Re: Linux worm crawls the web, what to do to protect our systems

On 7 Nov 2005 at 15:13, Antonio Olivares wrote:

> 
> 
> --- James Kosin <jkosin@xxxxxxxxxxxxxxxxxx> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >  
> > Antonio Olivares wrote:
> > 
> > >Dear List,
> > > A strange worm is going around the web. It attacks
> > >some vulnerabilities in PHP.
> > >

There is a current very nasty probe going around which combines 
some perl and php vulnerabilities. The problem is not in either 
Linux or Apache, but in perl or php scripts added on by the 
webmasters. 

It first probes 13 locations in which "awstats.pl" could reside, then 
tries 16 variants of "xmlrpc.php" probes, finishing up with a couple 
dozen locations for "hints.pl". If any of these probes are successful, 
it does a wget to download the trojan from a malware site.

If you have not updated the applicable programs, it is a matter of 
short time before your box starts calling home to the malware site. 
Updates allegedly exist for each vulnerable script.

The website http://isc.sans.org did a very thorough writeup on this 
yesterday and everyone running these scripts should check that 
page for details:

http://isc.sans.org/diary.php?date=2005-11-05 

See http://www.frsirt.com/english/advisories/2005/0750 for details 
on the webhints problem (other languages besides English are 
available).

See http://secunia.com/advisories/14299/ on the awstats.pl 
vulnerability

As regards xmlrpc.php, from 
http://isc.sans.org/diary.php?date=2005-11-05 :

> You can find the details of the vulnerability at:
> http://www.gulftech.org/?node=research&article_id=00088-07022005
> http://www.securityfocus.com/bid/14088/
> http://secunia.com/advisories/15852/
> 
> For a list of vulnerable applications, please refer to:
> http://www.securityfocus.com/bid/14088/info
> http://www.osvdb.org/17793
> 
> If you are running a vulnerable version, you are advised to upgrade immediately:
> http://www.securityfocus.com/bid/14088/solution

Hope this helps.

benm
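As an added example that is not part of the post above or of any of the advisories it links, the following script turns the probe pattern benm describes (a run of requests for awstats.pl, xmlrpc.php and hints.pl in many candidate locations) into a check a webmaster can run over an Apache access log. It parses combined-format lines, groups requests for those three script names by source address, flags sources that walked several candidate paths, and separately lists any probe that the server answered with a 2xx, since a 2xx means the script actually exists on that box and its version should be checked against the linked advisories. The log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Script names the post says the worm probes for; the detection
# logic here is an added example, not code from the worm or from
# any of the linked advisories.
PROBED_SCRIPTS = ("awstats.pl", "xmlrpc.php", "hints.pl")

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one source walking candidate paths for all
# three scripts, one benign visitor, and one lone hit on an existing
# xmlrpc.php. Addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2005:03:12:01 +0000] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 292
203.0.113.7 - - [06/Nov/2005:03:12:02 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 292
203.0.113.7 - - [06/Nov/2005:03:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Nov/2005:03:12:04 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 292
203.0.113.7 - - [06/Nov/2005:03:12:05 +0000] "GET /cgi-bin/hints.pl HTTP/1.1" 404 292
198.51.100.4 - - [06/Nov/2005:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 1843
198.51.100.4 - - [06/Nov/2005:03:15:11 +0000] "GET /images/logo.png HTTP/1.1" 200 9021
192.0.2.9 - - [06/Nov/2005:04:01:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 512
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string: only the script name matters for this check.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def probed_script(path):
    """Return the matching probed script name for a request path, else None."""
    name = path.rsplit("/", 1)[-1].lower()
    return name if name in PROBED_SCRIPTS else None


def scan(log_text, min_paths=3):
    """Summarise probe activity.

    Returns (scanners, served):
      scanners: ip -> {"paths": set, "scripts": set, "hits": list} for sources
                that requested at least `min_paths` distinct candidate paths
                (the location-walking behaviour the post describes);
      served:   ip -> list of probed paths the server answered with 2xx,
                i.e. scripts that really exist here and need a version check.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "scripts": set(), "hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        script = probed_script(rec["path"])
        if script is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        entry["scripts"].add(script)
        if 200 <= rec["status"] < 300:
            entry["hits"].append(rec["path"])
    scanners = {ip: e for ip, e in per_ip.items() if len(e["paths"]) >= min_paths}
    served = {ip: e["hits"] for ip, e in per_ip.items() if e["hits"]}
    return scanners, served


if __name__ == "__main__":
    scanners, served = scan(SAMPLE_LOG)
    for ip, e in scanners.items():
        print(f"{ip}: walked {len(e['paths'])} candidate paths for {sorted(e['scripts'])}")
    for ip, hits in served.items():
        print(f"{ip}: server answered 2xx for {hits} -- check these scripts' versions")
```

Run it against a real log with `scan(open("/var/log/httpd/access_log").read())`; the `min_paths` threshold is a constructed default and should be tuned to the site, and a 404 on every probe does not make a box safe if the scripts live somewhere the worm did not look but a later variant might.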


