Subj : concerning log entry...
To : All
From : Clive Reuben
Date : Tue Oct 18 2022 07:18 pm
Apologies for the size of this log snippet, but has anyone seen a shell script being executed from the node temp dir during the creation of a new account? I have highlighted the concerning lines at the end of the log snippet. Is this a hack or something benign?
I have tried to recreate it by uploading files during the sysop feedback message (this is the time where the concerning shell file is executed during account creation), but couldn't recreate the log entries as they are below... nor could I find an xfer.sh file on the drive as is executed in the log.
Hopefully, someone else has seen this... and hopefully Mystic BBSs are not being hacked... Thanks for any help!
------------------- Node 2 (Mystic v1.12 A48 2022/07/15)
2022.10.18 13:30:46 Connect from 135.148.161.187 (ip187.ip-135-148-161.us)
2022.10.18 13:30:46 Country: United States of America
2022.10.18 13:30:47 Set time left 30
2022.10.18 13:30:47 MPL execute: /mystic/themes/default/scripts/connect.mpx
2022.10.18 13:30:47 Connect begin *********************************
2022.10.18 13:30:47 Connect end ***********************************
2022.10.18 13:30:52 MPL execute: /mystic/themes/default/scripts/startup.mpx
2022.10.18 13:30:52 Startup begin *********************************
2022.10.18 13:30:52 INFO: bbslock begin
2022.10.18 13:31:07 INFO: bbslock end
2022.10.18 13:31:07 INFO: threatsentry begin
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 Executing: /mystic/themes/default/scripts/threatsentry/threatsentry-api.sh /mystic/temp2/ 135.148.161.187 2
2022.10.18 13:31:07 Execution complete: 0
2022.10.18 13:31:07 INFO: User coordinates are: 37.750999450683594, -97.8219985961914
2022.10.18 13:31:07 INFO: API request count is: 7
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 INFO: User is calling from country: United States
2022.10.18 13:31:07 INFO: User local time is: 2022-10-18 13:31:07.860993-04:00
2022.10.18 13:31:07 INFO: User IP has no threat indicators
2022.10.18 13:31:12 INFO: threatsentry end
2022.10.18 13:31:12 INFO: runfirst begin
2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/openseq.mpx
2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/ansilines.mpx
2022.10.18 13:31:18 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:20 INFO: runfirst end
2022.10.18 13:31:20 Startup end ***********************************
2022.10.18 13:31:20 MPL execute: /mystic/themes/default/scripts/anim.mpx
2022.10.18 13:31:20 INFO: anim.mpx login begin
2022.10.18 13:31:29 INFO: anim.mpx login end
2022.10.18 13:31:30 INFO: Read backstory
2022.10.18 13:31:34 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:35 MPL execute: /mystic/themes/default/scripts/anim.mpx
2022.10.18 13:31:35 INFO: anim.mpx login begin
2022.10.18 13:31:46 INFO: anim.mpx login end
2022.10.18 13:32:22 INFO: Apply for access
2022.10.18 13:32:25 New user application
2022.10.18 13:34:16 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:34:52 Created Account: bibnk #34
2022.10.18 13:34:52 MPL execute: /mystic/rcspause/rcspause.mpx
-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
-------->> end concerning entries <<--------------
2022.10.18 13:36:06 Saved draft message: E-mail
2022.10.18 13:36:06 Setting start menu: qlogin
2022.10.18 13:36:06 Shutting down
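A defender's check, added here as an example and not part of the original post or of Mystic itself: it scans Mystic node log lines for commands whose script lives in a node temp directory, ties each one to the most recent account creation, and decodes the reported completion value. It assumes that Mystic logs the raw wait status (so 32512 is exit code 127, the shell's "cannot open/not found" code) and that node temp dirs follow the /mystic/tempN/ pattern; both are assumptions, and the sample lines are constructed from the post above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the lines from the post that matter for this check.
SAMPLE_LOG = """\
2022.10.18 13:31:07 Executing: /mystic/themes/default/scripts/threatsentry/threatsentry-api.sh /mystic/temp2/ 135.148.161.187 2
2022.10.18 13:31:07 Execution complete: 0
2022.10.18 13:34:52 Created Account: bibnk #34
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
"""

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
TEMP_DIR_RE = re.compile(r"/mystic/temp\d*/")  # assumed node temp dir layout

def decode_status(raw):
    """Interpret a reported completion value. Assumption: values >= 256 are a raw
    wait() status, so the shell's exit code sits in the high byte (127 = not found)."""
    if raw < 256:
        return raw, "exit code"
    return raw >> 8, "decoded from raw wait status"

def find_temp_dir_executions(log_text, window=timedelta(minutes=5)):
    """Return one alert per command whose script path is inside a node temp dir,
    naming the account created within `window` before it (if any)."""
    last_created = None
    pending = None  # (timestamp, script) waiting for its "Execution complete" line
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Created Account:"):
            last_created = (ts, msg.split(":", 1)[1].strip())
        elif msg.startswith("Executing:"):
            parts = msg.split(":", 1)[1].split()
            # The first token may be an interpreter; the script is then the operand.
            script = parts[1] if parts[0] in ("sh", "bash") and len(parts) > 1 else parts[0]
            if TEMP_DIR_RE.match(script):
                pending = (ts, script)
        elif msg.startswith("Execution complete:") and pending:
            code, how = decode_status(int(msg.split(":", 1)[1]))
            linked = last_created if last_created and ts - last_created[0] <= window else None
            alerts.append({"time": pending[0], "script": pending[1], "exit_code": code,
                           "status_note": how, "after_account": linked[1] if linked else None})
            pending = None
    return alerts
```

Under that assumption the 32512 in the post decodes to 127, which is what sh returns when it cannot open the script it was given; that is consistent with no xfer.sh being found on the drive afterwards.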