BugTraq
Apache hacks (./atac, d0s.txt) Apr 29 2005 07:03PM Andrew Y Ng (ayn AndrewNg com) (10 replies)
Re: Apache hacks (./atac, d0s.txt) May 01 2005 03:11AM a.list.address (at) gmail (dot) com [email concealed] (a list address gmail com) (1 replies)
> kill it...
SIGKILL (Signal 9) cannot be blocked, so try:
kill -s SIGKILL <pid>
-or-
killall -KILL atac
> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='irc.gigachat.net' unless $servidor;
It's an IRC bot, should be obvious, but just commenting...
> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';
Again, there is no way to block SIGKILL (signal 9) for any program.
> # DCC
> package DCC;
This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done
so.
> notice("$pn", "\001Bot powered by DDOS TEAM\001");
This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrisome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten
out.
Good luck, and apologies if you already knew all of this.
--
Chris Umphress <http://daga.dyndns.org/>
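
The point made in the reply above about ignored signals versus SIGKILL, shown as an added example that is not part of the original post or of the quoted bot. The function names, the heartbeat file and the harmless stand-in process are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: a stand-in process ignores INT/HUP/TERM the way the quoted
# $SIG{...} = 'IGNORE' lines do. It only writes a heartbeat file (constructed).

# Start the stand-in and wait until its trap is installed (first heartbeat).
start_ignorer() {
    HEARTBEAT=$(mktemp)
    sh -c 'trap "" INT HUP TERM
           while :; do echo tick >> "$1"; sleep 1; done' _ "$HEARTBEAT" &
    IGNORER_PID=$!
    until [ -s "$HEARTBEAT" ]; do sleep 1; done
}

# Number of heartbeat lines written so far.
ticks() { echo $(( $(wc -l < "$HEARTBEAT") )); }

# Send each named signal, then return 0 only if the heartbeat keeps advancing.
# kill -0 is not used: it also succeeds for a dead but unreaped (zombie) child.
survives() {
    before=$(ticks)
    for sig in "$@"; do kill -s "$sig" "$IGNORER_PID"; done
    sleep 3
    [ "$(ticks)" -ge $((before + 2)) ]
}

# Reap the stand-in and return its wait status (128 + signal number if killed).
reap() {
    status=0
    wait "$IGNORER_PID" || status=$?
    rm -f "$HEARTBEAT"
    return "$status"
}

demo() {
    start_ignorer
    survives INT HUP TERM && echo "INT/HUP/TERM: still running"
    survives KILL || echo "KILL: stopped"
    reap || echo "wait status: $?"   # 137 = 128 + 9 (SIGKILL)
}

# Run the demonstration only when asked: sh sigkill_demo.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```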