mailing list archives
Re: Apache hacks (./atac, d0s.txt)
From: Nick Bright <nick-tech () terraworld net>
Date: Mon, 02 May 2005 16:35:15 -0500
I have also had two servers compromised in a similar manner. Both
machines were running White Box Enterprise Linux 3.0 (RedHat EL clone,
for those not familier), and both were up to date with all the latest
patches (I update weekly, except for the kernel).
On the first machine, about two or three weeks ago, I discovered a shell
running a perl script out of /tmp which was a UDP DDoS zombie program.
As far as I could tell, it got in through PHP somewhere, but I couldn't
tell where for sure. It's possible it came in through a vulnerable
phpBB2 installation, but I can not say for sure.
The second machine, which has been the subject of DDoS attacking for the
past week (about 40 megabits of inbound UDP traffic hitting the machine
for around 30 to 40 minutes, at random periods), ended up being a DDoS
zombie as well - sevearly effecting my systems by consuming all of my
bandwidth. This one definately got in through php, as I found several
php files containing a "phpshell" program which was obviously used to
execute the shell commands which started a "sh -c ./stealth <ip
address>" process which DOS'd the target host. However, I really have no
idea /how/ this happened.
I have also heard from other people 'round the net and IRC that this is
happening to a lot of servers. Is this a security vulnerability in
Apache2/PHP, or simply a case of an exploitable configuration that many
Some notes I've made on the situation, nearly all attacking hosts have
been IP addresses that are assigned through RIPE (thus, are in europe)
They appear to be compromised servers. One IP address making repeated
requests for the now removed phpshell file is 126.96.36.199, also
assigned through RIPE. Another odd thing was that 188.8.131.52 made
quite a few requests of my server searching for things like "/forum",
"/phpBB", "/bb" and the like, obviously looking for exploitable phpBB
I have no evidence to say such, but I think the attacks I was on the
receiving end of, are the same type of attack that was being dished out.
I have the UDP flooder script that was deposited in /tmp on the first
server, but (oddly) I couldn't locate the "stealth" script on the second
server. Try as I might, I could not locate a file by that name on the
On Sat, 2005-04-30 at 22:11, a.list.address () gmail com wrote:
Looks like someone was trying to use your server as a DDoS zombie.
What kind of Perl or PHP scripts are on your server? Look in your
Apache access log for POST requests that may have uploaded one of
these files, or GET/POST requests that may have uploaded a URL to
download one of these files. See if you can figure out how it got on
- Nick Bright