Re: XML-RPC worm

Author: Matt Mets
Date:  
To: plug-discuss, Main PLUG discussion list
Subject: Re: XML-RPC worm
> Affected systems will need to be wiped and have the OS
> reinstalled, in most cases.


Um, this would be affected systems that didn't know how to set their
web server permissions correctly, I assume? You think that any decent
install would do that... I'll check the Gentoo tonight (which would
probably have been patched a long time ago anyway), but it doesn't seem
to make a whole lot of sense to me.

I mean come on, you don't have to reinstall an OS to do this stuff...
that's crazy talk. This is Unix, man, there isn't a registry to screw
up... just reinstall the frigging webserver if you have to.

On 11/8/05, Kevin <> wrote:
>
> Just noticed this on securityfocus.com. Thought I would share it with
> the group.
>
> http://securityfocus.com/brief/38
>
> A new Linux worm is crawling the web looking for a large number of
> vulnerable PHP systems and applications. The worm, known as Linux.Plupii
> (Symantec) or Linux/Lupper.worm (McAfee), is rated as a Category 2 worm
> by Symantec, while McAfee considers the risk "low." The worm installs a
> Trojan using wget and the attack allows for arbitrary code execution
> under the privileges of the web server user.
>
> The worm exploits PHP based vulnerabilities discovered back in June, and
> affects a large number of PHP web applications that use XML-RPC. The
> Trojan makes simple requests to web servers running on port 80 and the
> attack has been well documented by SANS. Unpatched systems are ripe for
> exploitation. Affected systems will need to be wiped and have the OS
> reinstalled, in most cases.
>
> The report comes on the heels of a new PHP release that addresses more
> security issues. Readers are also reminded of the Perl-based Santy worm
> and its variants as an indication that web-based worms that target Linux
> and Unix applications are becoming much more commonplace.
>
> ...Kevin
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
