Here's a message from my Apache error log (/etc/httpd/logs/error_log):
Resolving www.SITENAMEHERE.org... 220.127.116.11
Connecting to www.SITENAMEHERE.org|18.104.22.168|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29720 (29K) [text/plain]
Saving to: `/tmp/bxbov.pl'
I viewed the script downloaded and it's a "shell bot" that allows the user to run shell commands, all under wraps (quietly, without detection). I am very
concerned. I have deleted the file. I have noticed that there's been other files in /tmp as well and, as I scroll through the logs, more of these kinds of "auto download requests" are occurring. The downloads are random (at no apparent set time).
Could somebody here give me a list of "security checkpoints" I should go over? How could something like this be called? I have searched my sites and have seemingly secured every script and admin panel. We were hacked 6 months ago due to an insecure script though (which has been patched)... so could something be leftover from that hacking that causes this?
Most importantly -- why would this type of request appear in an APACHE error log? My sites are all PHP, so it's weird to me that this error would be logged here (I have never seen a PHP request/process logged to the Apache error log). So, does it have anything to do with my scripts since it's appearing in an Apache error log? Or something deeper at the server level?
Let me know... soon.