[PLUG] Possible hack attempt on my server
Auke Kok
sofar at foo-projects.org
Thu Jun 8 22:38:58 UTC 2006
Bill Ensley wrote:
> This list won't allow me to attach the file.
>
> They didn't actually manage to get in, they just
> used my uploader to upload the file.
>
> I just wanted to know if anyone knows what it is.
>
> I did find it elsewhere on the internet; it is called
>
> Bab.php

If it's the one linked #1 on Google for "bab.php" then sure, it's dangerous.
It's basically a Swiss knife backdoor that - once activated - tries a bunch of
known vulnerabilities and sets up show for you. It doesn't try any rootkit-ish
type of things, but most zombie networks don't care about root - only about
getting a network connection up to establish a connection.
( http://www.neurotransmitter.net/wiki/tiki-download_file.php?fileId=15 )
Having one of these on your webserver is not the end - the script may not have
been activated or used yet (only uploaded), but you should carefully monitor
network connections and integrity of your network tools. A good audit is required.
Auke