Apache mysteriously downloading malicious files

Discussion in 'Server Operation' started by Tipem, Sep 9, 2009.

  1. Tipem

    Tipem New Member

    Here's a message from my Apache error log (/etc/httpd/logs/error_log):

    --13:47:57--  http://www.SITENAMEHERE.org/blog/directory/.blogpt/sobx.txt
    Resolving www.SITENAMEHERE.org...
    Connecting to www.SITENAMEHERE.org||:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 29720 (29K) [text/plain]
    Saving to: `/tmp/bxbov.pl'

    I viewed the downloaded script and it's a "shell bot" that allows the user to run shell commands, all under wraps (quietly, without detection). I am very concerned. I have deleted the file. I have noticed that there have been other files in /tmp as well and, as I scroll through the logs, more of these kinds of "auto download requests" are occurring. The downloads are random (at no apparent set time).

    Could somebody here give me a list of "security checkpoints" I should go over? How could something like this be called? I have searched my sites and have seemingly secured every script and admin panel. We were hacked 6 months ago due to an insecure script though (which has been patched)... so could something be leftover from that hacking that causes this?

    Most importantly -- why would this type of request appear in an APACHE error log? My sites are all PHP, so it's weird to me that this error would be logged here (I have never seen a PHP request/process logged to the Apache error log). So, does it have anything to do with my scripts since it's appearing in an Apache error log? Or something deeper at the server level?

    Let me know... soon.
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you check the server with chkrootkit and rkhunter?
  3. Tipem

    Tipem New Member

    Surprisingly, they come up clean.
  4. falko

    falko Super Moderator ISPConfig Developer

    Then I guess that you have some vulnerable web applications on your server. Did you install the latest updates?
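
One way to list every such download in the error log, as an added example that is not part of the original thread: wget writes its transcript to stderr, and a process started by a web script inherits Apache's stderr, which is the error log. The function name, the two sample Apache error lines and the list of world-writable directories are assumptions made for the example.

```python
import re

# wget transcript lines in the style shown in the first post.
START = re.compile(r"^\s*--(\d{2}:\d{2}:\d{2})--\s+(\S+)")
SAVE = re.compile(r"^\s*Saving to: [`'\u2018]?(.+?)['\u2019]?\s*$")
# Assumption: world-writable directories worth flagging; adjust per host.
WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def find_wget_drops(lines):
    """Pair each wget request line with its 'Saving to:' line.

    Returns one dict per completed download: log line number, time, URL,
    destination path and whether that path is in a world-writable directory.
    """
    hits, current = [], None
    for lineno, line in enumerate(lines, 1):
        m = START.match(line)
        if m:
            current = {"line": lineno, "time": m.group(1), "url": m.group(2)}
            continue
        m = SAVE.match(line)
        if m and current:
            dest = m.group(1)
            current["dest"] = dest
            current["suspicious"] = dest.startswith(WRITABLE)
            hits.append(current)
            current = None
    return hits

# Constructed sample: the transcript from the post between two ordinary
# Apache error lines (those two lines are invented for this example).
SAMPLE = """\
[Wed Sep 09 13:47:50 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
--13:47:57--  http://www.SITENAMEHERE.org/blog/directory/.blogpt/sobx.txt
Resolving www.SITENAMEHERE.org...
Connecting to www.SITENAMEHERE.org||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29720 (29K) [text/plain]
Saving to: `/tmp/bxbov.pl'
[Wed Sep 09 13:48:02 2009] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    for h in find_wget_drops(SAMPLE):
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f'{flag} line {h["line"]} {h["time"]} {h["url"]} -> {h["dest"]}')
```

The time of each hit can then be matched against the access log of every virtual host to find the request that triggered the download.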
