XML-RPC worm

Matt Mets matt.mets at gmail.com
Tue Nov 8 17:44:23 MST 2005


> Affected systems will need to be wiped and have the OS
> reinstalled, in most cases.

um, this would be affected systems that didn't know how to set their
web server permissions correctly I assume?  you think that any decent
install would do that... I'll check the Gentoo tonight (which would
probably have been patched a long time ago anyway), but it doesn't seem
to make a whole lot of sense to me.

I mean come on, you don't have to reinstall an OS to do this stuff...
that's crazy talk.  This is Unix, man, there isn't a registry to screw
up...  just reinstall the frigging webserver if you have to.

On 11/8/05, Kevin <plug-discuss at firstpacket.com> wrote:
>
> Just noticed this on securityfocus.com.  Thought I would share it with
> the group.
>
> http://securityfocus.com/brief/38
>
> A new Linux worm is crawling the web looking for a large number of
> vulnerable PHP systems and applications. The worm, known as Linux.Plupii
> (Symantec) or Linux/Lupper.worm (McAfee), is rated as a Category 2 worm
> by Symantec, while McAfee considers the risk "low." The worm installs a
> Trojan using wget and the attack allows for arbitrary code execution
> under the privileges of the web server user.
>
> The worm exploits PHP based vulnerabilities discovered back in June, and
> affects a large number of PHP web applications that use XML-RPC. The
> Trojan makes simple requests to web servers running on port 80 and the
> attack has been well documented by SANS. Unpatched systems are ripe for
> exploitation. Affected systems will need to be wiped and have the OS
> reinstalled, in most cases.
>
> The report comes on the heels of a new PHP release that addresses more
> security issues. Readers are also reminded of the Perl-based Santy worm
> and its variants as an indication that web-based worms that target Linux
> and Unix applications are becoming much more commonplace.
>
> ...Kevin

