual/mikrobit/_http/
--00:42:14--  http://www.geocities.com/ikanlagasiam/bot9.txt
          => `bot9.txt'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,552 (19K) [text/plain]

   0K .......... .........                                  100% 46.0K

00:42:15 (45.94 KB/s) - `bot9.txt' saved [19552/19552]

--00:42:15--  http://www.geocities.com/ikanlagasiam/bnc.txt
          => `bnc.txt'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,090 (21K) [text/plain]

   0K .......... ..........                                 100% 48.8K

00:42:16 (48.78 KB/s) - `bnc.txt' saved [21090/21090]

--00:42:16--  http://bot9.txt.*/
          => `index.html'
Resolving bot9.txt.*... failed: Unknown host.


And when I looked in /tmp I found these two Perl scripts: bot9.txt and bnc.txt.
After that I looked with #ps ax
and I found two alien processes.
How could they get and run those scripts?

I use Apache: 2.0.54-r7
mod_php: 4.4.0-r1
OS: gentoo 2005.1
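An added example, not from either poster or from the list: a small Python scanner for the pattern shown in this thread. wget writes its transcript to stderr, and a process spawned by Apache (a CGI, or PHP's exec()/system()) inherits the server's stderr, which is error.log. A download transcript that is not in Apache's bracketed "[date] [level]" format is therefore itself evidence that a web request ran a shell command. The script separates Apache-formatted lines from foreign stderr output, reconstructs each fetched URL, saved file name and byte count, and tallies "client denied by server configuration" hits per client IP. The sample input is the log excerpt from the post (blank and progress lines omitted) plus one constructed [notice] line so there is benign input to ignore; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the error.log lines quoted in the post (blank and
# progress-bar lines omitted) plus one made-up [notice] line as benign input.
SAMPLE_LOG = """\
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:32:30 2005] [error] [client 218.156.221.22] client denied by server configuration: /virtual/mikrobit/_http/
[Sat Dec 03 00:34:10 2005] [error] [client 81.219.172.109] client denied by server configuration: /virtual/mikrobit/_http/
--00:42:14--  http://www.geocities.com/ikanlagasiam/bot9.txt
          => `bot9.txt'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,552 (19K) [text/plain]
00:42:15 (45.94 KB/s) - `bot9.txt' saved [19552/19552]
--00:42:15--  http://www.geocities.com/ikanlagasiam/bnc.txt
          => `bnc.txt'
00:42:16 (48.78 KB/s) - `bnc.txt' saved [21090/21090]
--00:42:16--  http://bot9.txt.*/
          => `index.html'
Resolving bot9.txt.*... failed: Unknown host.
[Sat Dec 03 01:00:00 2005] [notice] Apache/2.0.54 (Gentoo) configured -- resuming normal operations
"""

# Apache 2.0 error_log line: "[date] [level] [client ip] message" (client part optional).
APACHE_LINE = re.compile(
    r"^\[[^\]]+\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# wget transcript pieces that land in error.log via the inherited stderr.
WGET_START = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
WGET_TARGET = re.compile(r"^\s*=> `(?P<file>[^']+)'")
WGET_SAVED = re.compile(r"^\d{2}:\d{2}:\d{2} \([^)]*\) - `(?P<file>[^']+)' saved \[(?P<bytes>\d+)/\d+\]")


def scan_error_log(text):
    """Return a report with foreign (non-Apache) line count, reconstructed
    wget downloads, and a per-IP tally of 'client denied' errors."""
    downloads = []      # one dict per "--HH:MM:SS--  URL" transcript
    denied = Counter()  # client IP -> number of "client denied" hits
    foreign_lines = 0   # lines that Apache itself did not write
    current = None

    for line in text.splitlines():
        m = APACHE_LINE.match(line)
        if m:
            if m.group("client") and "client denied by server configuration" in m.group("msg"):
                denied[m.group("client")] += 1
            continue

        # Anything else came from a child process's stderr, not from httpd.
        foreign_lines += 1
        if (m := WGET_START.match(line)):
            current = {"url": m.group("url"), "file": None, "bytes": None}
            downloads.append(current)
        elif current is not None and (m := WGET_TARGET.match(line)):
            current["file"] = m.group("file")
        elif current is not None and (m := WGET_SAVED.match(line)):
            # A "saved" line means the fetch completed; a failed resolve leaves bytes=None.
            current["file"] = m.group("file")
            current["bytes"] = int(m.group("bytes"))

    return {"foreign_lines": foreign_lines, "downloads": downloads, "denied": dict(denied)}


def is_compromise_indicator(report):
    """True when the log contains stderr output of a spawned process, which on a
    web server almost always means a request executed a command."""
    return report["foreign_lines"] > 0 or bool(report["downloads"])


if __name__ == "__main__":
    r = scan_error_log(SAMPLE_LOG)
    print("foreign stderr lines:", r["foreign_lines"])
    for d in r["downloads"]:
        print("fetched", d["url"], "->", d["file"], "bytes:", d["bytes"])
    for ip, n in r["denied"].items():
        print("denied", ip, n)
    print("compromise indicator:", is_compromise_indicator(r))
```

Running it on a real error.log, every entry in "downloads" names a file to look for (here, the two scripts found in /tmp), and the wget timestamps (00:42 in the post) give the window to search in access.log for the request that spawned the command; the "denied" tally shows which client IPs were probing the same host shortly before.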
