IBM SOC detected an active attack attempting to infect several web servers and make them part of a botnet. The attack, which was active over the weekend but began to taper off earlier this week, attempts to exploit an older vulnerability in PHP. It works by attempting to connect to port 80 (web) on a targeted IP and injecting a shell command which, if successful, allows the malware to infect the victim's system. The original attack appeared to originate from the IP addresses 72.26.194194.138, 31.204152.37, and 83.7575200.