[Dshield] FW: Outpost24 Public Security Note: Linux/Elxbot

Paul Marsh pmarsh at nmefdn.org
Tue Dec 6 17:11:23 GMT 2005


-----Original Message-----
From: David Jacoby [mailto:dj at outpost24.com]
Sent: Monday, December 05, 2005 3:21 PM
Subject: Outpost24 Public Security Note: Linux/Elxbot

  _______         __                         __    ______  _____
|       |.--.--.|  |_ .-----..-----..-----.|  |_ |__    ||  |  |
|   -   ||  |  ||   _||  _  ||  _  ||__ --||   _||    __||__    |
|_______||_____||____||   __||_____||_____||____||______|   |__|
  Public Security Note |__|   http://www.outpost24.com

Mambo is a dynamic portal engine and content management system.
The software is written in PHP. A security researcher who goes by
the alias rgod released an exploit for the "register_globals"
Emulation Layer Overwrite vulnerability, and just a few days after the
vulnerability was released, increased attacks against it were
observed. The increased traffic is due to a worm which is currently in
the wild.

Linux/Elxbot is a backdoor for the Mambo vulnerability. It searches
Google for vulnerable targets. Once it infects a computer it connects
to a predetermined IRC server, where the attackers wait and can gain
access to the infected computer. The attackers may also perform
various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a Perl script which allows
the attacker to create a backchannel and spawn a shell on the infected
computer with the same privileges as the running webserver.
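The two behaviours the note describes, a bot process running under the webserver's own account and an outbound IRC connection from that account, are both visible to a host administrator in the process and socket tables. The following Python script is an added example for this forward, not part of the Outpost24 note or of any Outpost24 tooling; it parses constructed `ps -eo user,pid,comm,args` and `ss -tnp` style output (the sample lines, the `www-data` user, the `apache2`/`httpd` binary names and the 6660-7000 IRC port range are all assumptions) and flags processes and connections that do not belong to normal web serving.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of `ps -eo user,pid,comm,args`
# (not captured from a real host; PIDs and paths are made up).
SAMPLE_PS = """\
USER       PID COMMAND         COMMAND
root         1 init            /sbin/init
root       812 apache2         /usr/sbin/apache2 -k start
www-data   901 apache2         /usr/sbin/apache2 -k start
www-data   902 apache2         /usr/sbin/apache2 -k start
www-data  1337 perl            perl /tmp/.x/bot.pl
www-data  1340 sh              sh -c /tmp/.x/run.sh
postfix    650 qmgr            qmgr -l -t unix -u
"""

# Constructed sample in the shape of `ss -tnp` (established sockets only).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      192.0.2.10:80        198.51.100.7:51234   users:(("apache2",pid=901,fd=12))
ESTAB  0      0      192.0.2.10:44120     203.0.113.5:6667     users:(("perl",pid=1337,fd=3))
ESTAB  0      0      192.0.2.10:44121     203.0.113.9:443      users:(("perl",pid=1337,fd=4))
"""

Proc = namedtuple("Proc", "user pid comm args")
Conn = namedtuple("Conn", "local_port peer peer_port comm pid")

PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
SS_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+),'
)


def parse_ps(text):
    """Parse `ps -eo user,pid,comm,args` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        m = PS_RE.match(line)
        if m:
            procs.append(Proc(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return procs


def parse_ss(text):
    """Parse established-socket lines from `ss -tnp`; other lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            conns.append(Conn(int(m.group(2)), m.group(3), int(m.group(4)),
                              m.group(5), int(m.group(6))))
    return conns


def rogue_webserver_processes(procs, web_user="www-data",
                              web_binaries=("apache2", "httpd")):
    """Processes owned by the webserver account whose executable is not the
    webserver itself, e.g. an interpreter or shell spawned through the web app."""
    return [p for p in procs if p.user == web_user and p.comm not in web_binaries]


def suspicious_outbound(conns, procs, web_user="www-data",
                        listen_ports=(80, 443), irc_ports=range(6660, 7001)):
    """Established sockets held by webserver-account PIDs that are not serving one
    of our own listening ports. Any such socket is outbound from the web tier;
    peers in the assumed IRC port range are called out explicitly."""
    web_pids = {p.pid for p in procs if p.user == web_user}
    findings = []
    for c in conns:
        if c.pid in web_pids and c.local_port not in listen_ports:
            reason = ("outbound to IRC port range" if c.peer_port in irc_ports
                      else "unexpected outbound connection")
            findings.append((c, reason))
    return findings


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in rogue_webserver_processes(procs):
        print(f"rogue process pid={p.pid} comm={p.comm} args={p.args!r}")
    for c, reason in suspicious_outbound(parse_ss(SAMPLE_SS), procs):
        print(f"pid={c.pid} ({c.comm}) -> {c.peer}:{c.peer_port}: {reason}")
```

On a live host the same two functions can be fed `subprocess.check_output(["ps", "-eo", "user,pid,comm,args"])` and `ss -tnp`; the check deliberately treats every non-listening socket of the web account as a finding, because a correctly configured web tier normally has none, and narrows the verdict rather than the detection for the IRC case.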

A detailed profile is available for Outpost24 members. For more
information please visit our webpage at http://www.outpost24.com

Download the latest version from the official Mambo homepage or download
the specific patch for this vulnerability.


The backdoor was analyzed by David Jacoby at Outpost24 Security

