On 7 Nov 2005 at 15:13, Antonio Olivares wrote:

> --- James Kosin <jkosin@xxxxxxxxxxxxxxxxxx> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >
> > Antonio Olivares wrote:
> >
> > >Dear List,
> > >   A strange worm is going around the web.  It attacks
> > >some vulnerabilities in PHP.
> > >

There is a current very nasty probe going around which combines some
perl and php vulnerabilities. The problem is not in either Linux or
Apache, but in perl or php scripts added on by the webmasters.

It first probes 13 locations in which "awstats.pl" could reside, then
tries 16 variants of "xmlrpc.php" probes, finishing up with a couple
dozen locations for "hints.pl". If any of these probes are successful,
it does a wget to download the trojan from a malware site.

If you have not updated the applicable programs, it is a matter of
short time before your box starts calling home to the malware site.
Updates allegedly exist for each vulnerable script.

The website http://isc.sans.org did a very thorough writeup on this
yesterday and everyone running these scripts should check that page
for details:

http://isc.sans.org/diary.php?date=2005-11-05

See http://www.frsirt.com/english/advisories/2005/0750 for details on
the webhints problem (other languages besides English are available)

See http://secunia.com/advisories/14299/ on the awstats.pl
vulnerability

As regards xmlrpc.php, from
http://isc.sans.org/diary.php?date=2005-11-05 :

> You can find the details of the vulnerability at:
> http://www.gulftech.org/?node=research&article_id=00088-07022005
> http://www.securityfocus.com/bid/14088/
> http://secunia.com/advisories/15852/
>
> For a list of vulnerable applications, please refer to:
> http://www.securityfocus.com/bid/14088/info
> http://www.osvdb.org/17793
>
> If you are running a vulnerable version, you are advised to upgrade immediately:
> http://www.securityfocus.com/bid/14088/solution

Hope this helps.

benm
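
Added example, not part of the original message: a log check for the probe sequence described above, flagging clients that request more than one of the three script names and listing any path that answered with 200 (a script that exists and should be checked against the advisories). The log format (Apache common/combined), the function name `find_probe_sources`, the threshold and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Script names taken from the post; the probe tries them in this order.
PROBE_SCRIPTS = ("awstats.pl", "xmlrpc.php", "hints.pl")

# Apache common/combined format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_probe_sources(lines, min_families=2):
    """Return {ip: {"families": [...], "answered": [...]}} for clients that
    requested at least `min_families` of the three script names."""
    seen = defaultdict(lambda: {"families": set(), "answered": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]          # drop the query string
        # Compare only the last path segment, so any directory matches.
        name = path.rsplit("/", 1)[-1].lower()
        if name in PROBE_SCRIPTS:
            rec = seen[m["ip"]]
            rec["families"].add(name)
            if m["status"] == "200":               # script exists at this path
                rec["answered"].add(path)
    return {
        ip: {"families": sorted(r["families"]), "answered": sorted(r["answered"])}
        for ip, r in seen.items() if len(r["families"]) >= min_families
    }

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2005:03:12:01 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 210',
    '192.0.2.10 - - [06/Nov/2005:03:12:02 +0000] "GET /stats/awstats.pl HTTP/1.0" 404 210',
    '192.0.2.10 - - [06/Nov/2005:03:12:05 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 512',
    '192.0.2.10 - - [06/Nov/2005:03:12:09 +0000] "GET /cgi-bin/hints.pl HTTP/1.0" 404 210',
    '198.51.100.7 - - [06/Nov/2005:03:20:00 +0000] "GET /awstats/awstats.pl?config=example HTTP/1.1" 200 9000',
    '198.51.100.7 - - [06/Nov/2005:03:20:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, info in find_probe_sources(SAMPLE_LOG).items():
        print(ip, info["families"], "answered:", info["answered"])
```

A client that only fetches one of the scripts, such as a visitor viewing a statistics page, stays below the default threshold and is not reported.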