concerning log entry...

<1952321854@f104.n142.z1.fidonet.org>


https://www.rocksolidbbs.com/computers/article-flat.php?id=1498&group=alt.bbs.mystic#1498

Newsgroups: alt.bbs.mystic
Path: i2pn2.org!i2pn.org!paganini.bofh.team!newsfeed.xs3.de!callisto.xs3.de!tncsrv06.tnetconsulting.net!csiph.com!news.bbs.nz!.POSTED.agency.bbs.nz!not-for-mail
From: nospam.Clive.Reuben@f104.n142.z1.fidonet.org (Clive Reuben)
Newsgroups: alt.bbs.mystic
Subject: concerning log entry...
Date: Tue, 18 Oct 2022 19:18:27 +1300
Organization: Agency HUB, Dunedin - New Zealand | bbs.nz/#Fidonet
Message-ID: <1952321854@f104.n142.z1.fidonet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Injection-Info: news.bbs.nz; posting-host="8IWYKlztXHa0+IViEdY46zrq8kpk7dC9fTbT74JiSDQ";
logging-data="12625"; mail-complaints-to="abuse@news.bbs.nz"
User-Agent: VSoup v1.2.9.47Beta [95/NT]
X-MailConverter: SoupGate-Win32 v1.05
X-Comment-To: All
 by: Clive Reuben - Tue, 18 Oct 2022 06:18 UTC

Apologies for the size of this log snippet, but has anyone seen a shell script
be executed from the node temp dir during the creation of a new account? I have
highlighted the concerning lines at the end of the log snippet. Is this a hack
or something benign?

I have tried to recreate it by uploading files during the sysop feedback
message (this is the time where the concerning shell file is executed during
account creation), but couldn't recreate the log entries as they are below...
nor could I find an xfer.sh file on the drive as is executed in the log.

Hopefully, someone else has seen this... and hopefully Mystic BBS's are not
being hacked... Thanks, for any help!

------------------- Node 2 (Mystic v1.12 A48 2022/07/15)
2022.10.18 13:30:46 Connect from 135.148.161.187 (ip187.ip-135-148-161.us)
2022.10.18 13:30:46 Country: United States of America
2022.10.18 13:30:47 Set time left 30
2022.10.18 13:30:47 MPL execute: /mystic/themes/default/scripts/connect.mpx
2022.10.18 13:30:47 Connect begin *********************************
2022.10.18 13:30:47 Connect end ***********************************
2022.10.18 13:30:52 MPL execute: /mystic/themes/default/scripts/startup.mpx
2022.10.18 13:30:52 Startup begin *********************************
2022.10.18 13:30:52 INFO: bbslock begin
2022.10.18 13:31:07 INFO: bbslock end
2022.10.18 13:31:07 INFO: threatsentry begin
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 Executing: /mystic/themes/default/scripts/threatsentry/threatsentry-api.sh /mystic/temp2/ 135.148.161.187 2
2022.10.18 13:31:07 Execution complete: 0
2022.10.18 13:31:07 INFO: User coordinates are: 37.750999450683594, -97.8219985961914
2022.10.18 13:31:07 INFO: API request count is: 7
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 MPL execute: /mystic/themes/default/scripts/threatsen.mpx
2022.10.18 13:31:07 INFO: User is calling from country: United States
2022.10.18 13:31:07 INFO: User local time is: 2022-10-18 13:31:07.860993-04:00
2022.10.18 13:31:07 INFO: User IP has no threat indicators
2022.10.18 13:31:12 INFO: threatsentry end
2022.10.18 13:31:12 INFO: runfirst begin
2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/openseq.mpx
2022.10.18 13:31:12 MPL execute: /mystic/themes/default/scripts/ansilines.mpx
2022.10.18 13:31:18 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:20 INFO: runfirst end
2022.10.18 13:31:20 Startup end ***********************************
2022.10.18 13:31:20 MPL execute: /mystic/themes/default/scripts/anim.mpx
2022.10.18 13:31:20 INFO: anim.mpx login begin
2022.10.18 13:31:29 INFO: anim.mpx login end
2022.10.18 13:31:30 INFO: Read backstory
2022.10.18 13:31:34 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:31:35 MPL execute: /mystic/themes/default/scripts/anim.mpx
2022.10.18 13:31:35 INFO: anim.mpx login begin
2022.10.18 13:31:46 INFO: anim.mpx login end
2022.10.18 13:32:22 INFO: Apply for access
2022.10.18 13:32:25 New user application
2022.10.18 13:34:16 MPL execute: /mystic/rcspause/rcspause.mpx
2022.10.18 13:34:52 Created Account: bibnk #34
2022.10.18 13:34:52 MPL execute: /mystic/rcspause/rcspause.mpx
-------->> start concerning entries <<------------
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
-------->> end concerning entries <<--------------
2022.10.18 13:36:06 Saved draft message: E-mail
2022.10.18 13:36:06 Setting start menu: qlogin
2022.10.18 13:36:06 Shutting down

|07-|15seeLive|08�|15{ "|07Sysop|15": ["|07oNyX bBs|15"] }

|15onyxbbs.mywire.org:2300-tel / :2200-ssh / onyxwww.mywire.org-web
|07fsxnet / fidonet / tqwnet / dovenet / gamenet / sfnet|14
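One thing a sysop can do with a snippet like the one above is decode the "Execution complete:" value rather than guess at it. On Unix the number Mystic logs there has the shape of a POSIX wait status: the child's exit code is the high byte and the low bits carry a signal number. 32512 is 127 shifted left by 8, and 127 is what `sh` returns when it cannot find or run the file it was handed, which is consistent with no xfer.sh being on the disk afterwards. The following Python script is an added example, not code from the post or from Mystic BBS: it pairs each "Executing:" line with its "Execution complete:" line, decodes the status under that wait-status assumption, and flags any script that lives in a node temp directory (the `/mystic/tempN/` pattern is taken from the posted log). The sample log lines are copied from the post above and embedded inline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines from the log quoted in the post above.
SAMPLE_LOG = """\
2022.10.18 13:31:07 Executing: /mystic/themes/default/scripts/threatsentry/threatsentry-api.sh /mystic/temp2/ 135.148.161.187 2
2022.10.18 13:31:07 Execution complete: 0
2022.10.18 13:34:52 Created Account: bibnk #34
2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
2022.10.18 13:36:06 Execution complete: 32512
"""

# Mystic log lines: "YYYY.MM.DD HH:MM:SS <message>"
LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
# Node temp directories as they appear in the posted log (/mystic/temp2/ for node 2).
TEMP_DIR_RE = re.compile(r"^/mystic/temp\d+/")


@dataclass
class Execution:
    when: str
    command: str
    status: Optional[int] = None  # raw value after "Execution complete:", if seen

    @property
    def exit_code(self) -> Optional[int]:
        # Assumption: the logged value is a POSIX wait status, so the exit code is the high byte.
        if self.status is None:
            return None
        return (self.status >> 8) & 0xFF

    @property
    def signal(self) -> Optional[int]:
        # Low 7 bits of a wait status hold the terminating signal (0 if exited normally).
        if self.status is None:
            return None
        return self.status & 0x7F

    @property
    def script_path(self) -> str:
        # For "sh /path/script.sh args" the script is the second token; otherwise the first.
        tokens = self.command.split()
        if tokens and tokens[0] in ("sh", "bash") and len(tokens) > 1:
            return tokens[1]
        return tokens[0] if tokens else ""

    @property
    def in_temp_dir(self) -> bool:
        # True when the executed script itself sits in a node temp directory.
        return TEMP_DIR_RE.match(self.script_path) is not None


def parse_executions(log_text: str) -> List[Execution]:
    """Pair each 'Executing:' line with the next 'Execution complete:' line."""
    execs: List[Execution] = []
    pending: Optional[Execution] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when, msg = m.groups()
        if msg.startswith("Executing: "):
            pending = Execution(when, msg[len("Executing: "):])
            execs.append(pending)
        elif msg.startswith("Execution complete: ") and pending is not None:
            pending.status = int(msg[len("Execution complete: "):])
            pending = None
    return execs


def describe(e: Execution) -> str:
    """Human-readable reading of the decoded status."""
    if e.status is None:
        return "no completion line"
    if e.signal:
        return f"killed by signal {e.signal}"
    code = e.exit_code
    if code == 127:
        return "exit 127 (shell could not find/run the command)"
    if code == 126:
        return "exit 126 (command found but not executable)"
    return f"exit {code}"


def report(log_text: str) -> List[Tuple[str, str, str, bool]]:
    """(timestamp, command, decoded status, executed-from-temp-dir) for each execution."""
    return [(e.when, e.command, describe(e), e.in_temp_dir) for e in parse_executions(log_text)]


if __name__ == "__main__":
    for when, cmd, status, from_temp in report(SAMPLE_LOG):
        flag = "  [script in node temp dir]" if from_temp else ""
        print(f"{when}  {cmd}  -> {status}{flag}")
```

Run against the posted lines it reports the threatsentry call as a clean exit 0 and the xfer.sh line as exit 127 from a script in the node temp directory, which is the combination worth a second look: a script the BBS tried to run from a user-writable area, and which was gone (or never there) by the time the sysop looked.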

Re: concerning log entry...

<2262614118@f100.n770.z3.fidonet.org>


https://www.rocksolidbbs.com/computers/article-flat.php?id=1499&group=alt.bbs.mystic#1499

Newsgroups: alt.bbs.mystic
Path: i2pn2.org!i2pn.org!news.neodome.net!csiph.com!news.bbs.nz!.POSTED.agency.bbs.nz!not-for-mail
From: nospam.Paul.Hayton@f100.n770.z3.fidonet.org (Paul Hayton)
Newsgroups: alt.bbs.mystic
Subject: Re: concerning log entry...
Date: Fri, 21 Oct 2022 21:31:13 +1300
Organization: Agency HUB, Dunedin - New Zealand | bbs.nz/#Fidonet
Message-ID: <2262614118@f100.n770.z3.fidonet.org>
References: <1952321854@f104.n142.z1.fidonet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: news.bbs.nz; posting-host="8IWYKlztXHa0+IViEdY46zrq8kpk7dC9fTbT74JiSDQ";
logging-data="7817"; mail-complaints-to="abuse@news.bbs.nz"
User-Agent: VSoup v1.2.9.47Beta [95/NT]
X-MailConverter: SoupGate-Win32 v1.05
X-Comment-To: Clive Reuben
 by: Paul Hayton - Fri, 21 Oct 2022 08:31 UTC

On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...
CR> -------->> start concerning entries <<------------
CR> 2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
CR> 2022.10.18 13:36:06 Execution complete: 32512
CR> -------->> end concerning entries <<--------------

Here we go, found it. It's mentioned in whatsnew.txt from back in the
development of 1.08

[snip]

+ Added the ability to execute an MPL program instead of the command line
for a protocol. By starting your command line with a !, you can have
Mystic run a MPE program. For example:

send Command: !test %1 %2 %3

The above would execute test.mpe from your scripts directory and pass
the results of the %1 %2 %3 protocol MCI codes as command parameters to
the MPL program. Keep in mind that if you do use this to execute some
type of protocol, you must set the DSZLOG environment variable yourself
and have it point to the current node's temp directory as xfer.log. Mystic
will also create an xfer.bat or xfer.sh (depending on operating system)
which can also be executed.

[snip]

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going'
avon[at]bbs.nz | bbs.nz | fsxnet.nz

Re: concerning log entry...

<1233288195@f100.n770.z3.fidonet.org>


https://www.rocksolidbbs.com/computers/article-flat.php?id=1500&group=alt.bbs.mystic#1500

Newsgroups: alt.bbs.mystic
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!news.bbs.nz!.POSTED.agency.bbs.nz!not-for-mail
From: nospam.Paul.Hayton@f100.n770.z3.fidonet.org (Paul Hayton)
Newsgroups: alt.bbs.mystic
Subject: Re: concerning log entry...
Date: Fri, 21 Oct 2022 21:25:08 +1300
Organization: Agency HUB, Dunedin - New Zealand | bbs.nz/#Fidonet
Message-ID: <1233288195@f100.n770.z3.fidonet.org>
References: <1952321854@f104.n142.z1.fidonet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: news.bbs.nz; posting-host="8IWYKlztXHa0+IViEdY46zrq8kpk7dC9fTbT74JiSDQ";
logging-data="7817"; mail-complaints-to="abuse@news.bbs.nz"
User-Agent: VSoup v1.2.9.47Beta [95/NT]
X-Comment-To: Clive Reuben
X-MailConverter: SoupGate-Win32 v1.05
 by: Paul Hayton - Fri, 21 Oct 2022 08:25 UTC

On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...
CR> Hopefully, someone else has seen this... and hopefully Mystic BBS's are
CR> not being hacked... Thanks, for any help!

[snip]

CR> -------->> start concerning entries <<------------
CR> 2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
CR> 2022.10.18 13:36:06 Execution complete: 32512

I think it is created by a Mystic process but g00r00 will be able to confirm.

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going'
avon[at]bbs.nz | bbs.nz | fsxnet.nz

Re: concerning log entry...

<823992732@f104.n142.z1.fidonet.org>


https://www.rocksolidbbs.com/computers/article-flat.php?id=1501&group=alt.bbs.mystic#1501

Newsgroups: alt.bbs.mystic
Path: i2pn2.org!i2pn.org!news.bbs.nz!.POSTED.agency.bbs.nz!not-for-mail
From: nospam.Clive.Reuben@f104.n142.z1.fidonet.org (Clive Reuben)
Newsgroups: alt.bbs.mystic
Subject: Re: concerning log entry...
Date: Fri, 21 Oct 2022 13:11:52 +1300
Organization: Agency HUB, Dunedin - New Zealand | bbs.nz/#Fidonet
Message-ID: <823992732@f104.n142.z1.fidonet.org>
References: <2262614118@f100.n770.z3.fidonet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Injection-Info: news.bbs.nz; posting-host="8IWYKlztXHa0+IViEdY46zrq8kpk7dC9fTbT74JiSDQ";
logging-data="16054"; mail-complaints-to="abuse@news.bbs.nz"
User-Agent: VSoup v1.2.9.47Beta [95/NT]
X-MailConverter: SoupGate-Win32 v1.05
X-Comment-To: Paul Hayton
 by: Clive Reuben - Fri, 21 Oct 2022 00:11 UTC

On 21 Oct 2022, Paul Hayton said the following...
PH> On 18 Oct 2022 at 07:18p, Clive Reuben pondered and said...
PH>
PH> CR> -------->> start concerning entries <<------------
PH> CR> 2022.10.18 13:36:06 Executing: sh /mystic/temp2/xfer.sh
PH> CR> 2022.10.18 13:36:06 Execution complete: 32512
PH> CR> -------->> end concerning entries <<--------------
PH>
PH> Here we go, found it. It's mentioned in whatsnew.txt from back in the
PH> development of 1.08
PH>
PH> [snip]
PH>
PH> + Added the ability to execute an MPL program instead of the command line
PH> for a protocol. By starting your command line with a !, you can have
PH> Mystic run a MPE program. For example:
PH>
PH> send Command: !test %1 %2 %3
PH>
PH> The above would execute test.mpe from your scripts directory and pass
PH> the results of the %1 %2 %3 protocol MCI codes as command parameters
PH> to the MPL program. Keep in mind that if you do use this to execute
PH> some type of protocol, you must set the DSZLOG environment variable
PH> yourself and have it point to the current node's temp directory as
PH> xfer.log. Mystic will also create an xfer.bat or xfer.sh (depending
PH> on operating system) which can also be executed.

Ok... So, it really is just a normal system function then? I could not find it
anywhere else in the logs and couldn't recreate it... Thanks, very much for
letting me know!!! Much appreciated!

|07-|15seeLive|08�|15{ "|07Sysop|15": ["|07oNyX bBs|15"] }

|15onyxbbs.mywire.org:2300-tel / :2200-ssh / onyxwww.mywire.org-web
|07fsxnet / fidonet / tqwnet / dovenet / gamenet / sfnet|14

Re: concerning log entry...

<4205391011@f100.n770.z3.fidonet.org>


https://www.rocksolidbbs.com/computers/article-flat.php?id=1502&group=alt.bbs.mystic#1502

Newsgroups: alt.bbs.mystic
Path: i2pn2.org!i2pn.org!news.bbs.nz!.POSTED.agency.bbs.nz!not-for-mail
From: nospam.Paul.Hayton@f100.n770.z3.fidonet.org (Paul Hayton)
Newsgroups: alt.bbs.mystic
Subject: Re: concerning log entry...
Date: Sun, 23 Oct 2022 13:51:36 +1300
Organization: Agency HUB, Dunedin - New Zealand | bbs.nz/#Fidonet
Message-ID: <4205391011@f100.n770.z3.fidonet.org>
References: <823992732@f104.n142.z1.fidonet.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: news.bbs.nz; posting-host="8IWYKlztXHa0+IViEdY46zrq8kpk7dC9fTbT74JiSDQ";
logging-data="16824"; mail-complaints-to="abuse@news.bbs.nz"
User-Agent: VSoup v1.2.9.47Beta [95/NT]
X-MailConverter: SoupGate-Win32 v1.05
X-Comment-To: Clive Reuben
 by: Paul Hayton - Sun, 23 Oct 2022 00:51 UTC

On 21 Oct 2022 at 01:11p, Clive Reuben pondered and said...
CR> Ok... So, it really is just a normal system function then? I could not
CR> find it anywhere else in the logs and couldn't recreate it... Thanks,
CR> very much for letting me know!!! Much appreciated!

No prob, glad I could help :)

Kerr Avon [Blake's 7] 'I'm not expendable, I'm not stupid and I'm not going'
avon[at]bbs.nz | bbs.nz | fsxnet.nz
