Message-ID: <1f29b89405043000465a7e43c5@mail.gmail.com>
Date: Sat, 30 Apr 2005 00:46:37 -0700
From: Chris Umphress <umphress@...il.com>
To: Andrew Y Ng <ayn@...rewng.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Apache hacks (./atac, d0s.txt)
> Looks like it ignores all the `kill` signals, not sure how I can actually
> kill it...
SIGKILL (Signal 9) cannot be blocked, so try:
kill -s SIGKILL <pid>
-or-
killall -KILL atac
> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='irc.gigachat.net' unless $servidor;
It's an IRC bot, should be obvious, but just commenting...
> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';
Again, there is no way to block SIGKILL (signal 9) for any program.
> # DCC
> package DCC;
This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done
so.
> notice("$pn", "\001Bot powered by DDOS TEAM\001");
This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrisome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten
out.
Good luck, and apologies if you already knew all of this.
--
Chris Umphress <http://daga.dyndns.org/>
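The point made twice above (a program can ignore SIGTERM but never SIGKILL), as an added Python example that is not code from the original thread: it spawns a constructed stand-in child that ignores INT/HUP/TERM the way the quoted %SIG lines do, confirms that SIGKILL is refused the IGNORE disposition, and escalates from SIGTERM to SIGKILL, checking that the process is really gone before reporting which signal ended it.

```python
import os
import signal
import time

def can_ignore(name):
    """Try to set SIG_IGN for the named signal, then restore the old disposition.
    SIGKILL (and SIGSTOP) are refused with EINVAL: no %SIG entry can block them."""
    signum = getattr(signal, name)
    try:
        old = signal.signal(signum, signal.SIG_IGN)
    except (OSError, ValueError):
        return False
    signal.signal(signum, old)
    return True

def spawn_stubborn_child(seconds=60):
    """Constructed stand-in for the bot: ignores INT/HUP/TERM like the quoted %SIG
    lines, then sleeps.  The pipe makes the parent wait until handlers are set."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(r)
        for s in (signal.SIGINT, signal.SIGHUP, signal.SIGTERM):
            signal.signal(s, signal.SIG_IGN)
        os.write(w, b"x")
        os.close(w)
        time.sleep(seconds)
        os._exit(0)
    os.close(w)  # parent
    os.read(r, 1)
    os.close(r)
    return pid

def is_alive(pid):
    """True while the child has not exited, or has exited but is not yet reaped."""
    try:
        wpid, _ = os.waitpid(pid, os.WNOHANG)
    except ChildProcessError:  # already reaped
        return False
    return wpid == 0

def stop_process(pid, grace=0.5):
    """Escalate as the reply suggests: SIGTERM first, SIGKILL if it is still there."""
    os.kill(pid, signal.SIGTERM)
    time.sleep(grace)
    if not is_alive(pid):
        return "SIGTERM"
    os.kill(pid, signal.SIGKILL)
    os.waitpid(pid, 0)  # blocks until the kernel has torn the process down
    return "SIGKILL"
```

Against a process you did not spawn (like the real `atac`), `kill -s SIGKILL <pid>` followed by `kill -0 <pid>` is the shell equivalent of the final check; a surviving pid after SIGKILL means you are looking at the wrong process or a respawning parent.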