Slashdot Mirror


Linux Lupper.Worm In the Wild

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

17 of 363 comments

  1. Remarkably Useless page. by Short+Circuit · · Score: 5, Interesting
    First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

    Second, how do you remove it? Quoth the page:
    Removal Instructions
    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

  2. Been around earlier? by Anonymous Coward · · Score: 1, Interesting

    According to http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci955041,00.html, this worm started in 2002... or am I mistaken?

  3. Too many ifs by SolitaryMan · · Score: 5, Interesting

    If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...

    which in practice means that your admin has died a couple of years ago but was never replaced.

    --
    May Peace Prevail On Earth
    1. Re:Too many ifs by Anonymous Coward · · Score: 1, Interesting

      .. or your box is one of gazillions of dedicated servers maintained by hobby admins.

  4. Linux? by noz · · Score: 2, Interesting
    I dislike the labelling of this worm as Linux/Slapper. The only platform identification is,
    This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts.
    I also know that tomorrow a colleague will say something akin to, "Quit razzing my Windows platforms. Your precious Linux also has security problems." Grrrr...
  5. Re:PHP exploit, not directly a linux problem? by EraserMouseMan · · Score: 2, Interesting

    Is it possible for this exploit to occur under any other OS other than Linux? If so, then maybe Linux is not the root cause, but it is definitely "a linux problem".

  6. Please Rate This Worm Info!! by handmedowns · · Score: 3, Interesting

    http://vil.nai.com/vil/RateThisPage.asp

    Let McAfee know how well they're trolling.

    --
    The road between democracy and tyranny is paved with secrecy in the name of security.
  7. Re:How can we get some free press? by cnelzie · · Score: 2, Interesting

    Except the blasted media only calls them "Computer Worms"; they do not mention Windows as the problem. That is why every time one of those stupid announcements makes it onto "Good Morning America", I get a call from the boss asking if our servers are safe, and every time I have to say that is a Windows problem, not a Linux problem.

        It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  8. Re:Before all teh MSFT fanboys jump on this, by sootman · · Score: 2, Interesting

    From the best MS technote EVAR:

    "Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."

    And since MS included IE by default, enabled it by default, and made it almost impossible to uninstall, all you MS defenders are invited to take a long walk off a short pier. BTW, that update is less than 2 years old, so it's not like I'm really digging in the crates to find that one or making "OMG teh BSOD!" Win98 jokes.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  9. Re:CONTINUE: by clickster · · Score: 2, Interesting

    Would you accept the same excuse for IIS?

    --
    If you mod me down, I shall become less powerful than you could possibly imagine.
  10. Lupper? Isn't that a 3:00 pm meal... by Biff+Stu · · Score: 2, Interesting

    It's not quite lunch, it's not quite supper; let's call it lupper!

  11. Re:So let me get this straight by tomhudson · · Score: 2, Interesting

    Linux has a smaller Market Share than Mac OS X, yet it's still getting targeted by virus writers?

    is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform
    ... just so you don't need to feel left out.

    But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-windows users on a weekly basis (Maybe they enjoy Troll Tuesday?) because they know that their time is almost up:

    • People switching to a mac won't need their products
    • People running linux won't need their products
    • The 800-lb - oops - 1600 lb gorilla in the Windows marketspace - Microsoft - is coming out with their own antivirus
    If you were in their situation, what would you do?
  12. Re:CONTINUE: by Omniscientist · · Score: 2, Interesting
    Well it is nice to know that I am a somewhat responsible administrator, as it seems like I survived an attack. In my logs I was wondering why I was getting random hits on pages such as "xmlrpc.php" when I didn't have any pages named that. This happened 7 days ago by the way, so it must be around that old.

    I find it kind of strange however that if you go to services/xmlrpc.php on my website, you get a webpage that is actually services.html. No services/xmlrpc.php or even services directory exists in my htdocs folder. Going to plain xmlrpc.php brings up a 404. However I scanned for open UDP ports and neither 7111 nor 7222 are open, so according to McAfee I'm not infected. I'm probably just unknowledgeable on what xmlrpc.php is, but it is still strange.

  13. Re:It's not Windows by 51mon · · Score: 2, Interesting

    It is called privilege escalation.

    Once any system is compromised, you have generally to assume that the attacker escalated their privileges using other exploits. If you had auditing enabled, you might be able to demonstrate that this did not happen, but if you had auditing enabled you probably reinstalled already!

    The problem with these sorts of compromise is that in some shared hosting environments the end user could have installed vulnerable PHP. So it doesn't really matter how good the admin or OS is, unless the OS has specific facilities to mitigate this sort of attack.

    I wouldn't take people seeing awstats attempts as proof of the worm; I've been seeing awstats exploit attempts for years. That is usually just run-of-the-mill hacking attempts, semi-automated scanning, or earlier worms.
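
The two posts above describe the same defender's question: do the xmlrpc.php and awstats hits in the access log mean anything, and which of them did the server actually answer rather than 404? The following script is an added example (not code from the thread, McAfee, or any commenter) that parses Apache combined-format log lines, flags requests whose path matches a probe marker, counts them per source address, and separates the probes the site answered with 200 (the services/xmlrpc.php case in comment 12) from the ones it rejected. The log lines and the addresses in them are constructed sample data; the marker list and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed Apache combined-format access log lines (sample data, not from
# the thread). The probed paths are the ones the commenters mention seeing.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Nov/2005:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2005:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 404 281 "-" "lwp-trivial/1.41"
198.51.100.7 - - [06/Nov/2005:10:01:13 +0000] "POST /services/xmlrpc.php HTTP/1.1" 200 1033 "-" "lwp-trivial/1.41"
198.51.100.7 - - [06/Nov/2005:10:01:14 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 280 "-" "-"
this line is not in log format and must be skipped
203.0.113.5 - - [06/Nov/2005:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Path fragments the commenters saw being hit. A real deployment would
# maintain this list from its own logs; it is an assumption of this example.
PROBE_MARKERS = ("xmlrpc.php", "awstats")

# Apache "combined" format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict]:
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Match on the path only; query strings differ between scanner variants.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def find_probes(log_text: str) -> List[Dict]:
    """Return every parsed request whose path contains a known probe marker.

    'served' is True when the server answered 200. A probe the site actually
    answered, instead of rejecting with 404, is the one to investigate first;
    that is the services/xmlrpc.php observation from the thread.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as probes
        lowered = rec["path"].lower()
        if any(marker in lowered for marker in PROBE_MARKERS):
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits


def hits_by_source(hits: List[Dict]) -> Dict[str, int]:
    """Count probe requests per client address."""
    return dict(Counter(h["ip"] for h in hits))


def served_probe_paths(hits: List[Dict]) -> List[str]:
    """Paths that matched a probe marker and were answered with 200."""
    return [h["path"] for h in hits if h["served"]]


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("probes per source:", hits_by_source(found))
    print("probes answered 200:", served_probe_paths(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. A burst of marker hits from one address answered with 404 is the background scanning comment 13 describes; a marker path answered with 200 deserves a look at what handler actually served it.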

  14. not a good practice.. by Anonymous Coward · · Score: 1, Interesting

    Unless you have tripwire or some off-disk checksums of your hard drive, you have no choice but to wipe and re-install configs and data from backups. If you haven't designed your systems to make this easy (keep all configs in /etc, /usr/local/etc, keep all customer data in one dir, etc), you're just making extra work for yourself OR making excuses why you shouldn't clean up a pwned machine.

    Sure, 99% of the time, script kiddies are easy to clean up after. You might run into that 1% that make themselves root with an unpublished exploit, and install a kernel mod to hide themselves, and you think "oh, it's just some kiddies littering /tmp, big deal".

    That's happened to me exactly once in my 10+ year career, but once was too much!
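
The poster's point rests on having checksums that were taken before the compromise and kept somewhere the attacker could not reach. The script below is an added example (not from the thread, and not Tripwire's own code) of that idea at its simplest: hash every regular file under a directory into a baseline, store the baseline as JSON, and later diff a fresh snapshot against it to list added, removed and modified files. The demo builds a constructed directory tree in a temporary location, takes the baseline, alters the tree, and reports the differences; where the baseline file lives in the demo is a placeholder, since in practice it belongs on read-only or off-host storage.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest.

    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root).as_posix()] = file_digest(p)
    return result


def save_baseline(snap: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed, or whose digest changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "apache2").mkdir(parents=True)
        (root / "apache2" / "httpd.conf").write_text("ServerName example.invalid\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        # Placeholder location: a real baseline goes on read-only or off-host media.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed changes: one file edited, one added, one removed.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n"
        )
        (root / "cron.d").mkdir()
        (root / "cron.d" / "added").write_text("# constructed added file\n")
        (root / "apache2" / "httpd.conf").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff only means something if the baseline predates the incident and was unreachable from the box; a baseline regenerated on the compromised host simply records the attacker's changes as normal, which is why the poster says that without such a record the remaining option is to rebuild from backups.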

  15. Re:no login shell by Understudy · · Score: 2, Interesting

    Yes, CGI access gives them a virtual shell; you can control how it functions.
    You should be using mod_security.
    http://understudy.net/tutorials.php?name=wget comes back failed. You can run limited-ability shell accounts such as scponlyc (chrooted version of scponly).

    And the servers I run on are all FreeBSD based.

    Mod security can be found here:
    http://modsecurity.org/
    http://www.gotroot.com/tiki-index.php?page=mod_security+rules
    http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

  16. IE is not cross-platform by macdaddy · · Score: 2, Interesting

    Microsoft hasn't released an update for IE on OS X since 6/16/2003. They only released that small upgrade from 5.2.1 because of an asinine amount of bugs in 5.2.1, including one that I found and reported. They made a big to-do over 5.2.1 being their last Mac release. 2.5 years is more than long enough to consider that IE is no longer available as a Mac product. You can still pick up a Red Hat release that supports Sparc (5.x). Does that mean that RH supports Sparcs? No, it doesn't.