
Re: Apache hacks (./atac, d0s.txt)



I have also had two servers compromised in a similar manner. Both
machines were running White Box Enterprise Linux 3.0 (RedHat EL clone,
for those not familiar), and both were up to date with all the latest
patches (I update weekly, except for the kernel).

On the first machine, about two or three weeks ago, I discovered a shell
running a perl script out of /tmp which was a UDP DDoS zombie program.
As far as I could tell, it got in through PHP somewhere, but I couldn't
tell where for sure. It's possible it came in through a vulnerable
phpBB2 installation, but I cannot say for sure.

The second machine, which has been the subject of DDoS attacking for the
past week (about 40 megabits of inbound UDP traffic hitting the machine
for around 30 to 40 minutes, at random periods), ended up being a DDoS
zombie as well - severely affecting my systems by consuming all of my
bandwidth. This one definitely got in through php, as I found several
php files containing a "phpshell" program which was obviously used to
execute the shell commands which started a "sh -c ./stealth <ip
address>" process which DOS'd the target host. However, I really have no
idea /how/ this happened.

I have also heard from other people 'round the net and IRC that this is
happening to a lot of servers. Is this a security vulnerability in
Apache2/PHP, or simply a case of an exploitable configuration that many
people use?

Some notes I've made on the situation: nearly all attacking hosts have
been IP addresses that are assigned through RIPE (thus, are in Europe).
They appear to be compromised servers. One IP address making repeated
requests for the now removed phpshell file is 83.103.184.208, also
assigned through RIPE. Another odd thing was that 69.218.121.228 made
quite a few requests of my server searching for things like "/forum",
"/phpBB", "/bb" and the like, obviously looking for exploitable phpBB
installations.

I have no evidence to say such, but I think the attacks I was on the
receiving end of are the same type of attack that was being dished out.
I have the UDP flooder script that was deposited in /tmp on the first
server, but (oddly) I couldn't locate the "stealth" script on the second
server. Try as I might, I could not locate a file by that name on the
filesystem.

On Sat, 2005-04-30 at 22:11, a.list.address@xxxxxxxxx wrote:
> Looks like someone was trying to use your server as a DDoS zombie. 
> What kind of Perl or PHP scripts are on your server?  Look in your
> Apache access log for POST requests that may have uploaded one of
> these files, or GET/POST requests that may have uploaded a URL to
> download one of these files.  See if you can figure out how it got on
> your server.
-- 
- Nick Bright
  Terraworld, Inc
  888-332-1616 x315
  http://home.terraworld.net
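As an added example, not code from the original thread or from either poster: a small Python triage script that applies the quoted advice to constructed Apache combined-format access log lines, flagging POSTs to PHP scripts, requests that carry a remote URL in the query string, and hosts that repeatedly probe (with 404 results) for the "/forum", "/phpBB" and "/bb" style paths mentioned in the post. The IP addresses, paths and timestamps in the sample are constructed, not taken from the incident.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2005:21:58:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [30/Apr/2005:22:01:13 +0000] "GET /forum/ HTTP/1.0" 404 210 "-" "libwww-perl/5.79"
198.51.100.23 - - [30/Apr/2005:22:01:14 +0000] "GET /phpBB/ HTTP/1.0" 404 210 "-" "libwww-perl/5.79"
198.51.100.23 - - [30/Apr/2005:22:01:15 +0000] "GET /bb/ HTTP/1.0" 404 210 "-" "libwww-perl/5.79"
198.51.100.23 - - [30/Apr/2005:22:05:40 +0000] "GET /forum/viewtopic.php?url=http://203.0.113.99/x.txt HTTP/1.0" 200 1800 "-" "libwww-perl/5.79"
198.51.100.23 - - [30/Apr/2005:22:06:02 +0000] "POST /images/phpshell.php HTTP/1.0" 200 900 "-" "Mozilla/4.0"
203.0.113.7 - - [30/Apr/2005:22:07:10 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 6400 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line, status and size from the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path prefixes the post describes being probed for exploitable phpBB installs.
PROBE_PREFIXES = ("/forum", "/phpbb", "/bb")

def triage(log_text):
    """Return (findings, probes): findings is a list of (ip, reason, path);
    probes counts 404 hits per IP against the phpBB-style prefixes."""
    findings = []
    probes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        lower = path.lower()
        query = lower.partition("?")[2]
        if method == "POST" and ".php" in lower:
            findings.append((ip, "POST to PHP script", path))   # possible upload/shell use
        if "://" in query:
            findings.append((ip, "remote URL in request", path))  # URL passed as a parameter
        if status == "404" and lower.startswith(PROBE_PREFIXES):
            probes[ip] += 1
    return findings, probes

def scanners(probes, min_hits=3):
    """IPs that probed for forum paths at least min_hits times, sorted."""
    return sorted(ip for ip, n in probes.items() if n >= min_hits)

if __name__ == "__main__":
    found, hits = triage(SAMPLE_LOG)
    for ip, reason, path in found:
        print(f"{ip}: {reason}: {path}")
    print("likely scanners:", scanners(hits))
```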