Found this on the Symantec site:
http://securityresponse.symantec.com...ux.plupii.html
It was evidently found yesterday (11/6). Of course, I see this as I'm finishing up the installation of Fedora4 on my laptop.
;)
Hmm, from what I hear... that won't be too much of a threat to a desktop... the only way it might affect people is if they have outdated versions of things like WordPress... also, the XML-RPC exploit was fixed a few months ago, I thought?
It seems like this is a variant of another virus recently found active... it mostly attacks web servers and the like by trying different CGI attacks...
I think it will not do much harm if you're not running any web services or FTP and Telnet thingies?! But then again... I'm not a Linux L33t ;)
The earlier variant would open UDP port 7111, I thought... I'm not sure exactly, read it somewhere on a forum.
C.
Yup.. old stuff..
but it's funny to filter your Apache logs and find hundreds of infected computers trying to infect you..
They all have an open port 7222 with the ability to connect as user nobody (or some other web user).
And knowing the update state of such a box, it doesn't have to stop there ;)
WTFOMFG!!!???11`~ LINUCKS CAN'T GET VIRUSSS!! WINBLOWS SUX!!1111 ;)
- X
Was reading up on this as well recently. Saw that the worm came out a while back.... but oddly enough, there seems to be a sudden reemergence. I've been watching a hundred or so IDS sensors across the US and within the last 2+ weeks have seen this worm steadily spread.
Have a few clients that fell victim to it (running both FTP and Apache). Took it offline, ran antivirus, found 8+ infected files that were then cleaned. Turned off unneeded services, patched, etc.
Put the server back on and BOOM.. the thing just went right back to work posting:
[11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
[11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301
[11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
[11/Nov/2005:16:38:05 +0300] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 309
[11/Nov/2005:16:38:07 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303
[11/Nov/2005:16:38:08 +0300] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 309
[11/Nov/2005:16:38:09 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 306
[11/Nov/2005:16:38:11 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
[11/Nov/2005:16:38:12 +0300] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 303
[11/Nov/2005:16:38:13 +0300] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 303
Like the article said at the beginning of this thread... who knows what else could have been installed since the initial infection.
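The log excerpt above is the worm's probe pattern: one client POSTs to a dozen guessed xmlrpc.php locations in a few seconds, most of them returning 404. The following script is an added example (not from any poster or from Symantec/SANS) that parses Apache combined-format access logs and flags clients that burst-probe several xmlrpc.php paths, while leaving a single POST to a real blog's xmlrpc.php alone; the log lines and the 10.0.0.x addresses are constructed, since the poster's excerpt omitted the client address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format (the post's own excerpt omitted the
# client address); 10.0.0.7 and 10.0.0.9 are placeholder source addresses.
SAMPLE_LOG = """\
10.0.0.7 - - [11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296 "-" "-"
10.0.0.7 - - [11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301 "-" "-"
10.0.0.7 - - [11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308 "-" "-"
10.0.0.7 - - [11/Nov/2005:16:38:07 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303 "-" "-"
10.0.0.9 - - [11/Nov/2005:16:40:00 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Nov/2005:16:40:05 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
XMLRPC_RE = re.compile(r'(^|/)xmlrpc\.php$', re.IGNORECASE)  # any directory, same file name

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_xmlrpc_scanners(log_text, min_paths=3, window_s=60):
    """Return {ip: sorted distinct paths} for clients that POSTed to at least min_paths
    different xmlrpc.php locations within window_s seconds. The burst of guessed paths
    (most of them 404) is the worm's footprint; one POST to a real xmlrpc.php is
    ordinary blog-client traffic and is not flagged."""
    hits = defaultdict(list)                      # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and XMLRPC_RE.search(rec["path"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    scanners = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # slide a window from each event
            paths = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(paths) >= min_paths:
                scanners[ip] = sorted({p for _, p in events})
                break
    return scanners
```

Run `find_xmlrpc_scanners(open("/var/log/httpd/access_log").read())` to get the probing clients and the paths each tried; lower `min_paths` or `window_s` to tune sensitivity for your own traffic.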
Have a look here: http://isc.sans.org/diary.php?storyid=823
You'll see lots of similarities.
Great link SirDice. Funny thing is that this hole is (was) already widely known.. Quote:
xml-rpc for php is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. When exploited, this could compromise a vulnerable system. Most of these packages should have xml-rpc for php vulnerability fixed in the latest version. If you are still running an old version, you should get it updated immediately.
The CMS I use has been patched for this since August, for example..