Apologies for the size of this log snippet, but has anyone seen a shell script be executed from the node temp dir during the creation of a new account? I have highlighted the concerning lines at the end of the log snippet. Is this a hack or something benign?

I have tried to recreate it by uploading files during the sysop feedback message (this is the time where the concerning shell file is executed during account creation), but couldn't recreate the log entries as they are below... nor could I find an xfer.sh file on the drive as is executed in the log.

Hopefully, someone else has seen this... and hopefully Mystic BBS's are not being hacked... Thanks, for any help!


------------------- Node 2 (Mystic v1.12 A48 2022/07/15)
2022.10.18 13:30:46 Connect from 135.148.161.187 (ip187.ip-135-148-161.us) 2022.10.18 13:30:46 Country: United States of America
2022.10.18 13:30:47 Set time left 30
2022.10.18 13:30:47 MPL execute: /mystic/themes/default/scripts/connect.mpx 2022.10.18 13:30:47 Connect begin *********************************
2022.10.18 13:30:47 Connect end ***********************************
2022.10.18 13:30:52 MPL execute: /mystic/themes/default/scripts/startup.mpx 2022.10.18 13:30:52 Startup begin *********************************
2022.10.18 13:30:52 INFO: bbslock begin
2022.10.18 13:31:07 INFO: bbslock end
2022.10.18 13:31:07 INFO: threatsentry begin
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx 2022.10.18 13:31:07 Executing: /mystic/themes/default/scripts/threatsentry/threa
tsentry-api.sh /mystic/temp2/ 135.148.161.187 2
2022.10.18 13:31:07 Execution complete: 0
2022.10.18 13:31:07 INFO: User coordinates are: 37.750999450683594, -97.82199859
61914
2022.10.18 13:31:07 INFO: API request count is: 7
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx 2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx 2022.10.18 13:31:07 INFO: User is calling from country: United States 2022.10.18 13:31:07 INFO: User local time is: 2022-10-18 13:31:07.860993-04:00 2022.10.18 13:31:07 INFO: User IP has no threat indicators
2022.10.18 13:31:12 INFO: threatsentry end
2022.10.18 13:31:12 INFO: runfirst begin
2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/openseq.mpx 2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/ansilines.mpx 2022.10.18 13:31:18 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:20 INFO: runfirst end
2022.10.18 13:31:20 Startup end ***********************************
2022.10.18 13:31:20 MPL execute: /mystic/themes/default/scripts/anim.mpx 2022.10.18 13:31:20 INFO: anim.mpx login begin
2022.10.18 13:31:29 INFO: anim.mpx login end
2022.10.18 13:31:30 INFO: Read backstory
2022.10.18 13:31:34 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:35 MPL execute: /mystic/themes/default/scripts/anim.mpx 2022.10.18 13:31:35 INFO: anim.mpx login begin
2022.10.18 13:31:46 INFO: anim.mpx login end
2022.10.18 13:32:22 INFO: Apply for access
2022.10.18 13:32:25 New user application
2022.10.18 13:34:16 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:34:52 Created Account: bibnk #34
2022.10.18 13:34:52 MPL execute: /mystic/rcspause/rcspause.mpx
-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
-------->> end concerning entries <<--------------
2022.10.18 13:36:06 Saved draft message: E-mail
2022.10.18 13:36:06 Setting start menu: qlogin
2022.10.18 13:36:06 Shutting down

|07-|15seeLive|08─|15{ "|07Sysop|15": ["|07oNyX bBs|15"] }

|15onyxbbs.mywire.org:2300-tel / :2200-ssh / onyxwww.mywire.org-web
|07fsxnet / fidonet / tqwnet / dovenet / gamenet / sfnet|14

--- Mystic BBS v1.12 A48 2022/07/15 (Raspberry Pi/32)
* Origin: oNyX bBs - onyxbbs.mywire.org:2300/2200 (1:142/104)

On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...

Hopefully, someone else has seen this... and hopefully Mystic BBS's are not being hacked... Thanks, for any help!

[snip]

-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512

I think it is created by a Mystic process but g00r00 will be able to confirm.

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...

-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
-------->> end concerning entries <<--------------

Here we go, found it. It's mentioned in whatsnew.txt from back in the development of 1.08

[snip]

+ Added the ability to execute an MPL program instead of the command line
for a protocol. By starting your command line with a !, you can have
Mystic run a MPE program. For example:

send Command: !test %1 %2 %3

The above would execute test.mpe from your scripts directory and pass
the results of the %1 %2 %3 protocol MCI codes as command parameters to
the MPL program. Keep in mind that if you do use this to execute some
type of protocol, you must set the DSZLOG environment variable yourself
and have it point to the current node's temp directory as xfer.log. Mystic
will also create an xfer.bat or xfer.sh (depending on operating system) which
can also be executed.

[snip]

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)

On 21 Oct 2022, Paul Hayton said the following...

On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...

-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
-------->> end concerning entries <<--------------

Here we go, found it. It's mentioned in whatsnew.txt from back in the development of 1.08

[snip]

+ Added the ability to execute an MPL program instead of the command line
for a protocol. By starting your command line with a !, you can have
Mystic run a MPE program. For example:

send Command: !test %1 %2 %3

The above would execute test.mpe from your scripts directory and pass
the results of the %1 %2 %3 protocol MCI codes as command parameters
to the MPL program. Keep in mind that if you do use this to execute some type of protocol, you must set the DSZLOG environment variable yourself and have it point to the current node's temp directory as xfer.log. Mystic will also create an xfer.bat or xfer.sh (depending
on operating system) which
can also be executed.

Ok... So, it really is just a normal system function then? I could not find it anywhere else in the logs and couldn't recreate it... Thanks, very much for letting me know!!! Much appreciated!

|07-|15seeLive|08─|15{ "|07Sysop|15": ["|07oNyX bBs|15"] }

|15onyxbbs.mywire.org:2300-tel / :2200-ssh / onyxwww.mywire.org-web
|07fsxnet / fidonet / tqwnet / dovenet / gamenet / sfnet|14

--- Mystic BBS v1.12 A48 2022/07/15 (Raspberry Pi/32)
* Origin: oNyX bBs - onyxbbs.mywire.org:2300/2200 (1:142/104)

On 21 Oct 2022 at 01:11p, Clive Reuben pondered and said...

Ok... So, it really is just a normal system function then? I could not find it anywhere else in the logs and couldn't recreate it... Thanks,
very much for letting me know!!! Much appreciated!

No prob, glad I could help :)

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going' avon[at]bbs.nz | bbs.nz | fsxnet.nz

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (3:770/100)