does ANYBODY even know what bots.txt even DOES?
bots.txt should look like this:
accept all
reject altaVista
look at virussin.com/bots.txt to see what it SHOULD do... its for
SEARCH EINGINES. the bot grabs it, looks at it, and it its on the
white list of eingines, it caches the site, if its on the blacklist
(reject), it sulks away into a corner...
This particular bots.txt is downloaded from tehboob.be and then is run
(somehow) from /.
This bots.txt is a perl program that connects to irc servers and sends out
apache access_log information.
A few other clues... when I run ps, it shows the processes as "syslogd -m
0", but really when looked at with the "real" name it simply shows perl.
It's just running the perl interpreter as nobody (since apache runs as
nobody). When I look at lsof, it shows that the cwd is /. So how apache is
able to download a program, and run it, from /, I don't understand.
How can I block apache from being able to do such a thing? Again, here's the
output from the error_log that shows the download happening, and then I have
no idea how, after downloaded, the program is run.
--11:51:13-- http://tehboob.be/bots.txt
=> `bots.txt'
Resolving tehboob.be... done.
Connecting to tehboob.be[72.20.8.243]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,378 [text/plain]
0K .......... .......... ........ 100% 683.08
KB/s
My guess is that maybe the hackers installed a program that is performing
this download. But I've searched the joomla installation for any file
containing "bots.txt" to no success.
Can someone explain why this is logged in the error_log and not in the
access_log?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
