22 February 2006

Mambo worm demonstrates hardening of Linux systems

“Linux worm turns on Mambo and PHP” opines Iain Thomson. Oh, woe, disaster, shades of CodeRed!


While it’s nice for admins to have something to do and all, and it reminds us slackers (Linux admins) that nothing is completely bulletproof, I have to express significant disappointment at the shallowness of the challenge. Why?

  • Mare.D relies upon a brace of exploits which are six and twelve months old, respectively. Any reasonably modern Linux distribution will competently self-update if told to do so. Even on a lazy once-a-week update cycle, this worm is eleven and three quarters months too late.
  • It relies upon Mambo. Who runs Mambo? None of my machines, none of any of my clients’ machines. This sucker’s playing to a very small audience. Mambo has a new security announcement; maybe next year we’ll see another worm for it? (-:
  • Even if Mambo were broken into, the exploit would download into a partition mounted “noexec” on all of my servers. GAME OVER EXPLOITER <1> and better luck next time.
  • The downloaded shell script requires access to a particular application — which may or may not be installed on any given system — to pull down the main part of the exploit.
  • The vulnerability requires PHP’s register_globals setting to be enabled, but it has been defaulted to off for the last four years.
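The two hardening measures credited above (a noexec partition for the download location and register_globals left off) are easy to audit. The script below is an added example, not part of the original post; it assumes the worm's download directories are /tmp and the web root, here /var/www, and it judges register_globals from php.ini text. The mount table and php.ini excerpt it runs against are constructed samples.

```shell
#!/bin/sh
# Added example: check the hardening the post relies on.
# Both inputs below are constructed samples, not from a real host.

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/www ext3 rw,nodev 0 0'

SAMPLE_PHP_INI='; php.ini excerpt (constructed)
register_globals = Off
display_errors = On'

# mount_has_noexec <mountpoint> <mounts-text>
# Returns 0 if the mount point carries the noexec option, 1 otherwise.
# The text is in /proc/mounts format: device mountpoint fstype options ...
mount_has_noexec() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# register_globals_off <php.ini-text>
# Returns 0 if register_globals is off or absent (PHP defaults it off),
# 1 if a live (non-comment) line turns it on.
register_globals_off() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*;/ { next }   # skip commented-out lines
        tolower($0) ~ /^[[:space:]]*register_globals[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # keep only the value
            v = tolower($0)
            sub(/;.*$/, "", v)                # drop trailing comment
            gsub(/[[:space:]]/, "", v)
            if (v == "on" || v == "1" || v == "true" || v == "yes") enabled = 1
        }
        END { exit enabled ? 1 : 0 }'
}

# audit_host <mounts-text> <php.ini-text>
# Prints one line per check and returns the number of failed checks.
# Assumption: /tmp and /var/www are where a download would land.
audit_host() {
    fails=0
    for mp in /tmp /var/www; do
        if mount_has_noexec "$mp" "$1"; then
            echo "ok    $mp is mounted noexec"
        else
            echo "WARN  $mp is NOT mounted noexec"
            fails=$((fails + 1))
        fi
    done
    if register_globals_off "$2"; then
        echo "ok    register_globals is off"
    else
        echo "WARN  register_globals is enabled"
        fails=$((fails + 1))
    fi
    return $fails
}

# Run against the constructed samples. On a real host feed it
# "$(cat /proc/mounts)" and the contents of the active php.ini instead.
audit_host "$SAMPLE_MOUNTS" "$SAMPLE_PHP_INI" || echo "$? check(s) failed"
```

With the samples, /tmp passes, /var/www is flagged because it lacks noexec, and register_globals passes, so the audit returns 1. A web root that must execute PHP cannot normally be noexec, which is why the post's protection comes from the download landing in /tmp rather than from the web root itself.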
So, well, yes, it could be a nightmare, but then again all of the molecules of air in the room could simultaneously happen to bounce out the door at once, exploding your lungs from the sudden decompression and smashing whatever’s outside your office to kindling. Just don’t bet your last dollar on it ever happening.
