Linux worm crawls the web, what to do to protect our systems
benm at dsl-only.net
Mon Nov 7 23:54:16 UTC 2005
On 7 Nov 2005 at 15:13, Antonio Olivares wrote:
> --- James Kosin <jkosin at beta.intcomgrp.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> > Antonio Olivares wrote:
> > >Dear List,
> > > A strange worm is going around the web. It attacks
> > >some vulnerabilities in PHP.
> > >
There is a current very nasty probe going around which combines
some Perl and PHP vulnerabilities. The problem is not in either
Linux or Apache, but in Perl or PHP scripts added on by the
It first probes 13 locations in which "awstats.pl" could reside, then
tries 16 variants of "xmlrpc.php" probes, finishing up with a couple
dozen locations for "hints.pl". If any of these probes are successful,
it does a wget to download the trojan from a malware site.
If you have not updated the applicable programs, it is a matter of
a short time before your box starts calling home to the malware site.
Updates allegedly exist for each vulnerable script.
The website http://isc.sans.org did a very thorough writeup on this
yesterday and everyone running these scripts should check that
page for details:
See http://www.frsirt.com/english/advisories/2005/0750 for details
on the webhints problem (other languages besides English are
See http://secunia.com/advisories/14299/ on the awstats.pl
As regards xmlrpc.php, from
> You can find the details of the vulnerability at:
> For a list of vulnerable applications, please refer to:
> If you are running a vulnerable version, you are advised to upgrade immediately:
Hope this helps.
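
The probe pattern described in the message above (one client trying many locations for awstats.pl, xmlrpc.php and hints.pl) can be looked for in a web server access log. The following is an added example, not part of the original post; the Apache common/combined log format, the constructed sample lines and their paths, and the `min_paths` threshold are assumptions.

```python
import re
from collections import defaultdict

# Script names the message says the probe requests.
PROBED = ("awstats.pl", "xmlrpc.php", "hints.pl")
# Assumed Apache common/combined format: host ident user [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) ')

def scan(lines, min_paths=3):
    """Return {client: report} for clients that requested the probed
    scripts under at least min_paths distinct locations."""
    seen = defaultdict(lambda: defaultdict(set))   # client -> script -> paths
    hits = defaultdict(set)                        # client -> paths answered 2xx
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                               # not a parseable request line
        client, url, status = m.groups()
        path = url.split("?", 1)[0]                # ignore the query string
        name = path.rsplit("/", 1)[-1].lower()
        if name in PROBED:
            seen[client][name].add(path)
            if status.startswith("2"):
                hits[client].add(path)
    report = {}
    for client, scripts in seen.items():
        total = sum(len(paths) for paths in scripts.values())
        if total >= min_paths:
            report[client] = {
                "scripts": sorted(scripts),
                "distinct_paths": total,
                "answered": sorted(hits[client]),  # script exists here: check its version
            }
    return report

# Constructed sample log lines (documentation-range addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [07/Nov/2005:10:00:01 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 208',
    '192.0.2.10 - - [07/Nov/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 208',
    '192.0.2.10 - - [07/Nov/2005:10:00:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/Nov/2005:10:00:04 +0000] "GET /cgi-bin/hints.pl HTTP/1.1" 404 208',
    '198.51.100.7 - - [07/Nov/2005:10:05:00 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2005:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, info in scan(SAMPLE).items():
        print(client, info)
```

Any path listed under "answered" is a location where the probed script actually exists on the server, so that installation is the one to check against the updates mentioned above.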