/v3-uk/news/1972393/linux-worm-mambo-php
20 Feb 2006, Iain Thomson, V3
Security experts today warned of a Linux network worm that exploits holes in the Mambo content management system and the PHP XML-RPC library.
Dubbed Mare.D, the worm leaves multiple backdoors on infected systems. Two of these are connectback shell backdoors that link to a remote host, while a third allows the malware's writer to access and control infected systems via IRC.
"The main component of the Mare.D worm is written in C and compiled with the GNU C compiler," said F-Secure researcher Gergely Erdelyi.
The worm scans for vulnerable systems automatically and installs a small shell script which downloads the rest of the malware.
The vulnerabilities in Mambo and the PHP XML-RPC library are both rated as 'highly critical' by vulnerability testing group Secunia, but patches are available for both.
Do you agree?
Where do these idiots do their research?
It's really annoying to read news posted by a misinformed alarmist.
Iain: find your real call in life... this is not for you.
Posted by Mark Bench, 21 Feb 2006
... one year after it has been patched!
Yes a real nightmare....
This was patched in mambo v4.5.2.1 (19-Feb-2005) released one year ago.
The Secunia advisory you mention is from 2005-02-21.
PHP doesn't recommend "register_globals" enabled since at least 4 years ago (php 4.2.0 defaults it to off).
Even XML-RPC for PHP 1.x was patched 2005-06-30 against the flaw this worm tries to exploit (v1.1.1 clear).
Poor little worm... one year late.
Posted by Pedro Marques, 21 Feb 2006
NOT A LINUX EXPLOIT AT ALL!!!!!
This is a PHP and Mambo issue. Not Linux. Would you call a Realplayer vulnerability a Windows vulnerability? No. This smells of the usual Microsoft FUD campaign to try to undermine Linux. Keep in mind that this is old news, is already fixed, and also affects Windows machines as well. Bad reporting.
Posted by da truth, 22 Feb 2006
While we appreciate the pun...
...an exploit for a year-old vulnerability in an application run by very few people is not exactly going to cause screaming crowds to surge through the streets, looting and pillaging as they go.
I thought for a second there that I might finally have had some security work to do, but no, the spoilsport automatic updates fixed one half of the exploit almost a year ago, and the other half over six months ago. It looks like we're going to have to borrow some l33t h4xx0rZ from MS-Windows-land if we want any excitement around here.
Posted by Leon Brooks, 21 Feb 2006
1 year later, not bad :-)
This vulnerability was fixed one year ago. Please check twice before publishing.
Posted by tim patricks, 21 Feb 2006
Could be a real fantasy
Extremely untimely alarmist article. This has been fixed for months in both Mambo and in PHP. I don't get why this even got coverage, much less a subtitle like "Could be a real nightmare."
Posted by ray_gto, 21 Feb 2006
Not in the Same Category
Technically this could be considered to be an Errant Program Work of sorts. This is not reflective of the underlying security mechanisms of the Linux kernel however.
Implying that this is a Linux worm is like saying that a work/errant application in TurboTax is an error in a Microsoft platform.
Just because the work was constructed with the GNU compiler means little.
For example I can compile using GCC on Windows as well.
Again, VNU needs to be really careful about what it associates with an OS and what it associates with an application.
This so-called 'worm' could potentially manifest itself on a BSD based platform such as FreeBSD or Mac OSX for example.
Posted by Nicholas Donovan, 21 Feb 2006
Linux worm, eh?
If I am not mistaken, this is NOT NEWS. This vulnerability was patched two PHP releases ago. Most users of FOSS are far more vigilant than Windows users about staying updated. You'd have to be running YEAR-OLD versions for this to even register on the radar. While year-old software is usually "current" in the Microsoft arena, FOSS is usually far more timely about fixing vulnerabilities and publishing upgrades.
Posted by penguinista, 21 Feb 2006
Old virus and not just Linux
It's XML-RPC for PHP 1.x.
Most have updated, if not they should. Also it affects Windows as well. Title is incorrect and based on bad reporting skill set.
Posted by Zip A dee do da, 21 Feb 2006
????
It is one year ago!
Secunia Advisory: SA14337 Print Advisory
Release Date: 2005-02-21
Last Update: 2005-02-25
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Mambo 4.x
Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.
CVE reference: CAN-2005-0512
Posted by Thorsten Stettin, 21 Feb 2006
So now they're gonna say
So now they're gonna say that linux is insecure 'cause there's a worm for it too.
If only people would understand that just 'cause the php people can't get their security straight (proven again and again), there are plenty of people who don't even use php.
npj
Posted by npj, 20 Feb 2006
Journalistic Sensationalism
Journalistic Sensationalism Typical Poor Reporting Without checking the facts first. Must have run out of articles to report.
Posted by M H, 21 Feb 2006