Attackers targeting a flaw patched in 2012 are looking to build a botnet

In 2012, researchers discovered a flaw in some PHP builds that would enable a remote attacker to execute commands on the server if PHP was configured as a CGI script (PHP-CGI) at the time. Now, it's being used again to propagate a botnet and mine for Bitcoins.

Scanning for said flaw was easily automated, and the issue has been linked to various attacks several times over the years. This week, following a spike back in August, researchers at Trustwave noticed an uptick in attacks targeting the PHP-CGI flaw, and the endgame is the installation of BoSSBoTv2.

The malware is a botnet script, and the fact that it's been coded in C is a bit of a unique twist on the common botnet developments, which are often written in Perl or PHP.

In August, after honeypots detected automated scans targeting the PHP-CGI vulnerability, one researcher discovered an ad online offering the full source code to BoSSBoTv2 to the highest bidder. It isn't clear if someone bought the code, but several weeks later the malware was circulating again. If the server is vulnerable to the PHP-CGI issue, the attacker will attempt to install both 64-bit and 32-bit software. There are no OS checks, so the automation simply attempts both to see what sticks.

The target in this case isn't home users, but businesses that rent their servers (dedicated web hosting or VPS hosting) or co-locate them. The reasoning is simple: enterprise servers have stronger processing power and are connected to faster pipes, offering speeds of up to 100Mbps or more in some cases. Once installed, the malware enables the attacker to control the servers directly via remote shell or IRC.
The IRC aspect is the main selling point for the software, as it's promoted as a botnet tool (for DDoS), but with the additional feature of Bitcoin mining, since the servers have the processing power. Fees for BoSSBoTv2 are $125 for lifetime updates, or $25 for the basic package, but upgrades will be extra. Currently, there isn't much detection coverage on the latest binaries used in the attack [Example 1] [Example 2].

Administrators are advised to look for strings that contain POST variables that are Base64 encoded and that result in anything other than a 404 error. The discovery of such log messages could be an indicator of compromise. The following directories are being targeted during the automated scans:

/cgi-bin/php
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php.cgi
/cgi-bin/php-cgi
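As an added illustration of the log check the article recommends (this is not Trustwave's or the article's own code), the following Python script walks web-server access-log lines, reports any request to the five scanned paths that did not end in a 404, and rates POST requests whose query string carries a Base64-looking token highest. The combined log format, the constructed sample lines and the 16-character token threshold are assumptions.

```python
import base64
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Directories the article says the automated scans target.
TARGET_PATHS = {"/cgi-bin/php", "/cgi-bin/php4", "/cgi-bin/php5",
                "/cgi-bin/php.cgi", "/cgi-bin/php-cgi"}
# Assumed common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A run of 16+ Base64-alphabet characters with optional '=' padding (threshold is an assumption).
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def is_base64(token: str) -> bool:
    """True if the token decodes strictly as Base64 (stray characters are rejected)."""
    raw = token.rstrip("=")
    try:
        base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def classify(line: str) -> Optional[dict]:
    """Return a finding for a line matching the article's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    status = int(m.group("status"))
    if path not in TARGET_PATHS or status == 404:
        return None  # a 404 means the probe found nothing; only answered probes matter
    b64 = any(is_base64(t) for t in B64_TOKEN.findall(unquote(query)))
    level = "high" if m.group("method") == "POST" and b64 else "medium"
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": status, "base64_query": b64, "level": level}

def scan(lines: Iterable[str]) -> List[dict]:
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic); the second carries a Base64 token in its query.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2014:03:12:07 +0000] "POST /cgi-bin/php?d=c29tZSBjb25zdHJ1Y3RlZCBkYXRh HTTP/1.1" 200 1',
    '198.51.100.9 - - [10/Oct/2014:03:12:08 +0000] "POST /cgi-bin/php5 HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Oct/2014:03:12:09 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 200 77',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so a Base64-encoded POST body is not visible here; inspecting bodies needs a WAF or mod_security audit log.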