
I don’t believe it!

I just decided to step away a little bit from being Admin for the biology and focus my attention more on the studies. For 2 weeks now I have done nothing for the servers anymore, just watching them do the scheduled backups and copying them over to my PC every week…

Today the IT department calls me on my mobile, informing me that the server has been taken over by someone and was therefore disconnected from the internet till it is fixed and the vulnerability is patched.


It turned out that it is an exploit of the Mambo content management system in combination with PHP and MySQL that allows any person to run code on a defaced system. Seems that Linux is not the “safe haven” of the internet concerning worms and viruses anymore… :( The more user-friendly it gets, the more vulnerabilities will show up.

For all of you running portals using MySQL and PHP (e.g. Mambo / Joomla! / WordPress / blogging), get patches immediately! Anyone using the exploit can gain wwwrun permissions easily and execute all kinds of shell commands remotely.

The whole thing is now called a Mambo-worm and it is spreading fast.

Linux/Elxbot is a backdoor for the Mambo vulnerability. It searches Google for vulnerable targets. Once it infects a computer it connects to a predetermined IRC server, where the attackers wait and can gain access to the infected computer. The attackers may also perform various tasks such as:

* Execute arbitrary commands
* TCP flood
* HTTP flood
* UDP flood
* Search Google for more vulnerable targets
* Portscan

On certain systems it will also download a perl script which will allow the attacker to create a backchannel and spawn a shell on the infected computer with the same privileges as the running webserver.
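The two behaviours described above (the bot phoning home to an IRC server, and a Perl backchannel shell running under the web server's account) leave a visible trace on the host: a process owned by the web server user that is an interpreter or shell and holds a network connection to something other than a client's HTTP request. The following is an added example, not code from the original post or from any antivirus vendor: it parses snapshots in the format of `ps -eo user,pid,ppid,comm` and `ss -tnp` output and flags such processes. The sample snapshots, the user name `wwwrun` (the SUSE Apache account mentioned in the post) and the IRC port 6667 are constructed for the example; the worm's real IRC server and port are not given on this page.

```python
"""Flag web-server-account interpreters that hold unexpected network connections.

Added example (not from the original post). Heuristic: a shell or script
interpreter owned by the web server user with an established TCP connection to a
port other than 80/443 is a strong indicator of a spawned backchannel or bind
shell. Legitimate CGI scripts normally talk only to the web server over pipes.
"""
import re
from dataclasses import dataclass

# Web server accounts on common distributions (wwwrun is SUSE's, as in the post).
WEB_USERS = {"wwwrun", "www-data", "apache"}
# Interpreters/shells a dropped backchannel script would typically run under.
INTERPRETERS = {"perl", "sh", "bash", "python"}
# Remote ports a web-server-owned process may plausibly talk to (e.g. a proxy).
ALLOWED_REMOTE_PORTS = {80, 443}


@dataclass(frozen=True)
class Process:
    user: str
    pid: int
    ppid: int
    comm: str


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output into {pid: Process}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = Process(user, int(pid), int(ppid), comm)
    return procs


def parse_ss(text):
    """Parse `ss -tnp` output into {pid: set(peer_port)} for ESTAB sockets."""
    conns = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer = fields[4]                      # e.g. 198.51.100.5:6667 or [::1]:6667
        port = int(peer.rsplit(":", 1)[1])
        for pid in re.findall(r"pid=(\d+)", fields[5]):
            conns.setdefault(int(pid), set()).add(port)
    return conns


def find_backchannels(ps_text, ss_text):
    """Return [(pid, comm, [suspicious peer ports])] for web-user interpreters
    with connections to ports outside ALLOWED_REMOTE_PORTS. An inbound
    connection (ephemeral peer port) to such a process is flagged as well,
    since a bind shell looks exactly like that."""
    procs = parse_ps(ps_text)
    conns = parse_ss(ss_text)
    flagged = []
    for pid, proc in sorted(procs.items()):
        if proc.user not in WEB_USERS or proc.comm not in INTERPRETERS:
            continue
        odd_ports = {p for p in conns.get(pid, set()) if p not in ALLOWED_REMOTE_PORTS}
        if odd_ports:
            flagged.append((pid, proc.comm, sorted(odd_ports)))
    return flagged


# Constructed sample snapshots (not captured from a real incident).
PS_SAMPLE = """USER PID PPID COMMAND
root 1 0 init
root 812 1 httpd
wwwrun 815 812 httpd
wwwrun 816 812 httpd
wwwrun 4321 816 perl
wwwrun 4330 4321 sh
root 900 1 sshd
"""

SS_SAMPLE = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:80 203.0.113.7:51022 users:(("httpd",pid=815,fd=9))
ESTAB 0 0 192.0.2.10:43210 198.51.100.5:6667 users:(("perl",pid=4321,fd=3))
ESTAB 0 0 192.0.2.10:22 203.0.113.9:50110 users:(("sshd",pid=900,fd=4))
"""

if __name__ == "__main__":
    for pid, comm, ports in find_backchannels(PS_SAMPLE, SS_SAMPLE):
        print(f"suspicious: pid={pid} comm={comm} peer ports={ports}")
```

In the constructed sample the `perl` process owned by `wwwrun` with a connection to port 6667 is reported, while the `httpd` worker serving a client and the `sh` child with no socket of its own are not. On a live host the same check is run by feeding it `ps -eo user,pid,ppid,comm` and `ss -tnp` output; a hit is a reason to pull the machine off the network and image it, which is what the IT department in the post did.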