November 7, 2005 5:12 PM PST

New worm targets Linux systems

A new worm that propagates by exploiting security vulnerabilities in scripts hosted on Web servers is attacking Linux systems, antivirus companies warned on Monday.

The worm spreads by probing Web servers for susceptible scripts at well-known paths, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software that bundles the XML-RPC for PHP library, and was discovered earlier this year. Patches are available for most affected packages. AWStats is a Web log analyzer; a fix for its flaw has been available since February. Darryl Burgdorf's Webhints is a hint-generation script; no fix is available for it, according to Symantec's DeepSight Alert Services.
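The AWStats and Webhints entries above are both cases of a CGI parameter reaching a command interpreter without validation. The Python below is an added illustration of that bug class and its fix; it is not AWStats's or Webhints's code (both are Perl scripts), and the `logfile` parameter name, the `cat` command and the `/var/log/httpd` directory are assumed for the example. The vulnerable builder returns the shell command string rather than executing it, and `shell_command_list` shows how a POSIX shell would split that string into separate commands:

```python
import re
import shlex
import subprocess

# Assumed for the example: a CGI script takes a "logfile" query parameter and
# hands it to a system utility. This is the bug class, not AWStats's or
# Webhints's own (Perl) code.
LOG_DIR = "/var/log/httpd"


def build_command_vulnerable(logfile: str) -> str:
    """Vulnerable: the parameter is spliced into a shell command string.
    It is returned rather than executed so the example is safe to run."""
    return f"cat {LOG_DIR}/{logfile}"


def shell_command_list(cmd: str) -> list:
    """Tokenise cmd the way a POSIX shell would and split it into the simple
    commands the shell would run. Models the ';', '|' and '&' separators only,
    not $(...) or backtick substitution."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Allowlist: a plain file name, no path separators, no leading dot
# (which also rules out "." and "..").
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def build_command_hardened(logfile: str) -> list:
    """Hardened: validate against the allowlist and build an argv list, so the
    value is only ever a single argument and no shell interprets it."""
    if not _SAFE_NAME.match(logfile):
        raise ValueError(f"rejected logfile parameter: {logfile!r}")
    return ["cat", f"{LOG_DIR}/{logfile}"]


def hardened_rejects(logfile: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_command_hardened(logfile)
    except ValueError:
        return True
    return False


def run_hardened(logfile: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(build_command_hardened(logfile),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for payload in ("access_log", "access_log;id", "access_log|id"):
        cmd = build_command_vulnerable(payload)
        print(f"{payload!r}: shell runs {shell_command_list(cmd)}, "
              f"hardened rejects: {hardened_rejects(payload)}")
```

A rejected value is worth logging together with the client address: probes of this kind are sent blindly, so one rejection usually means the host is being scanned for all three scripts.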

McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.
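For anyone checking whether a server has already been probed by a worm of this kind, the following Python (an added example, not part of the article and not McAfee's or Symantec's detection signatures) scans Apache combined-format access log lines for requests aimed at the three exploited components. The script names `xmlrpc.php`, `awstats.pl` and `hints.pl` are assumptions based on the products named above, not request patterns taken from the page; the parameter names and the log lines are constructed for the example. Because the XML-RPC payload travels in a POST body that the access log does not record, a POST to that endpoint is reported as a lead rather than a confirmed exploit:

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format, prefix only (referer and user agent are not needed).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters and helper programs that have no business in a log-file or hint
# parameter; their presence after percent-decoding is the injection marker.
_SHELL_META = re.compile(r'[;|`&$<>]|\b(?:wget|curl|lynx|perl|sh|bash)\b')

# Assumed script names for the three components named in the article.
_XMLRPC, _AWSTATS, _WEBHINTS = "xmlrpc.php", "awstats.pl", "hints.pl"


def parse_query(query: str) -> dict:
    """Split a raw query string into {name: [values]} with percent-decoding.
    Done by hand so a ';' inside a value is never mistaken for a separator."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote_plus(parts.path)
    entry["script"] = entry["path"].rsplit("/", 1)[-1].lower()
    entry["query"] = parse_query(parts.query)
    return entry


def classify(entry: dict):
    """Return (component, reason) when the request matches one of the three
    exploited components, else None."""
    script, q = entry["script"], entry["query"]
    if script == _XMLRPC:
        # The XML-RPC payload is in the POST body, which the access log does
        # not record: a POST here is a lead to chase in the PHP or error logs.
        if entry["method"] == "POST":
            return ("xmlrpc-php", "POST to XML-RPC endpoint; inspect request body or PHP logs")
    elif script in (_AWSTATS, _WEBHINTS):
        for name, values in q.items():
            for value in values:
                if _SHELL_META.search(value):
                    comp = "awstats" if script == _AWSTATS else "webhints"
                    return (comp, f"shell metacharacters in {name}={value!r}")
    return None


def scan(log_text: str) -> list:
    """Scan log text and return (ip, method, path, component, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            hits.append((entry["ip"], entry["method"], entry["path"]) + verdict)
    return hits


# Constructed sample lines (not real traffic): one client probing all three
# scripts, plus ordinary requests that must not be flagged. The "file"
# parameter on hints.pl is made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2005:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Nov/2005:14:03:55 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 200 312 "-" "-"
192.0.2.44 - - [07/Nov/2005:14:03:57 -0500] "GET /cgi-bin/awstats.pl?pluginmode=rawlog&logfile=/var/log/httpd/access_log%7Cid HTTP/1.1" 500 0 "-" "-"
192.0.2.44 - - [07/Nov/2005:14:03:59 -0500] "GET /cgi-bin/hints.pl?file=hints.txt%3Bid HTTP/1.1" 404 289 "-" "-"
192.0.2.7 - - [07/Nov/2005:14:05:02 -0500] "GET /cgi-bin/awstats.pl?config=site&month=11 HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit with a 200 response on `awstats.pl` or `hints.pl` means the injected command was probably run as the Web server user; that is the point at which Symantec's advice above applies, since a backdoor may already be in place and the host can no longer be trusted.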

137 comments

Ahh, where are all the Linux zealots now
Take a look at any news regarding Windows vulnerabilities and you'll find one posting his/her big mouth 10 minutes later.
Posted by jamie.p.walsh (288 comments )
So?
Then what's Your excuse?
Posted by Marcus Westrup (630 comments )
Re: Ahh, where are all the Linux zealots now
Hi Jamie,

This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they were running on any other operating system (including different versions of Windows & even OS/2).

And no, I am not a Linux Zealot! :-). I work on Microsoft technologies.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.
Symantec Software.
My Site: http://www.geocities.com/nerdyneel
Posted by neelbhatt (2 comments )
Linux Zealot
hahahaha!! We're standing back and watching everyone make a huge deal over exploits which have been easily patchable since the beginning of this year! It's funny how these news sites only write articles about high-risk Windows vulnerabilities, but about every low-risk Linux vulnerability that comes around. The only thing that doesn't have a patch is the Webhints package which no-one uses anyhow.

I want you to think about something:

These exploits work on systems where PHP is given elevated privileges on the system. This is not default for any out of the box Linux distro. The administrator of these systems must explicitly grant PHP elevated access to their systems to make these Wiki systems work. The admins know full well the risk they are taking when they do this, and they should know better than to leave the Wiki software unpatched.

I find it totally amazing that we have dozens of HIGH RISK Windows exploits every month that can affect a Windows box without any user intervention. And you're getting all huffy over one low risk PHP exploit that has been patched for months and only affects systems running PHP with elevated privileges?

Give me a break. I don't care what OS you're running... NO OS prevents Admin stupidity. It's nice that you think Linux is that good though, that it can even prevent a super-user from making the system vulnerable. Linux distros come secure out of the box, if an admin decides to open it up for attack, how is that the fault of Linux?
Posted by irwinr (2 comments )
Prolly...
Prolly trying to figure out how to fix this!! haha :)
Posted by (8 comments )
Hah!
And another hah! :p
Posted by Mendz (519 comments )
Take it Easy.
Linux is more secure than Windows. If you had the chance to read carefully, it refers to outdated systems; which unfortunately there are quite a few out there in the core of the internet.
Posted by Dead Soulman (245 comments )
Linux is not superior
Nice try, but Linux is *not* superior to Windows. There are very few virus writers for Linux, and a ton more for Windows.

The fact that such a serious flaw exists for Linux is just more evidence that Linux is no more secure than Windows Server systems.

Of course, when it happens on Linux, all of the Linux zealots proclaim: "Oh but it's not in the kernel", or "It's an older distribution!", or "but &lt;insert a different distro&gt; doesn't have the flaw so it's not Linux!"

Please. I'm so sick of Linux zealots and their constant BS. Thank god for stories like this one that exposes Linux for what it really is: just another OS that has its share of problems.
Posted by DrakeLoneStar (22 comments )
Outdated or unpatched?
I don't see anything in the article referring to outdated systems. If you meant unpatched systems... duh!
EVERY Windows virus in history has only applied to unpatched systems. So if you accept your logic, there were never viruses for current Windows systems!
If it was actually about outdated (i.e. non current versions) systems then that also applies to 75% of Windows flaws in the last year or so, since not many affect (or are critical on) Windows XP Service Pack 2 or Windows Server Service Pack 1.
Linux zealots would laugh at those arguments if used to defend Windows over a virus outbreak. Why try them here?
Posted by Hernys (744 comments )
If you notice Linux is still the top hacked web server
Check out www.zone-h.com; Linux defacements on average have the highest count for worldwide hacks and defacements.

IMHO
Posted by ElmerFud (2 comments )
This is one of the fundamental reasons...
... we would personally and professionally prefer OS/2 Warp and OS/2 Warp Server for e-Business. Why not ask the "Russians" why they do too!
Posted by Captain_Spock (894 comments )
Oops..
... personally and collectively.
Posted by Captain_Spock (894 comments )
Re: Linux Zealots
Uh if you actually read the article it mentions the vulnerabilities the worm exploits. None of those vulnerabilities are of Linux but rather 3rd party applications. It just so happens that the applications run on Linux.
Posted by Jenic (2 comments )
also...
any decent sysadmin won't run apache or any linux webserver as a real user, so the worst that could happen would be a lost web page, which can probably be restored fairly quickly.
Posted by theguitarizt (5 comments )
Re: You
According to the bugtraq post, at least the PHP Remote Code Injection vulnerability ships with several Linux distros.

There is a trend to say that if it impacts Linux, it is an application problem, and if it impacts Windows, it is a Windows problem.

In my opinion this is astroturfing.

I understand Linux is just a kernel, but several tools are considered part of Windows that are outside the kernel as well.

We can't fairly compare all vulns in the entire Windows platform to only the vulns in the Linux kernel.

For sake of trying to use a similar metric, I use this rule.

If it shipped with the distribution, it can be considered a vuln with GNU/Linux.

If it was not shipped with Windows or GNU/Linux, it is an application vuln.

There are obviously some gray areas with this, but in general it is a good way to stay on the same page.
Posted by Dachi (797 comments )
PHP seems like the weakest link ...
If you run PHP, you'd better take some measures like :
http://www.hardened-php.net/
Posted by My-Self (242 comments )
Security and Total Cost of Ownership!
It is rather strange that so many people around the world (including Windows and Linux users) put their "trust" in the ATMs that they use daily and for once do not consider the reliable and secure "Old Work-Horse" that is called "OS/2" that undoubtedly would present a better business value and superior Total Cost of Ownership (TCO) scenario than Linux or Windows any day for the desktop environment. Why not stop using your ATMs!
Posted by Captain_Spock (894 comments )
Rubish
I work for a major leader in the ATM industry. I can safely say that the majority of our ATMs run XENIX, a UNIX variant that was owned by M$, now owned by SCO Group. I know that my bank actually uses Windows on their ATMs. I don't know of a single ATM in my area that runs OS/2. As far as I know, there were a few viruses out that took advantage of flaws in OS/2 also. Go figure....

Also, IBM stopped supporting OS/2 a while back. Since you can't get manufacturer support, the TCO is moot. Companies want support, and even a great OS like OS/2 would fall short of expectations where newer hardware is concerned.

You might as well go back to DOS, Amiga, or any other vintage computing platform.
Posted by fireball74 (80 comments )
ATMs run Windows
The banks of course primarily DO consider TCO. This is why the vast majority of ATMS run Windows.
Posted by richto (895 comments )
Poor Guy...
...just can't come to terms with the death (long ago) of OS/2. I honestly think you post this silliness for comic relief, and it works! I crack up every time I read one of your OS/2 posts. LOL
Posted by J_Satch (571 comments )
ATMs
Having worked on ATMs for a number of years prior to getting into IT (now an MCSE but still enjoy OS/2 [since 2.0] and Linux more) I can recall Diebold ATMs running OS/2 v2.x and Fujitsu ATMs at Target stores running Microsoft OS/2 1.3! I would agree that OS/2 (now eComStation 1.2) is reliable and that is confirmed in my opinion having seen banks use Warp Server on some of their back end systems. However, I do recall some ATMs were also transitioning off OS/2...probably more due to lack of support by IBM or other pressures. My only practical criticisms of OS/2 are: there is no secure login (boots right into a desktop), the lack of drivers for many newer RAID IDE/SCSI controllers/Fibre HBAs, and lack of management in an enterprise environment. Each OS has its pros/cons and place in the grand scheme of things; we all should know by now many times the decision to use a particular OS is not always because it makes the best technical sense. I would echo others' comments indicating regardless of the OS any software required for the OS to run has to be considered part of the OS and that admins need to know how to keep their servers/workstations as secure as possible. OS/2 buff that I am I just don't see the "undoubted" TCO justification given the aforementioned criticisms not to mention the relative lack of applications.
Posted by OS2dude (1 comment )
Not impressed....
There is no such thing as a perfect piece of software.

I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicker though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.

Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.
Posted by fireball74 (80 comments )
Typical linux zealot reply
"It's not the kernel."

Well most Windows security flaws were also "not in the kernel." In fact, almost all of them revolved around the web server (IIS), or Outlook/Office (client apps.). And out of those, most had to be user initiated.

But wait, since it happened on Windows, it must all be the OS, where if it happened on Linux, it certainly isn't Linux fault since it "didn't happen in the kernel."

*Puleeze*

Stop with the BS and hypocrisy - it's getting real tiring.

People run the OS and the accompanying programs/services - not just the kernel.

The bottom line is: for people running Linux, there are security flaws, and you are at risk - regardless if it is strictly in the kernel or not.
Posted by DrakeLoneStar (22 comments )
Where is the Linux flaw?
Did I miss something?

I clicked on the story thinking I would have to update my system or something.

AWSTATS is a rather obscure piece of software. As I understand it, AWSTATS is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?

Correct me if I'm wrong. Thanks.
Posted by Johnny Mnemonic (374 comments )
bolted together bits of software
The flaw is the whole concept of Linux as bolted together pieces of software. It's a nightmare to keep systems updated, and to even be sure if a vulnerability affects you.
This is why patching and updating Windows 2003 Server based systems is so much less expensive than Linux. Also, of course, they have far fewer vulnerabilities than Linux, and those that they do have are on average fixed faster.
Posted by richto (895 comments )
It only took 10 Months to Exploit this flaw?
These virus writers need to get on the ball quicker. If it were a Windows vulnerability such a worm would have probably been released within a week of patching the flaw.
Posted by Mallardd (47 comments )
This is not a Linux Vulnerability!
This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they were running on any other operating system (including different versions of Windows & even OS/2).

Authors should select their titles more cautiously.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.

My Site: http://www.geocities.com/nerdyneel
Posted by neelbhatt (2 comments )
Does this mean Linux is mainstream
I guess this means Linux is no longer a hobby OS and is now more mainstream, and eventually flaws in the OS or the software installed on it will be exploited.
Posted by Tanjore (322 comments )
Uh huh
Ya, Linux is bigger now so people will start to take notice. But the author of this article intentionally named it wrong. This is not a Linux problem, as many of the other comments say. It's an XML problem in that certain third-party applications are being exploited. When Windows gets a flaw, it's on Windows software. No one blames Windows for a flaw in another program and we should do the same with Linux.
Posted by Jenic (2 comments )
Tension
I can't believe the amount of "I'm right and you guys suck" attitudes there are on the comments here. Windows and Linux both have their zealots. I believe both can be secured if kept updated and not run as administrator.

Small exploits have been used for years to compromise web servers running Linux, FreeBSD, etc. Same thing said for Windows of all flavors.

If you really worry about security then why not run OpenBSD? It's geared towards security and you could easily pop a nice GUI-based administration on it to have an easy to administer server.

I am a bit more inclined to use a Linux server than a Windows one though. Linux has a lot more administrative abilities than Windows. Windows has never made it particularly easy to find hidden processes. Windows also doesn't provide as much choice as you might want for a dedicated server. You tend to run too many services on a Windows server and it takes a lot of tweaking to get it perfect. Perhaps Vista will solve this with their custom install options.

Some Linux distributions on the other hand don't assume you want a lot of useless apps installed. Just install Debian Sarge with nothing but a firewall and Apache for a web server. You save a lot of disk space and time.

Go with what works for you but I do like to save money by not paying for Windows or Microsoft's web software. Now let's all calm down and understand that there are plenty of opinions out there.
Posted by (6 comments )
I second this notion....
...instead of "See I told you so" we should be more about how to improve technology overall. While everyone is going to have their favorite OS, application, programming language, etc., the technology community should be focused on widespread improvement, innovation, advancement, and education. All the arguing just shows how off track a lot of techies have become.
Posted by VI Joker (231 comments )
We are just tired of the hypocrisy
I read your article, and I must say in response that a lot of us here are tired of the Linux zealots constantly bashing MS and Windows.

They have known all along that Linux has plenty of its own security flaws, but were unwilling to admit it.

Now something comes up that took advantage of these flaws, and the Linux zealots come out with "well it's not Linux' fault." or "it's not really Linux since it didn't happen in the kernel."

This is hypocrisy plain and simple.

I for one am tired of the Linux crowd.

Linux itself is subpar; I find it hard to install, lacking hardware support that takes *full* advantage of hardware as Windows does, fairly rough around the edges, horrible fonts, buggy applications, horrible printer, audio and network support, etc.

Yes, it is free... and I do not like Windows Activation policies... but Windows is worth every penny in frustration saved trying to get things to work in Linux.
Posted by DrakeLoneStar (22 comments )
Nice comments
However, it needs to be noted that running XP in a limited user mode renders your computer nearly useless. Many programs simply will not run, and to install apps you need admin rights, which in windows is all or none.

Windows permissions are decades behind, perhaps vista will advance it a bit, but will still be a performance and security nightmare because of MS's strange reluctance to dump two of the worst ideas in computing ever: the registry and ActiveX.
Posted by Bill Dautrive (1179 comments )
Most of you missed my point
My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.
Posted by jamie.p.walsh (288 comments )
To reiterate...
... your point for the benefit of those latecomers.

I hope you don't mind if I paraphrase.

Because Windows is so flawed, the Linux Zealots (LZ's from now on) respond to the many reports of exploited vulnerabilities with derision and mocking laughter.

Now that there is a report of a vulnerability in three applications that run on Linux, the LZ's will run and cower as MCSE graduates rightfully scorn the deluded minority.

Bout right?
Posted by joshuasmythe (32 comments )
Re: Most of you missed my point
>My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.

Similar to the veracity to which Windows lovers (apparently like yourself) jump on stories regarding Linux flaws. Windows lovers will even jump on stories that aren't really Linux flaws just to find something to jump on.

A simple read of either the McAfee or Symantec pages shows that the security vulnerability is actually in PHP/CGI scripts that MAY be installed. It might even be on a Windows machine.

When a major Windows flaw in Internet Explorer is announced, it's a major problem. When a minor flaw in a script that might be installed on a Linux machine somewhere is announced, it's not a major problem. Didn't stop you from jumping on it anyway though did it?
Posted by mstone0802 (3 comments )
Not sure if you've noticed.
But the three vulnerabilities are all from third party software and that's not installed by default.

Nice try though.
Posted by Justin Shreve (1 comment )
Not the most hacked, the most defaced
Zone-h only tracks defacements and not actual hacks. Millions of computers are hacked every day that are not running web servers.
Posted by mwa423 (78 comments )
Isn't it that...
... you hack to deface? :)
Posted by Mendz (519 comments )
Out of the box
The fact of the matter is that a Linux install, out of the box, is far tighter than you could ever make Windows, unless you unplug the Windows box from the internet permanently.

Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.

As for this problem, it is not a Linux issue. It has also been fixed for quite some time. That is another major difference between Windows and open source. Windows vulnerabilities normally do not even get acknowledged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often than not found and fixed in days. That is a huge difference.

Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.

Try to write a virus for any *nix variant, including OSX, that will spread itself. When you give up 12 months later, go ahead and spend 15 minutes writing one for Windows and then come here and say that Windows is more secure.
Posted by Bill Dautrive (1179 comments )
My server was infected by this *#** worm
And I've even tried to keep my web server up to date with security patches. The attacker somehow also gained root privileges and erased my server log files. I'm off to reinstall the entire thing. Damn...
Posted by johanesvennson (2 comments )
Good one!
You're funny. ;)
Posted by Johnny Mnemonic (374 comments )
Re: Infected server
Can you elaborate? I'm not trying to be funny, I really am curious. This specific vulnerability, someone else in the comments said it was 10 months old. And someone else said it requires 3 different exploits to be used together.

I don't know if any of that is true. I went to php.net and checked the changelogs to try and see which version has an exploit vulnerability, but it's all greek to me.

The gaining of root privileges is worrying. Were you running the server as root? Was your password strength good? Come on, be honest, or was it bunnylove123. And that's not my password! Don't try it ;)
Posted by joshuasmythe (32 comments )
php is heavily exploited
PHP is heavily exploited. Someone else pointed this out.. this is NOT A LINUX problem it is a PHP problem.
Posted by aabcdefghij987654321 (1721 comments )
WINDOWS VS LINUX
Most of the news stories lay an emphasis on whether the virus or the worm affects open source (Linux) or Windows or even Mozilla. It is no longer a question of the brand name of the software, whether it concerns a browser or an operating engine or a router. Cisco recently fired its star researcher when he talked about the flaw contained in the software powering its high-end routers. Probably the wireless adapters have a flaw in the software powering the adapters whether they are manufactured by Sprint, Linksys or the one I use and like, D-Link.

The reason for not making so much fuss about the brand name or the product name is that the flaw or the virus has nothing to do with the product name or the brand name. It has to do with the internet infrastructure in place. If it remains in place the doom and gloom is in the future or in the karma of the internet.

This has been thoroughly discussed at
http://www.newerawisp.blogspot.com/

What makes the need for the new infrastructure so urgent is that even the security software of most popular security systems like Symantec is not immune from the virus attacks.

Even the IT people have admitted that they are completely frustrated.

People need to hear about the new flaws. But let not these stories appear like they were first time appearances.
Posted by newerawisp (47 comments )
The article is properly named
Now, whether you like it or not, lupper targets systems running linux (not windows systems, not OSX, not FreeBSD, etc.) Just like an IIS worms target windows systems.

(And yes, I'm well aware of the fact that this is not something in the OS)

Here's the thing, it's safe to say windows isn't too secure (has everybody forgotten sasser and..whatever the dcom worm was called.) But it's safer to say Microsoft software is insecure, that way you not only get windows in there, but you also get the benefit of all the iis worms and holes and the office/outlook holes.
Posted by mwa423 (78 comments )
Incorrect
It targets system running certain, unpatched PHP elements. PHP has nothing to do with linux.
Posted by Bill Dautrive (1179 comments )
Do I win something for starting such a heated thread?
a T-shirt would be nice.
Posted by jamie.p.walsh (288 comments )
Yes, because without you...
... no one would have posted any comments ;)
Posted by joshuasmythe (32 comments )
oooh, sarcasm
if not, I appreciate the sentiment
Posted by jamie.p.walsh (288 comments )