Mambo worm in the wild

Kauft das PHP-Sicherheitsbuch!

Dritte Auflage
Jetzt das eBook bestellen!
~~€ 36,00~~
Als eBook nur € 28,99!

Links

(Profil nur für Xing-Mitglieder sichtbar)
VServer Hosting
@christopherkunz

Pages

Frontpage
About Christopher Kunz
Kontaktformular

Syndicate This Blog

Tuesday, December 6. 2005

Well, it wasn’t totally unexpected, I guess. The recently discovered remote code execution hole in Mambo has spawned a nifty little worm, called “Elxbot”. I actually referred to the (then still fairly unknown) vulnerability and to the possibility that it might be abused by worm writers in my talk at the last PHP Conference. There is a number of reasons this had to happen:

1. Trivial exploit, just like XMLRPC et al.

2. Victims easily obtainable via automated Google (either “inurl:option=com_” or just “powered by Mambo”)

3. very large install base

I am already expecting a similar outbreak for the PHPKIT holes I recently reported. It has all of the features that I outlined above, although the install base is probably somewhat limited to german users (and there, mainly to gaming clans). Seeing this, I didn’t actually publish a PoC for the remote code execution hole, but it is somewhat trivial to find and exploit anyway. So, Counter-Strike players, prepare for a bomb that is placed on your website soon, and please patch your PHPKIT installation.

At least, phpkit.de seems not to be vulnerable, although I NEVER had any official vendor response. Way to go, folks.

Posted by Christopher Kunz in PHP at 10:27 | Comment (1) | Trackback (1)

Trackbacks

Trackback specific URI for this entry

Mambo worm in the wild - Absyntholog
Mambo worm in the wild PHP Well, it wasn’t totally unexpected, I guess. The recently discovered remote code execution hole in Mambo has spawned a nifty little worm, called “Elxbot”. I actually referred to the (then still fairly unknown) vulnerability

Weblog: Func. News
Tracked: Dec 06, 13:10

Comments

Display comments as (Linear | Threaded)

So it is true.. I started noticing the hits from one or two sites im my log file earlier in december. I dont have a Mambo site installed , but google still has a bunch of records which would be targeted.

I wrote a little script then to prevent them from wasting to much bandwith on my new site as i figured it was just a script kiddie.
I checked the logs again ealier today and noticed that about every second hit was one of them.

So I wrote a new script to go trough the log files and grab the ip’s of the servers maing the requests, it then adds the ip’s to my htaccess file. I’ve posted it up on my site.

Emerica
http://www.projectxnetwork.com

#1 Emerica (Homepage) on 2006-01-07 00:04 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry