scanbot.ru perl apache server hacked

[pera]

I can not find anything on this forum ... and noting I can use on google....

In my firwall I have block ip for scanbot.ru

in my apache error log I am getting:

........................................................................

--2010-06-21 23:56:19-- (try:13) http://scanbot.ru/bot.txt
Connecting to scanbot.ru|85.159.63.185|:80... --2010-06-21 23:56:24-- (try:16) http://scanbot.ru/bot.txt
Connecting to scanbot.ru|85.159.63.185|:80... [Mon Jun 21 23:56:40 2010] [error] [client 78.69.76.145] File does not exist: /var/www/html/favicon.ico
[Mon Jun 21 23:56:40 2010] [error] [client 78.69.76.145] File does not exist: /var/www/html/404.shtml
failed: Connection timed out.
Retrying.

--2010-06-21 23:57:12-- (try: 9) http://scanbot.ru/bot.txt
Connecting to scanbot.ru|85.159.63.185|:80... failed: Connection timed out.
Retrying.

--2010-06-21 23:57:26-- (try:18) http://scanbot.ru/bot.txt
Connecting to scanbot.ru|85.159.63.185|:80... failed: Connection timed out.
Retrying.

--2010-06-21 23:57:49-- (try:12) http://scanbot.ru/bot.txt
Connecting to scanbot.ru|85.159.63.185|:80...
...................................................................

how can I found out from where is the request coming?


so I can find the infected user, site, page...

thankz

 

[localhost]

try to do a

grep -r 'scanbot' /home

Also I think your server could be hacked hard. Send my a PM, maybe I can help you out.

 

[pera]

Thank you for the advice, i am running

grep -lir "scanbot.ru/bot.txt" *

in the home folder...

but there is about 1.2 TB :-(

so I am going to sleep now.... 01:30 in Sweden.

Localhost I send you 2 mails.... and thankz...