New worm targets Linux systems

CNET News.com ^ | November 7, 2005, 5:12 PM PST | Joris Evers

[Bush2000]

New worm targets Linux systems
By Joris Evers
Staff Writer, CNET News.com
Published: November 7, 2005, 5:12 PM PST

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, warned antivirus companies on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script, no fixes are available for the script, according to Symantec's DeepSight Alert Services.

McAfee rates Lupper as a low risk. Symantec, which calls the worm Plupii, rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.

[JoJo Gunn]

But of course you don't care, sugah. That's why you post these type threads, right?

Start acting like a man, instead of an estrogen crazed shill, and you'll be treated accordingly.

Nighty night....

[MikefromOhio]

LOL who put "gatesbot2000" into the keywords?


LOL

[Utopia]

I've been inside the beast. I know what's its like. MS does not believe in QA or testing. The most shocking thing I encountered was the total lack of engineering discipline.

[Knitebane]

We can agree to disagree on any number of subjects, without taking out the long knives ...

You don't seem to be able to, considering the number of times you've had posts pulled for reasons varying from personal attacks to copyright infringement.

But that's about what one would expect of a thief anyway.

Tell it to McAfee. This worm is listed as "Linux/Lupper.worm". It's a derivative of "Linux/Slapper". It has been found in the wild, and there's no evidence that it attacks Windows-based web servers at all.

Actually, there's quite a bit of evidence that Lupper runs on FreeBSD provided that all of the requirements are met. Likewise on Win2K3 running Cygwin. But let's not let the facts get in the way of your rant, shall we?

One more time for the slow people. Linux is a kernel. This worm has nothing to do with the kernel.

This worm uses broken code in a couple of applications that usually are only seen on Linux systems, but can run on any system that has certain requirements, a Linux kernel not being one of them.

[Bush2000]

I've been inside the beast. I know what's its like.

Where, exactly, did you work?

MS does not believe in QA or testing.

That's interesting. I'll have to inform some of my friends at M$ that work in QA that they're just figments of M$'s imagination. /SARCASM

The most shocking thing I encountered was the total lack of engineering discipline.

You really don't know what you're talking about. I'd be surprised if you were anything other than an entry level guy that washed out...

[Bush2000]

But that's about what one would expect of a thief anyway.

A thief? LMFAO! Yeahhhhh, rrrright. You've already tried and failed to sell the notion that downloading pics of your medieval freakshow from a publicly accessible website is "stealing". It ain't. Unless you consider downloading public content from FR or Amazon or Dell or CNET "stealing". What a maroon.

Actually, there's quite a bit of evidence that Lupper runs on FreeBSD provided that all of the requirements are met. Likewise on Win2K3 running Cygwin.

Then you shouldn't have any problem referencing here, then. Provide a link.

One more time for the slow people. Linux is a kernel. This worm has nothing to do with the kernel.

Keep flogging that strawman. Clue phone: Nobody ever said that it had anything to do with the kernel, lightweight.

This worm uses broken code in a couple of applications that usually are only seen on Linux systems, but can run on any system that has certain requirements, a Linux kernel not being one of them.

Again, read for comprehension. There's no evidence that it affects alternate platforms.

[Knitebane]

Unless you consider downloading public content from FR or Amazon or Dell or CNET "stealing". What a maroon.

Except it was never public content. At no point were you given permission to use it publicly.

There is no difference in you possessing one of my copyrighted images and me possessing a Warez version of Windows XP.

Keep flogging that strawman. Clue phone: Nobody ever said that it had anything to do with the kernel, lightweight.

You need to buy a dictionary, dolt.

I'll use small words, since I know you're stupid.

Linux = kernel
Distro = kernel + userland apps

Saying that this is a Linux worm is like saying that a vulnerability in Adobe Photoshop is a Windows problem.

But keep flapping away. I'm enjoying watching you act like a fool.

[Bush2000]

Saying that this is a Linux worm is like saying that a vulnerability in Adobe Photoshop is a Windows problem.

I never "possessed" any of your copyrighted images (as if I'd want to have a keepsake of your wedding freakshow, anyway). You were idiotic enough to put them in a publicly accessible location, and Google linked to them.

Saying that this is a Linux worm is like saying that a vulnerability in Adobe Photoshop is a Windows problem.

Go whine to McAfee. They list it as a Linux worm because it affects the Linux platform.

[N3WBI3]

Then you shouldn't have any problem referencing here, then. Provide a link.

