lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 02 May 2005 16:35:15 -0500
From: Nick Bright <>
Subject: Re: Apache hacks (./atac, d0s.txt)

I have also had two servers compromised in a similar manner. Both
machines were running White Box Enterprise Linux 3.0 (RedHat EL clone,
for those not familier), and both were up to date with all the latest
patches (I update weekly, except for the kernel).

On the first machine, about two or three weeks ago, I discovered a shell
running a perl script out of /tmp which was a UDP DDoS zombie program.
As far as I could tell, it got in through PHP somewhere, but I couldn't
tell where for sure. It's possible it came in through a vulnerable
phpBB2 installation, but I can not say for sure.

The second machine, which has been the subject of DDoS attacking for the
past week (about 40 megabits of inbound UDP traffic hitting the machine
for around 30 to 40 minutes, at random periods), ended up being a DDoS
zombie as well - sevearly effecting my systems by consuming all of my
bandwidth. This one definately got in through php, as I found several
php files containing a "phpshell" program which was obviously used to
execute the shell commands which started a "sh -c ./stealth <ip
address>" process which DOS'd the target host. However, I really have no
idea /how/ this happened.

I have also heard from other people 'round the net and IRC that this is
happening to a lot of servers. Is this a security vulnerability in
Apache2/PHP, or simply a case of an exploitable configuration that many
people use?

Some notes I've made on the situation, nearly all attacking hosts have
been IP addresses that are assigned through RIPE (thus, are in europe)
They appear to be compromised servers. One IP address making repeated
requests for the now removed phpshell file is, also
assigned through RIPE. Another odd thing was that made
quite a few requests of my server searching for things like "/forum",
"/phpBB", "/bb" and the like, obviously looking for exploitable phpBB

I have no evidence to say such, but I think the attacks I was on the
receiving end of, are the same type of attack that was being dished out.
I have the UDP flooder script that was deposited in /tmp on the first
server, but (oddly) I couldn't locate the "stealth" script on the second
server. Try as I might, I could not locate a file by that name on the

On Sat, 2005-04-30 at 22:11, wrote:
> Looks like someone was trying to use your server as a DDoS zombie. 
> What kind of Perl or PHP scripts are on your server?  Look in your
> Apache access log for POST requests that may have uploaded one of
> these files, or GET/POST requests that may have uploaded a URL to
> download one of these files.  See if you can figure out how it got on
> your server.
- Nick Bright
  Terraworld, Inc
  888-332-1616 x315

Powered by blists - more mailing lists