
This is a discussion on Linux worm turns on Mambo and PHP in the Open Discussion & Chit-chat forum

  1. #1
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775

    Linux worm turns on Mambo and PHP

    Full story: http://www.vnunet.com/vnunet/news/21...nux-worm-loose

    Security experts today warned of a Linux network worm that exploits holes in the Mambo content management system and the PHP XML-RPC library.

    Dubbed Mare.D, the worm leaves multiple backdoors on infected systems. Two of these are connectback shell backdoors that link to a remote host, while a third allows the malware's writer to access and control infected systems via IRC...

    The vulnerabilities in Mambo and the PHP XML-RPC library are both rated as 'highly critical' by vulnerability testing group Secunia, but patches are available for both.
    Could be a real nightmare!


    Extra credit:

    http://www.f-secure.com/v-descs/mare_d.shtml

    http://secunia.com/advisories/14337/

    http://secunia.com/advisories/15852/
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  2. #2
    Wookiee JPC-Les's Avatar
    Join Date
    May 2002
    Location
    The Exogorths belly
    Posts
    1,265
    I've double checked and our servers have been upgraded to a secure version of XML_RPC lib a while back.
    (pm) | (email) Les, Chief Operations Officer


  3. #3
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Quote Originally Posted by Les
    I've double checked and our servers have been upgraded to a secure version of XML_RPC lib a while back.
    IIRC, they were upgraded after Vin alerted us to another threat in XML-RPC.

    Note to anyone using XML-RPC in their apps: Double check the various software packages to see if there is an update or any kind of further info to the apps you use. Even though the centralized version of the XML-RPC library has been upgraded, it is quite possible that the apps you use include their own copies of these libraries and run those instead of the centralized versions. In other words, just because the server has been upgraded does not mean that you're using the upgraded version.

    Note: XML-RPC is used in many blogs and CMS systems to allow remote authoring/administration from desktop apps. If you run this kind of software it is worth checking into, even if you don't use the feature.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
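
One way to run the check described in post #3, as an added example that is not part of the thread or of any JaguarPC tooling: inventory every XML-RPC library file under a web root and compare it byte for byte with the centrally upgraded copy. The filename list, the directory names and the use of a SHA-256 comparison are assumptions of this sketch; a copy that differs may be older or newer, so it still needs a version check against the app vendor's advisory.

```python
import hashlib
import os
import tempfile

# Filenames PHP XML-RPC libraries and endpoints commonly ship under.
# Assumed starter list, matched case-insensitively; extend it for your apps.
CANDIDATE_NAMES = {"xmlrpc.inc", "xmlrpcs.inc", "xmlrpc.php", "rpc.php"}

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_copies(root):
    """Return every file under root whose name looks like an XML-RPC library."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in filenames
                 if n.lower() in CANDIDATE_NAMES]
    return sorted(hits)

def audit(web_root, central_lib_dir):
    """Compare each copy under web_root with the centrally upgraded library."""
    central = {os.path.basename(p).lower(): sha256_of(p)
               for p in find_copies(central_lib_dir)}
    report = []
    for path in find_copies(web_root):
        name = os.path.basename(path).lower()
        if name not in central:
            status = "no-central-counterpart"   # app-specific file: check vendor
        elif sha256_of(path) == central[name]:
            status = "matches-central"          # same bytes as the upgraded copy
        else:
            status = "differs-from-central"     # bundled copy: check its version
        report.append((path, status))
    return report

if __name__ == "__main__":
    # Constructed sample tree: one central library and two apps bundling copies.
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "pear/XML/RPC.php": "<?php // constructed: upgraded central copy\n",
            "www/blog/lib/RPC.php": "<?php // constructed: older bundled copy\n",
            "www/cms/includes/xmlrpc.inc": "<?php // constructed: other library\n",
        }
        for rel, body in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        for path, status in audit(os.path.join(tmp, "www"), os.path.join(tmp, "pear")):
            print(f"{status:24} {os.path.relpath(path, tmp)}")
```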

  4. #4
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    Quote Originally Posted by jason
    Note: XML-RPC is used in many blogs and CMS systems to allow remote authoring/administration from desktop apps. If you run this kind of software it is worth checking into, even if you don't use the feature.
    Really. wow. If it's not sensitive info, what kind of RPCs can be called? Does this require specific access granted, similar to remote access for the MySQL server, or is it more open?

  5. #5
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    I haven't studied it much, but I know there are some third party clients that can access WordPress and similar blogs to create and edit posts. They're popular to some degree because they offer features like rich text editing and spell checking that's generally not offered by the blogging software itself. The actual procedures that they implement are limited to similar functions as you can do in the app's administrative/authoring interface.

    As far as access is concerned, access is made through an included script in the distro that is accessed through a normal HTTP connection. Security is handled by the application--you'd need the same username and password in the XML-RPC transaction as you would to access the normal web interface.

    --Jason

    Edit: Here's some info on the WordPress implementation of XML_RPC: http://codex.wordpress.org/XML-RPC_Support
    Last edited by jason; 02-21-2006 at 11:09 AM.
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
