lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 30 Apr 2005 00:46:37 -0700
From: Chris Umphress <>
To: Andrew Y Ng <>
Subject: Re: Apache hacks (./atac, d0s.txt)

> Looks like it ignores all the `kill` signals, not sure how I can actually
> kill it...

SIGKILL (Signal 9) cannot be blocked, so try:

kill -s SIGKILL <pid>
killall -KILL atac

> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='' unless $servidor;

It's an IRC bot, should be obvious, but just commenting...

> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';

Again, there is no way to block SIGKILL (signal 9) for any program

> # DCC
> package DCC;

This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done

> notice("$pn", "\001Bot powered by DDOS TEAM\001");

This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrysome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten

Good luck, and apologies if you already knew all of this.

Chris Umphress <>

Powered by blists - more mailing lists