Bugtraq mailing list archives

Re: Apache hacks (./atac, d0s.txt)
From: Chris Umphress <umphress () gmail com>
Date: Sat, 30 Apr 2005 00:46:37 -0700

> Looks like it ignores all the `kill` signals, not sure how I can actually
> kill it...

SIGKILL (Signal 9) cannot be blocked, so try:

kill -s SIGKILL <pid>
-or-
killall -KILL atac


> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='irc.gigachat.net' unless $servidor;

It's an IRC bot, should be obvious, but just commenting...


> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';

Again, there is no way to block SIGKILL (signal 9) for any program.


> # DCC
> package DCC;

This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done
so.

> notice("$pn", "\001Bot powered by DDOS TEAM\001");

This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrisome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten
out.

Good luck, and apologies if you already knew all of this.

-- 
Chris Umphress <http://daga.dyndns.org/>
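
The point made in this message, that setting INT, HUP and TERM to 'IGNORE' does not protect a process from SIGKILL, as an added example that is not part of the original post or of the bot's code. It goes slightly further by decoding the Linux `SigIgn` mask from `/proc/<pid>/status`; the stand-in process and all function and variable names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed stand-in for the bot: a plain `sleep` started with INT, HUP and
# TERM ignored, the same dispositions the quoted $SIG{...} = 'IGNORE' lines set.
# All function and variable names here are hypothetical.

# Ignored dispositions survive fork and exec, so they are set in the parent
# first; the child is never in a state where TERM would still end it.
start_stub() {
    trap '' INT HUP TERM
    sleep 300 >/dev/null 2>&1 &
    STUB_PID=$!
    trap - INT HUP TERM
}

# Control case: an ordinary child that ignores nothing.
start_plain() {
    sleep 300 >/dev/null 2>&1 &
    PLAIN_PID=$!
}

# Send TERM, allow a grace period, then KILL. ENDED_BY is set to the number of
# the signal that actually ended the child (wait reports 128 + signal number).
stop_child() {
    kill -s TERM "$1" 2>/dev/null || true
    sleep 1
    kill -s KILL "$1" 2>/dev/null || true
    status=0
    wait "$1" 2>/dev/null || status=$?
    ENDED_BY=$((status - 128))
}

# Linux only: SigIgn in /proc/<pid>/status is a hex bitmask in which
# bit (n - 1) set means signal n is ignored.
sigign_of() { sed -n 's/^SigIgn:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null || true; }

# Succeeds if hex mask $1 has signal number $2 marked as ignored.
mask_ignores() { [ $(( (0x$1 >> ($2 - 1)) & 1 )) -eq 1 ]; }

start_stub
mask=$(sigign_of "$STUB_PID")
if [ -n "$mask" ] && mask_ignores "$mask" 15 && ! mask_ignores "$mask" 9; then
    echo "SigIgn=$mask: TERM is ignored, KILL is not"
fi
stop_child "$STUB_PID"
echo "stand-in ended by signal $ENDED_BY"
```

On a real host the suspect process is not a child of your shell, so `wait` does not apply; confirm it is gone with `ps -p <pid>` instead.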

