Archive for December, 2012

DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack on US banks.
The PHP script involved showed a “404” error when called without any

A closer look shows a “404 Not Foun derror”, WITH the typo in it.
Now we have a neat string to search for on Google or wherever,
and bingo: some other victim already posted the source code
from the infected webserver:


Here we can see that a POST action “stop” makes the DDoS go away:

// cmdexec() is a helper from elsewhere in the posted script
function stoped()
{
    cmdexec("killall ping;");
    print "Stop & Clean";
}

And here is where the typo sits:

// Requests without the right password or login session get the fake 404 page
if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{
print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request";
}
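
The strings quoted above can be used to sweep a webroot for copies of this script. The following is an added example, not code from the original post or from the script itself; the indicator names, the file extensions and the two sample files are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the script excerpts quoted in the post.
INDICATORS = {
    "typo_404": re.compile(r"404 Not Foun derror"),
    "triple_md5_pass": re.compile(r"md5\s*\(\s*md5\s*\(\s*md5\s*\(\s*\$_REQUEST\["),
    "login_session_key": re.compile(r"\$_SESSION\[\s*['\"]LoGiN['\"]\s*\]"),
}

def scan_text(text):
    """Return (line_number, indicator_name) pairs found in text, in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_webroot(root, extensions=(".php", ".phtml", ".inc")):
    """Walk root and map each matching file path to its indicator hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings

def demo():
    """Build a constructed webroot with one clean and one planted file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nprint '404 Not Found error';\n")
    with open(os.path.join(root, "stats.php"), "w") as fh:
        fh.write("<?php\nif(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and "
                 "$_SESSION['LoGiN']!=true)\nprint \"a 404 Not Foun derror was\";\n")
    return {os.path.basename(p): h for p, h in scan_webroot(root).items()}

if __name__ == "__main__":
    print(demo())
```

A correctly spelled "404 Not Found error" page does not match, so only files carrying the typo or the password gate are reported.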