Well, it appears that bad code always seems to be the root of
problems. According to our research today, the problem appears to be
caused by incorrectly written PHP applications that perform includes
using a string without running any validation against the string:
The truly frightening thing about an exploit using PHP is that the
"bad code" can be as much user-generated as it is
developer-generated. In other words, the clueless webmaster who
copy/pastes code can unwittingly lead to the compromise of a server
that s/he has even very limited user-level access on.
That and the vast variation of PHP versions we see still in use on
various colo servers.
Another year, yet another variation of whack-a-mole.
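
The include pattern described above, next to a validated form, as an added example that is not code from the original post. The `page` parameter, the `pages/` directory and the file names are assumptions made for illustration.

```php
<?php
// Added example: the 'page' parameter, pages/ directory and file names are hypothetical.

// The unvalidated pattern the post describes (commented out, shown for contrast):
//   include $_GET['page'];
// The request string goes straight into include, so the caller picks the file.
// allow_url_include=Off in php.ini blocks remote URLs here, but not local paths.

// Hardened form: the request value is only ever used as a key into a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    // Accept exact allowlist keys only; the request value is never part of a path.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve inside $baseDir
    // (catches a symlink or a bad allowlist entry pointing elsewhere).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x arrives as an array, so check the type before use.
$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$file = resolve_page($requested, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```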