PHP hacks (./atac, d0s.txt)

Some weird stuff happening on my server today, please leave comments if you know of anything about this…

UPDATE: found it, I think it might’ve got in via phpnuke…

I posted to bugtraq and people there are VERY helpful! Thanks a lot guys… I have turned on mod_security with Apache and I’m gonna go over the logs to see where exactly it came from in a little while…

I found the included script in /var/tmp called d0s.txt.

I found a bunch of processes called ./atac 20 running, and found the
following content in /tmp/atac:

http://andrewng.com/tmp/atac.tbz

here’s d0s.txt: http://andrewng.com/tmp/d0s.txt.bz2

2 Responses to PHP hacks (./atac, d0s.txt)

  1. openedge1 May 2, 2005 at 9:55 am #

    Hello
    Over the weekend, we also found this folder, with some script files (written in spanish like yours.) We do not use PHPNuke, but instead Typo3 for our server.
    We found failed ssh attempts on our server and the following in our log files
    kernel SIGNAL 11 grsec /home/wwws/ /a/atac[atac:31913]

    This points to an alternate issue, but we found the same folders, and some we cannot remove.
    Is this a NEW hack maybe…
    Interesting.
    Thank you
    Raymond Hayes

  2. ayn May 2, 2005 at 10:14 am #

    Hi Raymond,

    Thanks for the comments…

    Yeah, I examined my phpbb board and it is up-to-date so the viewtopic.php hack shouldn’t work… I’m not sure if it were really phpnuke, but that is the most likely culprit, mainly because it is huge and there have been numerous security problems with it. This hack just pulled the trigger for me, I am shutting off my nuke site, I kept it pretty much only because of the user database integration it had with Gallery.

    –Andrew

Leave a Reply