Real Cases
Re: Re: Looking for information on logs from Mambo or Joomla Aug 24 2006 09:36AM
eaxc eax co za
Hi there,

I studied the mambo attack for a while!

The big problem with the source the attackers use is that one hacker can hack a site from another hacker using the same scripts!

i.e. if i successfully compromise a site and it is under my control another attacker would be able to take control of that host when the same script is executed by the other attacker. Thus, it makes it a cat and mouse game of who owns that system for a short period of time!

Once a few sites have been hacked the attackers connect to the irc server and connect as one of the administrators. (The names of these can be found in the scripts they use) Then they use those hacked hosts to DoS (UDP Flood) targets of their choice.

Anyone can connect to these irc servers as there are normally no authentication or security on these servers.

Once connected to the server you can change your nick to one of the admins (one that is not connected at the moment ;-) ) and execute a DoS on a target if you know the commands the irc server accepts.

The DoS command I got hold of are

!say @udpflood ip_address packet_size time_in_seconds

Then there is another command that will tell the hacked systems to search google for vulnerable hosts and exploit those holes if vulnerable!

I have large logfiles with information in them pertaining to this attack method.

All attacks was blocked with mod_security though!



[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus