Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
Re:Remarkably Useless page. (Score:4, Informative)
I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.
Short of detail (Score:5, Informative)
"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.
AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.
Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "
This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?
Does it look like this? (Score:5, Informative)
193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST
.
.
.
For 60 hits.
Re:PHP exploit, not directly a linux problem? (Score:4, Informative)
According to this article [com.com], AWStats was patched back in February.
It's not Windows (Score:5, Informative)
Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in
Re:Conditions for infection... (Score:3, Informative)
It's not the configuration of Apache, but the configuration of PHP. Basically, it's whether you allow the following:
<?php
// #1: the backtick operator runs a shell command (same as shell_exec())
$foo = `ls`;
// #2: include() pulling PHP code from a remote URL (remote file inclusion)
$bar = include("http://foo.com/example.txt");
?>
A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).
#2 is just plain dumb.
I don't remember what defaults PHP ships with nowadays (I think yes to shell commands at least); it's possible that they don't allow "http://" (remote file protocols) by default in their later releases.
--Robert
Re:if it attacks PHP cross-platform... (Score:4, Informative)
Not exactly. From what I understood, there are BSD and Linux variants: both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.
There's a layer available in BSD that allows running Linux binaries natively, so Linux potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect a Linux system through Wine.
Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?
an excerpt from my logs (Score:3, Informative)
[06/Nov/2005:18:13:39 -0500] "GET
Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??
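A detector for the footprint the two log excerpts above describe (one client hammering several script URLs within seconds, and requests that try to pull a file from an external URL), added here as an example that is not from the thread or from McAfee. The log lines, IPs and paths in it are constructed, and the burst and remote-URL-in-query heuristics are my assumptions, not a published signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log line: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed heuristic: a query string that itself carries a URL (attempted remote file fetch).
REMOTE_URL_IN_QUERY = re.compile(r'\?.*https?://', re.IGNORECASE)

# Constructed sample (not from the thread): one client probing several scripts in a few
# seconds, one probe carrying a remote URL in its query, then one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2005:15:10:10 -0700] "GET /xmlrpc.php HTTP/1.1" 404 211
203.0.113.7 - - [04/Nov/2005:15:10:12 -0700] "GET /cgi-bin/awstats.pl?cfg=http://198.51.100.9/a.txt HTTP/1.1" 404 211
203.0.113.7 - - [04/Nov/2005:15:10:14 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 211
203.0.113.7 - - [04/Nov/2005:15:10:15 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 211
203.0.113.7 - - [04/Nov/2005:15:10:17 -0700] "GET /cgi-bin/hints.pl HTTP/1.1" 404 211
198.51.100.23 - - [04/Nov/2005:15:12:01 -0700] "GET /index.html HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"]}

def find_suspects(log_text, burst_hits=5, window_seconds=60):
    """Map client IP -> list of reasons for clients that look like the worm's scanner:
    burst_hits or more requests inside window_seconds, or a remote URL in a query string."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # Sliding window over sorted timestamps: burst_hits consecutive requests inside
        # window_seconds is the "60 hits" pattern the posters saw.
        for i in range(len(recs) - burst_hits + 1):
            span = (recs[i + burst_hits - 1]["ts"] - recs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                reasons.append(f"{burst_hits} requests within {int(span)}s")
                break
        remote = [r["path"] for r in recs if REMOTE_URL_IN_QUERY.search(r["path"])]
        if remote:
            reasons.append("remote URL in query string: " + remote[0])
        if reasons:
            suspects[ip] = reasons
    return suspects
```

Run it over a real access_log by passing the file contents to find_suspects; tune burst_hits and window_seconds to your site's normal traffic before trusting the burst rule.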
Re:Remarkably Useless page. (Score:5, Informative)
My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.
This indicates that this is indeed in the wild, and active, and spreading.
Thus, it is not alarmist shit.
Re:Conditions for infection... (Score:3, Informative)
Per Making /tmp non-executable [debian-adm...ration.org]:
What you need is defense in depth. Mounting /tmp noexec,nosuid helps; keeping everything up-to-date helps; scanning your log files, following the news... you get the idea.
And of course, hiring someone competent to do all this is a fine idea;)
Re:Conditions for infection... (Score:3, Informative)
Aside from keeping a system patched up, it's important on a web server to lock down all programs that aren't necessary for the operation of your web services. In typical setups there is absolutely no reason that the apache user should have to execute wget, although it will be able to by default.