XML-RPC worm

Kenneth madhse at yahoo.com
Wed Nov 9 00:05:42 MST 2005


I assumed this meant systems that had been compromised would have to be
re-installed.  Not a precise choice of words on their part.

--- Matt Mets <matt.mets at gmail.com> wrote:

> > Affected systems will need to be wiped and have the OS
> > reinstalled, in most cases.
> 
> um, this would be affected systems that didn't know how to set their
> web server permissions correctly I assume?  you think that any decent
> install would do that... I'll check the gentoo tonight (which would
> probably have been patched a long time ago anyway), but it doesn't seem
> to make a whole lot of sense to me.
> 
> I mean come on, you don't have to reinstall an os to do this stuff...
> that's crazy talk.  This is unix, man, there isn't a registry to screw
> up...  just reinstall the frigging webserver if you have to.
> 
> On 11/8/05, Kevin <plug-discuss at firstpacket.com> wrote:
> >
> > Just noticed this on securityfocus.com.  Thought I would share it with
> > the group.
> >
> > http://securityfocus.com/brief/38
> >
> > A new Linux worm is crawling the web looking for a large number of
> > vulnerable PHP systems and applications. The worm, known as Linux.Plupii
> > (Symantec) or Linux/Lupper.worm (McAfee), is rated as a Category 2 worm
> > by Symantec, while McAfee considers the risk "low." The worm installs a
> > Trojan using wget and the attack allows for arbitrary code execution
> > under the privileges of the web server user.
> >
> > The worm exploits PHP based vulnerabilities discovered back in June, and
> > affects a large number of PHP web applications that use XML-RPC. The
> > Trojan makes simple requests to web servers running on port 80 and the
> > attack has been well documented by SANS. Unpatched systems are ripe for
> > exploitation. Affected systems will need to be wiped and have the OS
> > reinstalled, in most cases.
> >
> > The report comes on the heels of a new PHP release that addresses more
> > security issues. Readers are also reminded of the Perl-based Santy worm
> > and its variants as an indication that web-based worms that target Linux
> > and Unix applications are becoming much more commonplace.
> >
> > ...Kevin
> >
> >
> >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change  you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> 



		