Mare.D attacks the Mambo content management system

F-Secure is warning about 'network worm' Mare.D targets vulnerabilities in Content Management System (CMS) Mambo and XML-RPC PHP library (this is The code library for PHP programmers allows procedures to run between multiple computers with different operating systems.

Interface of Mambo CMS system

F-Secure said the Mare.D worm installs a number of backdoor ports on the infected system (and will harm it if the system runs Mambo open source CMS system or the XML-RPC PHP library).

Two of these back ports are of the 'connectback shell backdoor' type, named "cb" and "ping.txt".These two back ports connect to the remote computer via port 8080. The third back port is written in Perl language and controlled by IRC (Internet Relay Chat).The main component of the listening worm for commands at port 27015 of UDP (User Datagram Protocol) protocol.

Secunia said, this vulnerability affects PHP XML-RPC version 1.1 and earlier versions.The company advises users to upgrade the PHP XML-RPC library to version 1.1.1.

On his website, Mambo said he had released fixes for versions 4.5.3 and 4.5.3h.Users can download these fixes fromhttp://www.mamboserver.com/.Mambo also recommends that users upgrade their software if they have previous versions of 4.5.3.

A consultant from Sophos said, they still haven't seen any customers complaining about the Mare.D worm.