TryThis0ne >> General >> Computers
New Worm (Lupper/Plupii) Targets Linux OSystems!
cp77fk4r
Global Admin
Registered on: 01/01/1970, 04:00:00
Location: Israel
Posts: 621
Sent on: 10/11/2005, 04:54:22
A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking
Linux systems, antivirus companies warned on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations,
according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable
server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system.
The server joins a network of compromised systems, which can be used, for example, in attacks against
other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability;
AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability;
and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability,
according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year.
Patches are available for most systems.
AWStats is a log analyzer tool; a fix for the flaw has been available since February.
Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.
McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk,
but notes that the worm has not been widely distributed.
The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm.
If a system has been infected, Symantec recommends complete reinstallation of the system because
it will be difficult to determine what else the computer has been exposed to, the company said.

(http://news.zdnet.com/2100-1009_22-5938475.html)

1f y0u c4N r34d th15 y0u R34lly n33d 2 g3T l41d
cp77fk4r
Global Admin
Registered on: 01/01/1970, 04:00:00
Posts: 621
Sent on: 10/11/2005, 05:04:05
Names:
McAfee: Linux/Lupper.worm.
Computer Associates: Linux/Lupper.A, Linux/Lupper.B.
Kaspersky: Backdoor.Linux.Small.al
ClamAV: Exploit.Linux.Lupii.
Trend Micro: ELF_LUPPER.A.

Damage:
Payload Trigger: n/a
Payload: Opens a back door on the compromised computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Generates URLs in order to scan for other computers to infect, which may affect network performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a

Technical details:
When Linux.Plupii is executed, it performs the following actions:

1) Sends a notification message to an attacker at a remote IP address, through UDP port 7222.

2) Opens a back door on UDP port 7222, which enables a remote attacker to have unauthorized access to the compromised computer.

3) Generates URLs which include the following strings:

/cgi-bin/
/scgi-bin/
/awstats/
/cgi-bin/awstats/
/scgi-bin/awstats/
/cgi/awstats/
/scgi/awstats/
/scripts/
/cgi-bin/stats/
/scgi-bin/stats/
/stats/
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi

4) Sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:

   - The XML-RPC for PHP Remote Code Injection vulnerability.
   - The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability.
   - The Darryl Burgdorf Webhints Remote Command Execution Vulnerability.

5) Attempts to download and execute a copy of itself from the following Web site:
[http://]62.101.193.244/[REMOVED]/lupii

6) Saves the copy of the worm it downloads as the following file:
/tmp/lupii


Credits: Takayoshi Nakayama.

Edited by cp77fk4r at 10/11/2005, 03:08:22
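The behaviour described in the post above (a blind walk through a fixed list of script paths, a UDP port 7222 listener, a copy dropped at /tmp/lupii) is exactly the kind of thing a web-server admin can look for in logs and on the host. The script below is an added example for this thread, not code from Symantec, McAfee or the poster. It assumes Apache/NCSA combined access-log lines, collapses the worm's many directory variants to the script names and directories they share (xmlrpc.php, includer.cgi, hints.pl, hints.cgi, /awstats/, /stats/), and all log lines, the listener table and the file snapshot it uses are constructed sample data:

```python
"""Defender-side detection for Lupper/Plupii scanning, as described in the thread.

Added example, not code from Symantec, McAfee or the poster. It turns the worm
description into two checks: (1) which access-log entries and source IPs look
like Lupper probes, and (2) whether a host shows the stated indicators
(listener on UDP port 7222, /tmp/lupii present). All sample data is constructed.
"""
import re
from collections import defaultdict

# Request-path indicators from the worm description. The directory variants
# it tries (/cgi-bin/, /scgi-bin/, /blog/, /wordpress/, ...) all end in one of
# these script names or pass through one of these directories.
PROBE_SCRIPTS = ("xmlrpc.php", "includer.cgi", "hints.pl", "hints.cgi")
PROBE_DIRS = ("/awstats/", "/stats/")

# Host indicators from the description: back-door/notification port and drop path.
BACKDOOR_PORT = ("udp", 7222)
DROP_PATH = "/tmp/lupii"

# Apache/NCSA "combined" access-log line; enough to pull out ip, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def is_probe_path(path):
    """True if a request path matches one of the worm's target locations."""
    path = path.split("?", 1)[0]          # ignore the query string
    script = path.rsplit("/", 1)[-1]
    return script in PROBE_SCRIPTS or any(d in path for d in PROBE_DIRS)


def scan_access_log(lines):
    """Return (ip, path, status) for every parseable line that hits a probe path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe_path(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def probing_sources(hits, min_distinct_paths=3):
    """IPs that touched several distinct probe paths. The worm walks its URL list
    blindly, so one source hitting many of them is scan behaviour; a single
    xmlrpc.php call from a legitimate blog client is not."""
    paths_by_ip = defaultdict(set)
    for ip, path, _ in hits:
        paths_by_ip[ip].add(path.split("?", 1)[0])
    return sorted(ip for ip, paths in paths_by_ip.items()
                  if len(paths) >= min_distinct_paths)


def exposed_probe_paths(hits):
    """Probe paths the server answered with 200: those scripts really exist here
    and are the ones to patch or remove (a 404 means the probe found nothing)."""
    return sorted({path.split("?", 1)[0] for _, path, status in hits if status == 200})


def host_indicators(listening_sockets, existing_files):
    """Check a host's listener table and file snapshot for the stated indicators."""
    findings = []
    if BACKDOOR_PORT in listening_sockets:
        findings.append("listener on udp/7222 (Plupii notification/back-door port)")
    if DROP_PATH in existing_files:
        findings.append(f"{DROP_PATH} present (worm drop location)")
    return findings


# Constructed sample data: one source walking the worm's URL list, one normal visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2005:04:12:01 +0200] "POST /xmlrpc.php HTTP/1.0" 404 213 "-" "-"',
    '198.51.100.7 - - [10/Nov/2005:04:12:01 +0200] "POST /blog/xmlrpc.php HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Nov/2005:04:12:02 +0200] "GET /cgi-bin/awstats/awstats.pl?lang=en HTTP/1.0" 404 213 "-" "-"',
    '198.51.100.7 - - [10/Nov/2005:04:12:02 +0200] "GET /cgi-bin/hints.pl HTTP/1.0" 404 213 "-" "-"',
    '203.0.113.5 - - [10/Nov/2005:04:13:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2005:04:13:11 +0200] "POST /blog/xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "not an access-log line",
]
SAMPLE_SOCKETS = {("tcp", 80), ("tcp", 22), ("udp", 7222)}   # constructed listener table
SAMPLE_FILES = {"/tmp/lupii", "/var/www/html/index.html"}    # constructed file snapshot

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    print("scanning sources:", probing_sources(hits))
    print("probe paths that exist here:", exposed_probe_paths(hits))
    for finding in host_indicators(SAMPLE_SOCKETS, SAMPLE_FILES):
        print("host indicator:", finding)
```

Two design points: the source-IP check counts distinct probe paths rather than single hits, because a lone request for /blog/xmlrpc.php is normal blog traffic while one client touching xmlrpc.php, awstats and hints.pl in the same second is the worm's list walk; and the 200-status filter separates noise (probes for scripts you do not run) from the paths that actually need the patches linked further down the thread.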

cp77fk4r
Global Admin
Registered on: 01/01/1970, 04:00:00
Posts: 621
Sent on: 10/11/2005, 05:07:25
The XML-RPC for PHP Remote Code Injection vulnerability:
http://www.securityfocus.com/bid/14088/info

The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability:
http://www.securityfocus.com/bid/10950/info

The Darryl Burgdorf Webhints Remote Command Execution Vulnerability:
http://www.securityfocus.com/bid/13930/info

Have a safe day. :)

All the times are GMT+2, ISRAEL
Design by SBD © GeHeNoM.Net | Powered By Tera-Byte Forums 1.5 © JonJon & HLL