Thread: Linux Worm

  1. #1

    Linux Worm

    Found this on the Symantec site:

    http://securityresponse.symantec.com...ux.plupii.html

    It was evidently found yesterday (11/6). Of course, I see this as I'm finishing up the installation of Fedora4 on my laptop.


  2. #2
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Hmm, from what I hear... that won't be too much of a threat to a desktop... the only way it might affect people is if they have outdated versions of things like WordPress... also, the XML-RPC exploit was fixed a few months ago, I thought?

  3. #3
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    It seems like this is a variant of another virus recently found active... it mostly attacks web servers and things like that by trying different CGI attacks...

    I think it will not do much harm if you're not running any web services or FTP and Telnet thingies?! But then again... I'm not a Linux L33t

    The earlier variant would open port udp 7111, I thought... I'm not sure exactly, I read it somewhere on a forum.

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  4. #4
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Yup.. old stuff..

    but it's funny to filter your Apache logs and find hundreds of infected computers trying to infect you..

    They all have an open port 7222 with the ability to connect as user nobody (or some other web user)

    And knowing the update state of such a box, it doesn't have to stop there
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    WTFOMFG!!!???11`~ LINUCKS CAN'T GET VIRUSSS!! WINBLOWS SUX!!1111

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  6. #6
    Member
    Join Date
    Sep 2005
    Posts
    77
    Was reading up on this as well recently. Saw that the worm came out a while back.... but oddly enough, there seems to be a sudden reemergence. I've been watching a hundred or so IDS sensors across the US and within the last 2+ weeks seen this worm steadily spread.
    Have a few clients that fell victim to it (running both FTP and Apache). Took it offline, ran antivirus, found 8+ infected files that were then cleaned. Turned off unneeded services, patched... etc.
    Put the server back on and BOOM.. the thing just went right back to work posting:

    [11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
    [11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301
    [11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308
    [11/Nov/2005:16:38:05 +0300] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 309
    [11/Nov/2005:16:38:07 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303
    [11/Nov/2005:16:38:08 +0300] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 309
    [11/Nov/2005:16:38:09 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 306
    [11/Nov/2005:16:38:11 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296
    [11/Nov/2005:16:38:12 +0300] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 303
    [11/Nov/2005:16:38:13 +0300] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 303

    Like the article said at the beginning of this thread... who knows what else could have been installed since the initial infection
    %42%75%75%75%75%72%70%21%00
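The log excerpt above (and the_JinX's remark about filtering Apache logs for infected hosts) is exactly the kind of thing a small log filter can pick out automatically. The following is an added example, not code from any poster or from the Symantec/SANS write-ups: it parses Apache combined-format lines, treats a source that POSTs to several different guessed `xmlrpc.php` install paths as a scanner (a legitimate XML-RPC client talks to one known endpoint), and separately lists any `xmlrpc.php` POST that was answered with a 2xx, since that means an endpoint really exists and the request reached application code. The sample lines are constructed; the client IPs are RFC 5737 documentation addresses and the paths mirror the ones quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample log in Apache combined format. Client IPs are RFC 5737
# documentation addresses (placeholders, not real hosts); the request paths
# follow the probe sequence quoted in the post above.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2005:16:38:02 +0300] "POST /xmlrpc.php HTTP/1.1" 404 296 "-" "-"
192.0.2.10 - - [11/Nov/2005:16:38:03 +0300] "POST /blog/xmlrpc.php HTTP/1.1" 404 301 "-" "-"
192.0.2.10 - - [11/Nov/2005:16:38:04 +0300] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 308 "-" "-"
192.0.2.10 - - [11/Nov/2005:16:38:05 +0300] "POST /drupal/xmlrpc.php HTTP/1.1" 404 303 "-" "-"
192.0.2.10 - - [11/Nov/2005:16:38:07 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 306 "-" "-"
198.51.100.7 - - [11/Nov/2005:16:40:12 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [11/Nov/2005:16:41:00 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2005:16:41:01 +0300] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request
# line (method + path), status and response size. Anything after that is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_probe(rec):
    """True for a POST whose path is some */xmlrpc.php."""
    return rec["method"] == "POST" and rec["path"].lower().endswith("/xmlrpc.php")


def analyse(log_text, min_paths=3):
    """Return (scanners, hits).

    scanners: {ip: sorted list of distinct xmlrpc.php paths} for every source that
              POSTed to at least min_paths different xmlrpc.php locations. Walking a
              list of guessed install directories is the worm's signature; a real
              XML-RPC client posts to one known endpoint.
    hits:     [(ip, path)] for xmlrpc.php POSTs answered with a 2xx. Those reached a
              real endpoint and are the ones worth reviewing on the host itself.
    """
    paths_by_ip = defaultdict(set)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_probe(rec):
            continue
        paths_by_ip[rec["ip"]].add(rec["path"])
        if 200 <= rec["status"] < 300:
            hits.append((rec["ip"], rec["path"]))
    scanners = {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_paths}
    return scanners, hits


if __name__ == "__main__":
    scanners, hits = analyse(SAMPLE_LOG)
    for ip, paths in scanners.items():
        print(f"scanner {ip}: {len(paths)} distinct xmlrpc.php paths probed")
    for ip, path in hits:
        print(f"review: {ip} got a 2xx on {path}")
```

On a real server you would feed it the access log on stdin instead of the constructed sample; the scanner list is the set of hosts the_JinX describes finding, and the hit list tells you whether any of those probes landed on an installed `xmlrpc.php` rather than a 404.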

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Have a look here: http://isc.sans.org/diary.php?storyid=823

    You'll see lots of similarities.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Great link SirDice,
    xml-rpc for php is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. When exploited, this could compromise a vulnerable system. Most of these packages should have xml-rpc for php vulnerability fixed in the latest version. If you are still running an old version, you should get it updated immediately.
    Funny thing is that this hole is (was) already widely known..

    The CMS I use has been patched for this since August, for example..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
