-
November 7th, 2005, 11:57 PM
#1
Linux Worm
Found this on the Symantec site:
http://securityresponse.symantec.com...ux.plupii.html
It was evidently found yesterday (11/6). Of course, I see this as I'm finishing up the installation of Fedora4 on my laptop.
-
November 8th, 2005, 06:08 AM
#2
Hmm, from what I hear... that won't be too much of a threat to a desktop... the only way it might affect people is if they have outdated versions of things like WordPress... also, the XML-RPC exploit was fixed a few months ago, I thought?
-
November 8th, 2005, 07:22 AM
#3
It seems like this is a variant of another virus recently found active... it mostly attacks web servers and the like by trying different CGI attacks...
I think it will not do much harm if you're not running any web services or FTP and Telnet thingies?! But then again... I'm not a Linux L33t.
The earlier variant would open UDP port 7111, I thought... I'm not sure exactly, read it somewhere on a forum.
C.
Back when I was a boy, we carved our own IC's out of wood.
-
November 8th, 2005, 08:01 AM
#4
Yup.. old stuff..
but it's funny to filter your apache logs and find hundreds of infected computers trying to infect you..
They all have an open port 7222 with ability to connect as user nobody (or some other web user)
And knowing the update state of such a box, it doesn't have to stop there.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
November 8th, 2005, 09:08 AM
#5
WTFOMFG!!!???11`~ LINUCKS CAN'T GET VIRUSSS!! WINBLOWS SUX!!1111
- X
"Personality is only ripe when a man has made the truth his own."
-- Søren Kierkegaard
-
November 15th, 2005, 04:04 PM
#6
Was reading up on this as well recently. Saw that the worm came out a while back... but oddly enough, there seems to be a sudden reemergence. I've been watching a hundred or so IDS sensors across the US and within the last 2+ weeks seen this worm steadily spread.
Have a few clients that fell victim to it (running both FTP and Apache). Took it offline, ran antivirus, found 8+ infected files that were then cleaned. Turned off unneeded services, patched... etc.
Put the server back on and BOOM... the thing just went right back to work posting:
[11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
[11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301
[11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
[11/Nov/2005:16:38:05 +0300] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 309
[11/Nov/2005:16:38:07 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303
[11/Nov/2005:16:38:08 +0300] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 309
[11/Nov/2005:16:38:09 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 306
[11/Nov/2005:16:38:11 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
[11/Nov/2005:16:38:12 +0300] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 303
[11/Nov/2005:16:38:13 +0300] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 303
Like the article said at the beginning of this thread... who knows what else could have been installed since the initial infection
%42%75%75%75%75%72%70%21%00
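The log excerpt above is the worm's signature as seen from the web server: a burst of POSTs to every common xmlrpc.php location within a few seconds, most of them answered with 404 because the path does not exist. The following is an added example (not from the original post or from Symantec/SANS) showing how a practitioner would filter an Apache access log for that pattern and separate mere scanners from clients whose xmlrpc.php POST actually reached a script (2xx response). The sample log is constructed: the request lines mirror the probe list in the post, the client addresses are assumed values from the RFC 5737 documentation ranges, not real infected hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Apache common log format. Request lines mirror
# the probe sequence quoted in the post; the client IPs are assumptions
# (RFC 5737 documentation ranges), not real infected hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
192.0.2.10 - - [11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301
192.0.2.10 - - [11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
192.0.2.10 - - [11/Nov/2005:16:38:07 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303
192.0.2.10 - - [11/Nov/2005:16:38:09 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 306
198.51.100.7 - - [11/Nov/2005:16:40:00 +0300] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [11/Nov/2005:16:40:05 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512
203.0.113.5 - - [11/Nov/2005:16:41:00 +0300] "GET /xmlrpc.php HTTP/1.1" 404 296
"""

# client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def is_xmlrpc_post(rec):
    """The pattern visible in the thread: a POST whose last path component is
    xmlrpc.php, regardless of which CMS directory it sits under."""
    return rec["method"] == "POST" and rec["path"].rsplit("/", 1)[-1].lower() == "xmlrpc.php"


def find_xmlrpc_scanners(log_text, min_paths=3, window_s=60):
    """Group xmlrpc.php POSTs per client. Report a client when it hit at least
    `min_paths` distinct xmlrpc.php locations within `window_s` seconds (the
    scanning burst), or when any such POST got a 2xx, meaning the endpoint
    exists on this server and the request reached the script."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_xmlrpc_post(rec):
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        scanning = False
        start = 0  # sliding window over the sorted hits
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= min_paths:
                scanning = True
                break
        reached = [r["path"] for r in recs if 200 <= r["status"] < 300]
        if scanning or reached:
            report[ip] = {
                "hits": len(recs),
                "paths": sorted({r["path"] for r in recs}),
                "scanning": scanning,
                "reached_script": reached,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_xmlrpc_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

The 404s alone only tell you someone is knocking; the entries worth acting on are the ones with a 2xx status, because that means a copy of xmlrpc.php exists at that path and the POST body was handed to it. A single 200 from a client that never scanned (198.51.100.7 in the constructed sample) is exactly the case the post describes where the check for an unpatched package should follow.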
-
November 15th, 2005, 04:48 PM
#7
Have a look here: http://isc.sans.org/diary.php?storyid=823
You'll see lots of similarities.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 15th, 2005, 07:09 PM
#8
Great link SirDice,
xml-rpc for php is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. When exploited, this could compromise a vulnerable system. Most of these packages should have xml-rpc for php vulnerability fixed in the latest version. If you are still running an old version, you should get it updated immediately.
Funny thing is that this hole is (was) already widely known...
The CMS I use was patched for this in August, for example.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !