Re: Apache hacks (./atac, d0s.txt)

• Previous message: Gunter Ollmann (NGS): "Can't trust COMODO"
• Maybe in reply to: a.list.address_at_gmail.com: "Re: Apache hacks (./atac, d0s.txt)"
• Next in thread: Sagiko: "Re: Apache hacks (./atac, d0s.txt)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 30 Apr 2005 00:46:37 -0700
To: Andrew Y Ng <ayn@andrewng.com>

> Looks like it ignores all the `kill` signals, not sure how I can actually
> kill it...

SIGKILL (Signal 9) cannot be blocked, so try:

kill -s SIGKILL <pid>
-or-
killall -KILL atac

> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='irc.gigachat.net' unless $servidor;

It's an IRC bot, should be obvious, but just commenting...

> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';

Again, there is no way to block SIGKILL (signal 9) for any program

> # DCC
> package DCC;

This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done
so.

> notice("$pn", "\001Bot powered by DDOS TEAM\001");

This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrysome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten
out.

Good luck, and apologies if you already knew all of this.

-- 
Chris Umphress <http://daga.dyndns.org/>

• Previous message: Gunter Ollmann (NGS): "Can't trust COMODO"
• Maybe in reply to: a.list.address_at_gmail.com: "Re: Apache hacks (./atac, d0s.txt)"
• Next in thread: Sagiko: "Re: Apache hacks (./atac, d0s.txt)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]