Posted on 11/07/2005 6:00:27 PM PST by Bush2000
New worm targets Linux systems
By Joris Evers
Staff Writer, CNET News.com
Published: November 7, 2005, 5:12 PM PST
A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, warned antivirus companies on Monday.
The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."
Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.
A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.
The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.
The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.
McAfee rates Lupper as a low risk. Symantec, which calls the worm Plupii, rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.
Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.
You're fired.
Did you read the solutions to those (according to Secunia) unpatched problems? Half of them are a joke!
"Solution: Ensure that systems have up-to-date anti-virus and spyware detection software installed"
"Solution: Restrict physical access to vulnerable systems. Disable USB support"
"Solution: Connect only to terminal services over trusted networks"
"Solution: Do not open untrusted ".mdb" database files"
"Solution: Don't view or process untrusted EMF files"
"Solution: Grant only trusted users access to affected systems"
heehee. At the end of each they should put "DUH!"!!!
Rule number one: no network is any more secure than the netadmin makes it, period. No matter what they run. I'll stick with MS. If the router is configured properly, then your boss has no worries in any case.
LOL! Mom, I'm gonna get you!
That's probably a large part of it. There's also a religious aspect to it, though -- there's lots of folks who hate the infidel Microsoft.
If/as Linux becomes more pervasive, I think there will be many more nasty bugs written for it.
Has anyone on this board said this? Or is this just an attempt to misstate the position of people here?
You'll excuse me but the person between the two of you who spends more time and effort to attack an operating system is not Leapfrog so your attempts to smear him as a zealot seem misplaced and somewhat ironic.
You realize, of course, that FreeRepublic runs on Linux?
Rule Number 1: Most serious incidents occur from the inside, not outside.
Or can someone explain why Google runs all of its site on Linux?
Or why Yahoo! runs its site on FreeBSD?
I think your math is a little off.....
Secunia, this site you're so gung-ho on showing us that rips apart the arguments to use Windows Server 2003, and instead use Gentoo Linux....
Windows Server 2003 has 79 vulnerabilities on their site, while Gentoo has over 700!!!!
Seems like someone's not paying attention.
Windows Server 2003 is a very good environment. Period. I challenge you to show me a point where Windows Server 2003 is severely deficient in the product offerings. Not just "well, it's MS, so it has to stink". Not the religious arguments. If you haven't used it, then you need to stop blasting it. It's got a LOT of nice features.
I haven't used the Gentoo Linux build, but from the numbers you've shown, they look like a major danger as opposed to MS.
So, please stop the religious attacks on the MS/Linux wars. It doesn't help your side to post junk like that.
Paul
Windows 2003: "Currently, 8 out of 71 Secunia advisories, is marked as "Unpatched" in the Secunia database."
Gentoo: "Currently, 0 out of 746 Secunia advisories, is marked as "Unpatched" in the Secunia database."
Of course given the differences in the licensing and, more importantly, the packaging of Linux distributions versus how Microsoft does theirs, it's really hard to compare 'Linux' and Windows on a one for shot. But I've seen both camps use Secunia, CERT and other such numbers in a way anyone even close to even tempered on the subject should abhor.
Read for comprehension. Where did I say that?