Public Security Note
http://www.outpost24.com

[BACKGROUND]

Mambo is a dynamic portal engine and content management system. The software is written in PHP.

A security researcher who goes by the alias rgod released an exploit for the "register_globals" Emulation Layer Overwrite vulnerability. Just a few days after the vulnerability was released, an increase in attacks against it was observed; the increased traffic is due to a worm which is currently in the wild.

[DESCRIPTION]

Linux/Elxbot is a backdoor that exploits the Mambo vulnerability. It searches Google for vulnerable targets. Once it infects a computer, it connects to a predetermined IRC server where the attackers wait and have the possibility to gain access to the infected computer. The attackers may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a Perl script which allows the attacker to create a back channel and spawn a shell on the infected computer with the same privileges as the running web server.

A detailed profile is available for Outpost24 members; for more information please visit our web page at http://www.outpost24.com

[SOLUTION]

Download the latest version from the official Mambo homepage, or download the specific patch for this vulnerability:

http://mamboforge.net/frs/download.php/7636/Mambo4523.security_fix.zip

[AUTHOR]

The backdoor was analyzed by David Jacoby at Outpost24 Security
http://www.outpost24.com
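As an added illustration of the vulnerability class named under [BACKGROUND] (this is constructed example code, not Outpost24's analysis and not Mambo's own source), the following PHP shows a "register_globals" emulation layer that copies request parameters into global scope, first in the overwritable form and then in a hardened form that refuses to let request input replace variables the application already defined. The variable name and request values are constructed for the example.

```php
<?php
// Constructed example of a "register_globals" emulation layer (not Mambo's code).
// Such layers were used to keep old code working once register_globals was Off.

// Overwritable form: every request key becomes, or overwrites, a global.
// Because the attacker controls $key, any already-defined global (for example
// a configuration path) can be replaced from the request.
function emulate_register_globals_vulnerable(array $request): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;
    }
}

// Hardened form: request data may only introduce new names, never overwrite
// variables the application has already defined, and never name a superglobal.
function emulate_register_globals_hardened(array $request): void
{
    static $reserved = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                        '_SERVER', '_ENV', '_FILES', '_SESSION'];
    foreach ($request as $key => $value) {
        if (!is_string($key) || in_array($key, $reserved, true)) {
            continue;                          // no superglobal smuggling
        }
        if (array_key_exists($key, $GLOBALS)) {
            continue;                          // existing globals are immutable from input
        }
        $GLOBALS[$key] = $value;
    }
}

// Constructed demonstration: a config variable set by the application, then a
// request that carries a parameter with the same name plus one new parameter.
$config_include_path = '/var/www/app/includes';             // set by the application
$request = ['config_include_path' => '/tmp/untrusted',       // constructed input
            'page'                => 'home'];

emulate_register_globals_hardened($request);
var_dump($config_include_path === '/var/www/app/includes');  // bool(true): untouched
var_dump($page);                                             // string(4) "home": new key allowed

emulate_register_globals_vulnerable($request);
var_dump($config_include_path);                              // string(14) "/tmp/untrusted": overwritten
```

The audit check that follows from this is simple: any loop that writes request keys into $GLOBALS, or any extract() over $_GET/$_POST/$_REQUEST without EXTR_SKIP, is an instance of the overwritable pattern and should be removed or replaced by explicit reads of the parameters the page actually uses.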