[87547] in North American Network Operators' Group
Re:Destructive botnet originating from Japan
daemon@ATHENA.MIT.EDU (chuck goolsbee)
Sun Dec 25 12:19:35 2005
In-Reply-To: <0A2E92C3-5B3A-4300-86F1-62E33670330C@prolexic.com>
Date: Sun, 25 Dec 2005 09:19:04 -0800
To: nanog@merit.edu
From: chuck goolsbee <chucklist@forest.net>
Errors-To: owner-nanog@merit.edu

>Well it appears that bad code always seems to be the root of
>problems, according to our research today the problem appears to be
>caused by incorrectly written PHP applications that perform includes
>using a string without running any validation against the string:

The truly frightening thing about an exploit using PHP is that the
"bad code" can be as much user-generated as it is
developer-generated. In other words, the clueless webmaster who
copy/pastes code can unwittingly lead to the compromise of a server
that s/he has even very limited user-level access on.

That and the vast variation of PHP versions we see still in use on
various colo servers.

Another year, yet another variation of whack-a-mole.

--chuck goolsbee
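
The include pattern described in the quoted text, next to an allowlist-based form, as an added example that is not part of the original thread. The page names, file names and the `resolve_page` helper are hypothetical, and the sample inputs are constructed.

```php
<?php
// Vulnerable pattern described in the quoted text (comment only, not executed):
//   include($_GET['page']);   // request string goes straight into include

// Hardened form: the request value only selects a key in a fixed allowlist.
// Page names and file names below are hypothetical.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    // Strict key lookup: anything not listed is rejected before any path is built
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside the base directory
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding the two allowed pages
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/home.php", "<?php echo \"home page\\n\";");
file_put_contents("$dir/contact.php", "<?php echo \"contact page\\n\";");

// Constructed sample inputs: two valid names, then values that must be refused
$samples = ['home', 'contact', '../../etc/passwd', 'http://example.invalid/x.txt', ''];
foreach ($samples as $s) {
    $file = resolve_page($s, $dir);
    if ($file === null) {
        echo 'rejected: ' . var_export($s, true) . "\n";
    } else {
        include $file;   // only ever a path taken from PAGES
    }
}

// Remove the demo files
unlink("$dir/home.php");
unlink("$dir/contact.php");
rmdir($dir);
```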