A few days ago one of my webhosting customers had their FTP login compromised, and the attacker modified his index.php file to include some extra code; roughly twelve thousand other bots have been trying to access it via a POST operation since then.
I'm okay at PHP, but no genius. From what I've been able to garner, it takes the (encrypted) data included in the POST, decrypts it together with the contents of another file left behind on the host, and sends a response packed into an HTTP 503 header.
From the behavior, I get the feeling this system was set up as a control host for a botnet.
I've managed to save a copy of the PHP code as well as a packet capture of one of the bots trying to POST after I'd already deactivated the site... But now what do I do with it? I don't have the time or expertise to further analyze the damn thing myself. What groups should I forward the lot to?
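One thing worth doing before handing the material over is to pull the bot traffic out of the web server's access log, since the pattern described above (POSTs to index.php answered with a 503) is easy to match and the resulting list of source IPs, timestamps and user agents is exactly what an abuse desk or CERT will ask for. The script below is an added example and is not code from the original post or from anyone replying to it. It assumes the log is in Apache/nginx combined format and in chronological order; the log lines it contains are constructed for illustration (RFC 5737 placeholder addresses, made-up dates), not taken from the compromised host.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). These are NOT
# from the original post; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2014:03:14:07 +0000] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
198.51.100.23 - - [12/May/2014:03:14:09 +0000] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/May/2014:03:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2014:03:16:30 +0000] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
192.0.2.9 - - [12/May/2014:03:17:12 +0000] "POST /index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, path="/index.php", status="503"):
    """Collect per-source-IP statistics for POST requests to `path` that were
    answered with `status`. Assumes log lines are in chronological order, so
    the first and last matching timestamps bound the activity window."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        if rec["method"] != "POST" or rec["path"] != path or rec["status"] != status:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
        h["user_agents"].add(rec["ua"])
    # Freeze sets into sorted lists so the result is plain data for a report.
    return {ip: {**h, "user_agents": sorted(h["user_agents"])} for ip, h in hits.items()}


def summary(hits):
    """Aggregate counts for a report: distinct sources and total matching requests."""
    return {
        "distinct_ips": len(hits),
        "total_requests": sum(h["count"] for h in hits.values()),
        "top_sources": sorted(hits, key=lambda ip: hits[ip]["count"], reverse=True),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, h in result.items():
        print(f"{ip}: {h['count']} POSTs, {h['first']} .. {h['last']}, UA={h['user_agents']}")
    print(summary(result))
```

The GET on the same file and the POST that got a 200 are deliberately left out, so the output only contains traffic that fits the backdoor's request/response pattern; on a real log, the distinct-IP count and the sorted source list are the parts to include alongside the hashes of the saved PHP file and the pcap when reporting.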