Bugtraq mailing list archives
Re: Apache hacks (./atac, d0s.txt)
From: Chris Umphress <umphress () gmail com>
Date: Sat, 30 Apr 2005 00:46:37 -0700
> Looks like it ignores all the `kill` signals, not sure how I can actually kill it...

SIGKILL (Signal 9) cannot be blocked, so try:

    kill -s SIGKILL <pid>
-or-
    killall -KILL atac

> my @canais=("#bots ddos");
> my $nick='b0t';
> my $ircname = 'b0t';
> $servidor='irc.gigachat.net' unless $servidor;

It's an IRC bot, should be obvious, but just commenting...

> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';

Again, there is no way to block SIGKILL (signal 9) for any program.

> # DCC
> package DCC;

This is where things get really scary for you. DCC is the ability to send files over IRC. The bot could have sent almost anything (within certain permission ranges, we hope). Now is a very good time to disconnect the server from the internet if you have not already done so.

> notice("$pn", "\001Bot powered by DDOS TEAM\001");
This line seems to indicate that this bot is only designed to be part of a larger "bot-net" to DoS someone, but those DCC capabilities are worrisome. So, in addition to investigating how this got into your server, it would also be a good idea to check what might have gotten out.

Good luck, and apologies if you already knew all of this.

--
Chris Umphress <http://daga.dyndns.org/>
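A triage check for the signal handling discussed in this message, added here as an example and not part of the original post or of the bot's code: on Linux, the `SigIgn` field of `/proc/<pid>/status` is a bitmask of ignored signals, so a process set up like the quoted `$SIG{...} = 'IGNORE'` lines can be spotted before reaching for SIGKILL. The function names, the sample status text and the x86/ARM signal numbering are assumptions of this example.

```python
import glob
import re

# Linux signal numbers on x86/ARM (an assumption of this example).
# SIGKILL (9) is left out: the kernel refuses to ignore it, so its bit is never set.
SIGNALS = {1: "HUP", 2: "INT", 3: "QUIT", 15: "TERM", 17: "CHLD"}
POLITE = {"HUP", "INT", "TERM"}  # what a plain kill, Ctrl-C or a hangup would send

def ignored_signals(status_text):
    """Decode the SigIgn bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        return set()
    mask = int(m.group(1), 16)
    # Bit (n - 1) of the mask is set when signal n is ignored.
    return {name for num, name in SIGNALS.items() if mask & (1 << (num - 1))}

def ignores_polite_signals(status_text):
    """True when HUP, INT and TERM are all ignored, as in the quoted %SIG lines."""
    return POLITE <= ignored_signals(status_text)

# Constructed samples, not taken from a real host.
SAMPLE_BOT = "Name:\tperl\nPid:\t4242\nSigBlk:\t0000000000000000\nSigIgn:\t0000000000014003\n"
SAMPLE_SHELL = "Name:\tbash\nPid:\t1200\nSigBlk:\t0000000000010000\nSigIgn:\t0000000000380004\n"

if __name__ == "__main__":
    # Live scan: list every readable process that ignores HUP, INT and TERM.
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or is not readable
        if ignores_polite_signals(text):
            name = re.search(r"^Name:\s*(.*)$", text, re.MULTILINE)
            print(path.split("/")[2], name.group(1) if name else "?",
                  sorted(ignored_signals(text)))
```

Legitimate daemons also ignore some of these signals, so a hit is a lead to investigate rather than proof of compromise.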