November 7, 2005 5:12 PM PST

New worm targets Linux systems

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.

McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.


137 comments (showing first 20 comments)
Ahh, where are all the Linux zealots now
by jamie.p.walsh November 7, 2005 6:10 PM PST
Take a look at any news regarding Windows vulnerabilities and you'll find one posting his/her big mouth 10 minutes later.
Prolly...
by November 7, 2005 6:37 PM PST
Prolly trying to figure out how to fix this!! haha :)
Hah!
by Mendz November 7, 2005 6:39 PM PST
And another hah! :p
Take it Easy.
by Dead Soulman November 7, 2005 6:39 PM PST
Linux is more secure than Windows. If you had the chance to read carefully, it refers to outdated systems, of which unfortunately there are quite a few out there in the core of the internet.
This is one of the fundamental reasons...
by Captain_Spock November 7, 2005 6:40 PM PST
... we would personally and professionally prefer OS/2 Warp and OS/2 Warp Server for e-Business. Why not ask the "Russians" why they do too!
Re: Linux Zealots
by Jenic November 7, 2005 7:00 PM PST
Uh if you actually read the article it mentions the vulnerabilities the worm exploits. None of those vulnerabilities are of Linux but rather 3rd party applications. It just so happens that the applications run on Linux.
PHP seems like the weakest link ...
by My-Self November 8, 2005 12:41 AM PST
If you run PHP, you'd better take some measures like:
http://www.hardened-php.net/
Security and Total Cost of Ownership!
by Captain_Spock November 8, 2005 1:41 AM PST
It is rather strange that so... many people around (including Windows and Linux users) the world put their "trust" in the ATMs that they use daily and for once do not consider the "reliable and secure" "Old Work-Horse" that is called "OS/2" that undoubtedly would present a better business value and superior Total Cost of Ownership (TCO) scenario than Linux or Windows any day for the desktop environment. Why not stop using your ATMs!
Not impressed....
by fireball74 November 8, 2005 2:21 AM PST
There is no such thing as a perfect piece of software.

I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicker though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.

Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.
Where is the Linux flaw?
by Johnny Mnemonic November 8, 2005 3:07 AM PST
Did I miss something?

I clicked on the story thinking I would have to update my system or something.

AWSTATS is a rather obscure piece of software. As I understand it, AWSTATS is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?

Correct me if I'm wrong. Thanks.
It only took 10 Months to Exploit this flaw?
by Mallardd November 8, 2005 6:19 AM PST
These virus writers need to get on the ball quicker. If it were a Windows vulnerability such a worm would have probably been released within a week of patching the flaw.
This is not a Linux Vulnerability!
by neelbhatt November 8, 2005 6:44 AM PST
This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).

Authors should select their titles more cautiously.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.

Does this mean Linux is mainstream
by Tanjore November 8, 2005 6:59 AM PST
I guess this means Linux is no more a hobby OS and is now more mainstream, and eventually flaws in the OS or the software installed on it will be exploited.
Uh huh
by Jenic November 8, 2005 7:11 AM PST
Ya, Linux is bigger now so people will start to take notice. But the author of this article intentionally named it wrong. This is not a Linux problem, as many of the other comments say. It's an XML problem in that certain third-party applications are being exploited. When Windows gets a flaw, it's on Windows software. No one blames Windows for a flaw in another program and we should do the same with Linux.
Tension
by November 8, 2005 7:13 AM PST
I can't believe the amount of "I'm right and you guys suck" attitudes there are on the comments here. Windows and linux both have their zealots. I believe both can be secured if kept updated and not run as administrator.

Small exploits have been used for years to compromise web servers running linux, freebsd, etc. Same thing said for windows of all flavors.

If you really worry about security then why not run openbsd? It's geared towards security and you could easily pop a nice gui-based administration on it to have an easy to administer server.

I am a bit more inclined to use a linux server than a windows one though. Linux has a lot more administrative abilities than windows. Windows has never made it particularly easy to find hidden processes. Windows also doesn't provide as much choice as you might want for a dedicated server. You tend to run too many services on a windows server and it takes a lot of tweaking to get it perfect. Perhaps Vista will solve this with their custom install options.

Some Linux distributions on the other hand don't assume you want a lot of useless apps installed. Just install debian sarge with nothing but a firewall and apache for a web server. You save a lot of disk space and time.

Go with what works for you but I do like to save money by not paying for windows or microsoft's web software. Now let's all calm down and understand that there are plenty of opinions out there.
Most of you missed my point
by jamie.p.walsh November 8, 2005 9:38 AM PST
My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.
Not sure if you've noticed.
by Justin Shreve November 8, 2005 12:00 PM PST
But the three vulnerabilities are all from third party software and that's not installed by default.

Nice try though.
Not the most hacked, the most defaced
by mwa423 November 8, 2005 2:17 PM PST
Zone-h only tracks defacements and not actual hacks. Millions of computers are hacked every day that are not running web servers.
Out of the box
by Bill Dautrive November 8, 2005 9:03 PM PST
The fact of the matter is that a linux install, out of the box, is far tighter than you could ever make windows, unless you unplug the windows box from the internet permanently.

Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.

As for this problem, it is not a Linux issue. It has also been fixed for quite some time. That is another major difference between windows and open source. Windows vulnerabilities normally do not even get acknowledged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often than not found and fixed in days. That is a huge difference.

Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.

Try to write a virus for any *nix variant, including OSX, that will spread itself. When you give up 12 months later, go ahead and spend 15 minutes writing one for windows and then come here and say that windows is more secure.
My server was infected by this *#** worm
by johanesvennson November 9, 2005 5:45 AM PST
And I've even tried to keep my web server up to date with security patches. The attacker somehow also gained root privileges and erased my server log files. I'm off to reinstall the entire thing. Damn...