Slashdot Mirror


Linux Lupper.Worm In the Wild

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

16 of 363 comments

  1. CONTINUE: by xtracto · · Score: 5, Funny

    Next, is a collection of messages telling that it is the fault of the system administrators and not a problem of the Linux Distributions.

    p.s. BURN KARMA BURN!

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:CONTINUE: by EraserMouseMan · · Score: 1, Funny

      Of course, Linux is perfect by definition.

      And I'm sure this worm was written by a Microsoftie or possibly by Bill Gates himself.

    2. Re:CONTINUE: by rtb61 · · Score: 2, Funny

      Only if the worm turns and starts to attack windoze boxen instead, that's the defining nature of redmond code, bugs.

      --
      Chaos - everything, everywhere, everywhen
  2. Complete infection by soren.harward · · Score: 5, Funny

    All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

  3. Before all teh MSFT fanboys jump on this, by Anonymous Coward · · Score: 5, Funny

    Paraphrased from the virus description;

    IF you run a specific kernel version with some special module
    AND you run one of a couple specific versions of one package not installed by default
    AND you have a very "generic" config on that package
    AND you have some plugins enabled, but not configured for security
    AND you are on a world routable IP address
    AND you have some specific vulnerable scripts,

    THEN you might need to take a look at if you are at risk.

    Paraphrased from the virus description of most MSFT worms:

    IF you run an MSFT operating system
    AND you haven't reformatted your HDD in the last hour

    THEN it's time to pucker up and kiss the sucker goodbye..

    -GenTimJS

  4. I'm not worried... by PoprocksCk · · Score: 5, Funny

    I doubt I'll have the libraries required to run this worm.

    1. Re:I'm not worried... by WinterSolstice · · Score: 3, Funny

      Ha!

      Yes, if your luck with PHP on Linux is like mine, you'll have to resolve dependencies for about 15 minutes first :)

      -WS

      --
      An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
    2. Re:I'm not worried... by _Sprocket_ · · Score: 3, Funny

      apt-get install morrisworm2

  5. Linux/BSD only by WhiteWolf666 · · Score: 3, Funny

    Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.

    It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.

    Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!

    Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  6. Re:Conditions for infection... by maxwell+demon · · Score: 5, Funny

    Hey, I've found a way to write a true Linux worm! It can infect all Linux computers which have a user named "wormhole" with password "unsafe", and have a suid-root copy of bash installed at /bin/rootbash which is executable by user "wormhole". Ah, and of course the user "wormhole" must be able to remote login through either rlogin or ssh with password authentication enabled. To spread, the worm also needs the file /etc/wormspreadrc, which must contain a list of other vulnerable computers, one hostname or IP number per line.

    SCNR

    --
    The Tao of math: The numbers you can count are not the real numbers.
  7. Gnu! by rabel · · Score: 4, Funny

    That's Gnu/Linux worm to you, you insensitive clod!

  8. clearly a violation by FudRucker · · Score: 4, Funny

    If this worm does not include the source code with every computer it infects, it is violating the terms and conditions of the GNU/GPL.

    --
    Politics is Treachery, Religion is Brainwashing
  9. Re:if it attacks PHP cross-platform... by Anonymous Coward · · Score: 1, Funny

    Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?

    No, there aren't. Primarily because "virii" IS NOT A WORD YOU TWIT!

  10. Re:Remarkably Useless page. by tomhudson · · Score: 4, Funny

    I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/

    Knock yourselves out :-)

  11. Re:Remarkably Useless page. by Macrobat · · Score: 4, Funny

    You know, if you link to a porn site, you could at least warn us.

    --
    "Hardly used" will not fetch you a better price for your brain.
  12. They are just now discovering this??? by Christianfreak · · Score: 2, Funny

    I've been seeing requests for some of these URLs for 6 months now. I figured it was a worm but I know I'm patched and I don't run any of that stuff anyway. Amazing to me that people get owned by this sort of thing.

    Between this and the SSH worm, maybe it's time to investigate using Windows ME with Personal Web Server. :-D