Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > December 2005 > Malicious Software Report Linux/Elxbot

December 2005

Malicious Software Report Linux/Elxbot

ID: 01073
Ref: 1007/2005
Date: 06 December 2005:12:47:39
Version: 1
Title: Malicious Software Report Linux/Elxbot
Abstract: Description of a Linux/Elxbot backdoor for a Mambo vulnerability.
_______ __ __ ______ _____
| |.--.--.| |_ .-----..-----..-----.| |_ |__ || | |
| - || | || _|| _ || _ ||__ --|| _|| __||__ |
|_______||_____||____|| __||_____||_____||____||______| |__|
Public Security Note |__| http://www.outpost24.com

[BACKGROUND]
Mambo is a dynamic portal engine and content management system.
The software is written in PHP. A computer researcher which goes
under the alias rgod released an exploit for the "register_globals"
Emulation Layer Overwrite vulnerability and just a few days after
the vulnerability was released increased attacks for this vulnerability
was monitored, the increased traffic is due to a worm which is
currently in the wild.

[DESCRIPTION]
Linux/Elxbot is a backdoor for the Mambo vulnerability. It will search
on Google for vulnerable targets. Once it infects a computer it will
connect to a predetermined IRC server where the attackers will wait and
have the possibility to gain access to the infected computer. The attackers
may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a perl script which will
allow the attacker to create a backchannel and spawn a shell on
the infected computer with the same privileges as the running webserver.


A detailed profile is available for Outpost24 members, for more information
please visit our webpage at http://www.outpost24.com

[SOLUTION]
Download the latest version from the official Mambo homepage or
download the specific patch for this vulnerability.

http://mamboforge.net/frs/download.php/7636/Mambo4523.security_fix.zip

[AUTHOR]
Backdoor was analyzed by David Jacoby at Outpost24 Security
http://www.outpost24.com
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |