Dear Christopher,
Yep, you are correct. The attack is quite old, we have indeed been
seeing isolated cases in the course of our research. But what is quite
peculiar is the sudden increase in these and other related attacks.
The attacks have jumped quite considerably the past few weeks,
particularly since the later part of December. Do you have any more
theories on the spiders that you mentioned? It would be really
intresting to study this further.
Thanks,
Ryan
2006/1/15, Christopher Kunz <chrislist@de-punkt.de>:
Mark Ryan del Moral Talabis schrieb:
We have been receiving multiple attacks directed towards the popular
open source portal and content management system, Mambo. The attacks
makes use of the "mosConfig_absolute_path" file inclusion
vulnerability of certain unpatched versions of the said application.
In this case, a possibly malicious file called "micu" is downloaded in
the process of the attack.
Full analysis:
http://www.philippinehoneynet.org/data.php
I'd say this is fairly old news. We have been seeing these attacks since
shortly
after the advisory for the hole. micu is just your standard ddos/backdoor tool
and the kids using it are mostly romanian and from south america.
What worries me more is that we are also seeing a massive increase in
non-application-specific PHP inclusion attacks. Seems like there are several
spiders that just try injecting http://-style URLs into any URI parameter they
see on a given domain.
--ck
--
http://www.de-punkt.de [ chris@de-punkt.de ] http://www.stormix.de
PHP-Anwendungen sind gefährdet! SQL-Injection, XSS, Session-Angriffe,
CSRF, Commandshells, Response Splitting,... böhmische Dörfer? Dann gleich
"PHP-Sicherheit" direkt beim Verlag vorbestellen!
http://www.php-sicherheit.de/
-------------------------------------------------------------------------
This List Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
-------------------------------------------------------------------------
This List Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
