XML-RPC worm

Kevin plug-discuss at firstpacket.com
Tue Nov 8 16:22:42 MST 2005


Just noticed this on securityfocus.com.  Thought I would share it with
the group.

http://securityfocus.com/brief/38

A new Linux worm is crawling the web looking for a large number of
vulnerable PHP systems and applications. The worm, known as Linux.Plupii
(Symantec) or Linux/Lupper.worm (McAfee), is rated as a Category 2 worm
by Symantec, while McAfee considers the risk "low." The worm installs a
Trojan using wget and the attack allows for arbitrary code execution
under the privileges of the web server user.

The worm exploits PHP-based vulnerabilities discovered back in June, and
affects a large number of PHP web applications that use XML-RPC. The
Trojan makes simple requests to web servers running on port 80 and the
attack has been well documented by SANS. Unpatched systems are ripe for
exploitation. Affected systems will need to be wiped and have the OS
reinstalled, in most cases.

The report comes on the heels of a new PHP release that addresses more
security issues. Readers are also reminded of the Perl-based Santy worm
and its variants as an indication that web-based worms that target Linux
and Unix applications are becoming much more commonplace. 

...Kevin





