Thu Feb 23 18:53:32 EST 2006

As I recall, the majority of distributed denial of service (DDOS) 
attacks are now coming from compromised servers (check Netcraft). 
Consider this scenario:

Programming "company" creates website offering a free script to the 
world. Maybe it's a PHP script. Maybe it's a forum, or a directory 
script, or maybe it's a mod to one of those. The site is in a 
less-regulated place with a TLD ending in 2 letters. The coders are 
identified by monikers. The "AboutUs" looks like one of those corporate 
templates we all love so much. The forum is full of "awesome dood... I 
need a script like this! But I can't get it to work!" followed by admin 
responses like "no problem. PM me and I'll help you" and then "thanks 
dude! you rock! It works great!"

What we didn't see was the passing of shell access from user to unknown, 
overseas coder. Even if that didn't happen, is the script full of 
cross-site or other injection opportunities? Sure it is. Free support 
for a free script running on a low-cost shared hosting plan = 
compromised server (or compromisable).
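An added illustration of the "injection opportunities" above, not code from the original post or from any particular free script: the shape a search page in a 2006-era free PHP forum script typically had, beside a hardened version. The parameter name, table name and sample rows are made up; the data lives in an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not from the original post). The request parameter,
// the "posts" table and its rows are hypothetical, constructed inline.

// --- Vulnerable: what a lot of free scripts shipped with ---
function render_search_vulnerable(string $q): string {
    // Reflected XSS: request input is echoed straight into the page.
    return "<h2>Results for " . $q . "</h2>";
}

function find_posts_vulnerable(PDO $db, string $q): array {
    // SQL injection: input is interpolated into the query text.
    $sql = "SELECT id, body FROM posts WHERE body LIKE '%" . $q . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened ---
function render_search_safe(string $q): string {
    // Escape for the HTML context, quotes included.
    return "<h2>Results for " . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . "</h2>";
}

function find_posts_safe(PDO $db, string $q): array {
    // Bound parameter: the input is data and never becomes part of the SQL.
    $stmt = $db->prepare("SELECT id, body FROM posts WHERE body LIKE ?");
    $stmt->execute(['%' . $q . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (in-memory SQLite, no server needed).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO posts (body) VALUES ('hello world'), ('need a script like this')");

// Hypothetical attacker inputs, as they would arrive in $_GET['q'].
$xss  = "<script>alert(1)</script>";
$sqli = "' OR '1'='1";

echo "vulnerable HTML: ", render_search_vulnerable($xss), "\n"; // script tag reaches the browser intact
echo "safe HTML:       ", render_search_safe($xss), "\n";       // tag is entity-encoded, rendered as text

echo "vulnerable rows: ", count(find_posts_vulnerable($db, $sqli)), "\n"; // WHERE clause rewritten, every row matches
echo "safe rows:       ", count(find_posts_safe($db, $sqli)), "\n";       // only rows literally containing the payload
```

Run it with `php example.php` (needs the pdo_sqlite extension). The vulnerable query becomes `... WHERE body LIKE '%' OR '1'='1%'`, so the `LIKE '%'` alone matches everything; the prepared version compares the payload as an ordinary string and matches nothing.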

Now after you see one of those blatantly exploitable free scripts 
gaining popularity, go file a report with Secunia or whomever. Unless 
you provide extensive details of the code and exploit potential, they 
won't publish it nor can they afford the time to look into it.

-=john andrews

