Re: Apache hacks (./atac, d0s.txt)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Apache hacks (./atac, d0s.txt)
From: "a.list.address@xxxxxxxxx" <a.list.address@xxxxxxxxx>
Date: Sat, 30 Apr 2005 22:11:48 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=NxCqcv8pCEzEVIJB+C8AWcvppi6lURrKcPjlm/Z5jX3zWbKZT5cjpKjKIJGEwUNvOnt29L7DAHKfRe+dx8MEdNrXd0XqqMM7NfjYk1299xqHArc7QIj8qG4Bx/PXxXfL+YICYX/BT33aIL5wXn9NJaX0iF+RyKhPF+2hO7n66Gw=
In-reply-to: <20050429190358.GA3757@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050429190358.GA3757@xxxxxxxxxxxx>
Reply-to: "a.list.address@xxxxxxxxx" <a.list.address@xxxxxxxxx>

Looks like someone was trying to use your server as a DDoS zombie. 
What kind of Perl or PHP scripts are on your server?  Look in your
Apache access log for POST requests that may have uploaded one of
these files, or GET/POST requests that may have uploaded a URL to
download one of these files.  See if you can figure out how it got on
your server.

Follow-Ups:
- Re: Apache hacks (./atac, d0s.txt)
  - From: Nick Bright

References:
- Apache hacks (./atac, d0s.txt)
  - From: Andrew Y Ng

Prev by Date: Insecure pty permissions in OS X < 10.4
Next by Date: Microsoft WINS Vulnerability + OS/SP Scanner
Previous by thread: Apache hacks (./atac, d0s.txt)
Next by thread: Re: Apache hacks (./atac, d0s.txt)
Index(es):
- Date
- Thread