This section describes an instance of the Mambo exploit observed on out honeynet. The hosts involved in the attack are:
The following activity was logged by Apache during the attack:
The GET request is an attempt to exploit a Mambo remote file-include vulnerability to execute http://66.98.a.a/cmd.txt on the victim host. Despite the extension .txt, the URL specifies a PHP script rather than a text file. The vulnerable code in Mambo is as follows:
This simply includes the file the attacker wants and ignores the filename after the '?' character. The included code then attempts to execute the operating system commands specified by the cmd= parameter in the original HTTP request. (Successful exploitation of this vulnerability requires the allow_url_fopen configuration directive to be on.) The Philippine Honeynet Project have analysed an incident in which this script 'cmd.txt' appears: "Defacing Tool 2.0 by r3v3ng4ns" is a suite of php based scripts that allows the attacker to send commands to the server primarily with the intent to
deface web sites.". In our experience the script is often used to download further malware using wget/curl, or to test for the presence of vulnerable scripts by attempting commands such as 'id' or 'uname'. It seems that the script can also be uploaded to PHP/Apache servers to provide an easily accessible set of utilities for executing commands, searching for files. This will only be an issue if the web server allows the upload of PHP scripts to the web root. The command that was parsed out is as follows:
Five distinct hosts have participated in the attack up to the point that this command is executed
This script is dc.txt, a simple connect-back shell written in Perl:
The behavior of this script was studied on a virtual machine. The script downloaded and executed another Perl program, the IRC bot variant PERL/Shellbot. This joined a particular IRC channel and waited for commands.