[Dshield] Can Someone Decipher This Log Entry?
David Cary Hart
DShield at TQMcube.com
Thu Dec 22 14:40:55 GMT 2005
On Thu, 22 Dec 2005 11:30:34 +0100
Stephane Grobety <security at admin.fulgan.com> opined:
> Hello David,
> I've masked part of the IP you provided in your message, just in case
> in case. It's a bit silly considering you didn't do the same, but,
> well, it does no additional harm...
> it looks like that this is an attempt to exploit a flaw in the Mambo
> content management software (looks like it's this one:
> If the exploit succeeds, it will try to wget a file called "micu" from
> XXX.136.48.69 into the /tmp folder and execute it.
> At this moment, that server is still serving the file so I checked it.
> What it does is try to download and execute two more files: "mare" and "ro"
> "mare" isn't available on the remote server but "ro" is. it looks like
> an ELF executable. Now, I'm not a specialist of that file format so
> I may be completely wrong here but this looks like a Linux x86
> executable file. It seems to link the /lib/ld-linux.so.2 library and
> import a bunch of functions that you expect from a IP server program.
> It also contains a number of strings that indicates that it might try
> to contact an IRC server (*.undernet.org). It also has a nice internal
> help that is probably intended to be used by the attacker:
Thank you for your very thorough exploit excursion. If I understand this
correctly, if somehow successful, this creates a zombie out of a Linux machine.
I have nmapped dozens of zombies. So far, they have all been Windows machines.
Scary stuff. BTW, what really concerns me is that the pipes are getting bigger.
We have seen - so far - about fifty compromised FIOS connected machines.
15-Mbps/2-Mbps for about 45 bucks/mo and any nitwit can rape, plunder and
pillage the 'net.
Our DNSRBL -
Eliminate Spam: http://www.TQMcube.com/spam_trap.php
Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
More information about the list