Here

[Bush2000]

I ask for a link justifying the claim -- and you provide some random blog? LMFAO! That could be your blog -- or somebody you know. Try producing a credible link.

[Knitebane]

Go whine to McAfee. They list it as a Linux worm because it affects the Linux platform.

McAffee has a vested interest in keeping up the myth of the Linux worm. In the post-Windows era, they'll be hard pressed to find a market.

Much like you.

[js1138]

One more time for the slow people. Linux is a kernel. This worm has nothing to do with the kernel.

And worms that attack Outlook Express, IE, or Word have nothing to do with Windows.

If these apps are insecure, there are alternatives available for free.

[Knitebane]

Outlook Express and IE come with Windows and cannot be completely uninstalled. That makes it Microsoft's problem and properly a Windows problem.

Word is a different issue, of course. But then, Word macro viruses are listed as exactly that, not as a Windows problem.

This is being listed as a Linux problem, when it does not ship with any recent version of a Linux distro, isn't installed by default on any Linux distro and will actually run on any OS that will run PHP.

If someone writes an ASP based app, it doesn't ship with the Windows CD, and there is an exploit for it is it a Windows problem? Of course not. Likewise, this worm isn't a Linux problem.

[js1138]

Outlook Express and IE come with Windows and cannot be completely uninstalled. That makes it Microsoft's problem and properly a Windows problem.

No one needs to use IE for anything other than downloading Firefox or Opera.

No one ever needs to use Outlook or Outlook Express, ever.

Besides, the whole thing is overblown. In twenty years of doing IT work on MS platforms I've only seen one infection get past a virus scanner, and that was Melisa, a Word virus. It was painful for a few days, but destroyed nothing.

[Knitebane]

No one needs to use IE for anything other than downloading Firefox or Opera.

No one ever needs to use Outlook or Outlook Express, ever.

Heck, just go the next step...

No one ever needs to use Windows, ever.

:)

Besides, the whole thing is overblown. In twenty years of doing IT work on MS platforms I've only seen one infection get past a virus scanner, and that was Melisa, a Word virus. It was painful for a few days, but destroyed nothing.

I watched Slammer rip through networks and take them down. It cost several customers more than a few million dollars in lost revenue, a few hundred thousand in T&E expenses for contracted services and probably a couple hundred for Tums.

All because of a security hole that had been patched and the next MS patch removed the previous one.

[js1138]

I watched Slammer rip through networks and take them down.

I ran a couple of networks during that period. There was nothing that could get through even a simple firewall.

[MadIvan]

No one ever needs to use Windows, ever.

I'll tell my story. I had a good laptop - Intel Centrino 1.5 Ghz, 1.2 GB of RAM, ATI Mobility Radeon 9200 with 64 MB of Video RAM...it came with XP pre-installed. Service Pack 2 killed it. It was taking 5 minutes to boot. I did a clean install to see if that would improve matters. It didn't. I sent it to an authorised service centre to do diagnostics on it. The laptop passed with flying colours.

I put Ubuntu Linux on it. It runs fine now - Opera on Linux is a fantastic web browser.

The Microsoft supporting bastards can spew idiocy all they like - but those who have practical experience like this know the truth. They can lie and hem and haw all they want, but in the final analysis, more people are going to discover this.

Regards, Ivan

[js1138]

I've built XP systems that boot in 15 seconds from power on. I'm not disputing your story, but a well designed computer -- not an expensive one -- will not thave that problem.

Laptops are always slower than desktops with the same nominal specs, but I'm talking about PCs costing under $600 with retail Windows installed.

The problem with Dell and other brands that preinstall Windows is not windows, but the adware the manufacturer installs. I've seen Dell computers take minutes to boot. They aren't booting Windows; they are installing a bunch of crap demo programs.

[MadIvan]

With XP Service Pack 1, the boot time wasn't a problem, but SP 2 just destroyed it, for whatever reason. As I said, I tried a clean install.

I do have faster machines which I have kept XP on, but for how long is this going to function well - when Vista comes, is that going to be the breaking point as SP 2 was for my laptop?

Regards, Ivan

[js1138]

I've put SP2 on a hundred machines with no trouble at all. I don't doubt your story, because I have seen slow XP machines, but none after I have cleaned them up. All the slow machines I have seen have been Dell or Gateway. None that I have built or modified.

Dell puts the most amazing array of crapware on their machines. It's cheaper for my clients to reinstal with a retail copy of windows than to have me remove all the adware that slows these machines down.