VIRUS ALERTS

Worm Linux/Lupper

A new worm affecting Linux systems, named Linux/Lupper.worm (McAfee Inc.) or Linux.Plupii (Symantec), is spreading in the wild by exploiting different PHP/CGI vulnerabilities on many vulnerable web servers. It propagates by scanning an entire class B subnet and blindly attacking web servers: it sends malicious HTTP requests to port 80 on vulnerable servers, then downloads and executes the worm in the PHP/CGI environment.

It has been reported to be a modified derivative of the Linux/Slapper and BSD/Scalper worms reported earlier. The worm is capable of harvesting email addresses and accepts remote commands. It also opens one of two UDP ports, 7111 or 7222, on the infected system. The compromised server/network can be used for DDoS attacks.

The compromised server may contain a file named /tmp/lupii. The worm generates URLs which include strings like cgi-bin, stat, xmlrpc etc.
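The indicators above (the /tmp/lupii file, UDP ports 7111/7222, and request URLs containing cgi-bin, stat or xmlrpc) can be checked on a host with a short script. This is an added example, not part of the original alert; the function names, the log format (Apache/nginx common log format) and the sample data are assumptions constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Indicators stated in the advisory.
WORM_FILE = "/tmp/lupii"
WORM_UDP_PORTS = {7111, 7222}
URL_MARKERS = ("cgi-bin", "stat", "xmlrpc")

# Common log format (assumed): capture client address and requested path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')

# Constructed sample data (documentation addresses, made-up requests).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2006:10:00:02 +0000] "GET /cgi-bin/example.cgi HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Jan/2006:10:05:00 +0000] "GET /static/site.css HTTP/1.1" 200 512',
]
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:0035 00000000:0000 07\n"
    "   1: 00000000:1BC7 00000000:0000 07\n"
)

def probing_clients(log_lines, min_markers=2):
    """Clients whose requests touch several distinct markers (blind probing)."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            client, path = m.group(1), m.group(2).lower()
            seen[client].update(k for k in URL_MARKERS if k in path)
    return {c: sorted(ks) for c, ks in seen.items() if len(ks) >= min_markers}

def worm_udp_ports(proc_net_udp):
    """Worm ports bound locally, parsed from /proc/net/udp text (hex ports)."""
    found = set()
    for row in proc_net_udp.splitlines()[1:]:  # first row is the header
        fields = row.split()
        if len(fields) > 1 and ":" in fields[1]:
            found.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(found & WORM_UDP_PORTS)

def worm_file_present(path=WORM_FILE):
    """True when the file the advisory names exists on this host."""
    return os.path.lexists(path)

if __name__ == "__main__":
    print("probing clients:", probing_clients(SAMPLE_LOG))
    print("worm UDP ports :", worm_udp_ports(SAMPLE_PROC_NET_UDP))
    print("worm file      :", worm_file_present())
```

On a live host, pass the contents of /proc/net/udp and the web server's access log instead of the samples. Requiring two distinct markers per client keeps ordinary paths such as /static/ from matching on "stat" alone.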

The worm exploits many vulnerabilities, including:

  • The XML-RPC for PHP Remote Code Injection vulnerability (described in Bugtraq ID 14088)
  • The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (described in Bugtraq ID 10950)
  • The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (described in Bugtraq ID 13930)

System administrators are advised to turn off unwanted remote services and install the latest patches on the server. For further details refer to the following URLs:

References

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003