Re: Mambo File Inclusion Attacks

[Christopher Kunz <chrislist () de-punkt de>]

Mark Ryan del Moral Talabis schrieb:
> We have been receiving multiple attacks directed towards the popular
> open source portal and content management system, Mambo. The attacks
> makes use of the "mosConfig_absolute_path" file inclusion
> vulnerability of certain unpatched versions of the said application.
> In this case, a possibly malicious file called "micu" is downloaded in
> the process of the attack.
>
> Full analysis:
> http://www.philippinehoneynet.org/data.php

I'd say this is fairly old news. We have been seeing these attacks since shortly
after the advisory for the hole. micu is just your standard ddos/backdoor tool
and the kids using it are mostly romanian and from south america.

What worries me more is that we are also seeing a massive increase in
non-application-specific PHP inclusion attacks. Seems like there are several
spiders that just try injecting http://-style URLs into any URI parameter they
see on a given domain.

--ck

-- 
http://www.de-punkt.de   [ chris () de-punkt de ]    http://www.stormix.de
PHP-Anwendungen sind gefährdet! SQL-Injection, XSS, Session-Angriffe,
CSRF, Commandshells, Response Splitting,... böhmische Dörfer? Dann gleich
"PHP-Sicherheit" direkt beim Verlag vorbestellen! http://www.php-sicherheit.de/

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------