Outpost24 Public Security Note: Linux/Elxbot

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Outpost24 Public Security Note: Linux/Elxbot
From: David Jacoby <security@xxxxxxxxxxxxx>
Date: Mon, 05 Dec 2005 21:23:23 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Outpost24 Security
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)


 _______         __                         __    ______  _____
|       |.--.--.|  |_ .-----..-----..-----.|  |_ |__    ||  |  |
|   -   ||  |  ||   _||  _  ||  _  ||__ --||   _||    __||__    |
|_______||_____||____||   __||_____||_____||____||______|   |__|
 Public Security Note |__|   http://www.outpost24.com




[BACKGROUND]
Mambo is a dynamic portal engine and content management system.
The software is written in PHP. A computer researcher which goes
under the alias rgod released an exploit for the "register_globals"
Emulation Layer Overwrite vulnerability and just a few days after
the vulnerability was released increased attacks for this vulnerability
was monitored, the increased traffic is due to a worm which is
currently in the wild.



[DESCRIPTION]
Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search
on Google for vulnerable targets. Once it infects a computer it will
connect to a predetermined IRC server where the attackers will wait and
have the possibility to gain access to the infected computer. The attackers
may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a perl script which will
allow the attacker to create a backchannel and spawn a shell on
the infected computer with the same privileges as the running webserver.


A detailed profile is available for Outpost24 members, for more information
please visit our webpage at http://www.outpost24.com



[SOLUTION]
Download the latest version from the official Mambo homepage or
download the specific patch for this vulnerability.

http://mamboforge.net/frs/download.php/7636/Mambo4523.security_fix.zip




[AUTHOR]
Backdoor was analyzed by David Jacoby at Outpost24 Security
http://www.outpost24.com

Prev by Date: [security bulletin] HPSBUX01059 SSRT4704 Revised - HP-UX Running wu-ftpd Local Unauthorized Access
Next by Date: Buffer Overflow in MultiTech VoIP Implementations
Previous by thread: [security bulletin] HPSBUX01059 SSRT4704 Revised - HP-UX Running wu-ftpd Local Unauthorized Access
Next by thread: Buffer Overflow in MultiTech VoIP Implementations
Index(es):
- Date
- Thread