November 7, 2005 5:12 PM PST

New worm targets Linux systems

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; the AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.

McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.

Showing 1 of 2 pages (137 Comments)
Ahh, where are all the Linux zealots now
by jamie.p.walsh November 7, 2005 6:10 PM PST
Take a look at any news regarding Windows vulnerabilities and you'll find one posting his/her big mouth 10 minutes later.
Reply to this comment
So?
by Marcus Westrup November 8, 2005 12:52 AM PST
Then what's your excuse?
View reply
Re: Ahh, where are all the Linux zealots now
by neelbhatt November 8, 2005 6:51 AM PST
Hi Jamie,

This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).

And no, I am not a Linux Zealot! :-). I work on Microsoft technologies.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.
Symantec Software.
My Site
View reply
Linux Zealot
by irwinr November 8, 2005 8:34 AM PST
hahahaha!! We're standing back and watching everyone make a huge deal over exploits which have been easily patchable since the beginning of this year! It's funny how these news sites only write articles about high risk Windows vulnerabilities, but every low risk Linux vulnerability that comes around. The only thing that doesn't have a patch is the Webhints package which no-one uses anyhow.

I want you to think about something:

These exploits work on systems where PHP is given elevated privileges on the system. This is not default for any out of the box Linux distro. The administrator of these systems must explicitly grant PHP elevated access to their systems to make these Wiki systems work. The admins know full well the risk they are taking when they do this, and they should know better than to leave the Wiki software unpatched.

I find it totally amazing that we have dozens of HIGH RISK Windows exploits every month that can affect a Windows box without any user intervention. And you're getting all huffy over one low risk PHP exploit that has been patched for months and only affects systems running PHP with elevated privileges?

Give me a break. I don't care what OS you're running... NO OS prevents Admin stupidity. It's nice that you think Linux is that good though, that it can even prevent a super-user from making the system vulnerable. Linux distros come secure out of the box, if an admin decides to open it up for attack, how is that the fault of Linux?
View reply
Prolly...
by November 7, 2005 6:37 PM PST
Prolly trying to figure out how to fix this!! haha :)
Reply to this comment
Hah!
by Mendz November 7, 2005 6:39 PM PST
And another hah! :p
Reply to this comment
Take it Easy.
by Dead Soulman November 7, 2005 6:39 PM PST
Linux is more secure than Windows. If you had the chance to read carefully, it refers to outdated systems; which unfortunately there are quite a few out there in the core of the internet.
Reply to this comment
Linux is not superior
by DrakeLoneStar November 7, 2005 9:10 PM PST
Nice try, but Linux is *not* superior to Windows. There are very few virus writers for Linux, and a ton more for Windows.

The fact that such a serious flaw exists for Linux is just more evidence that Linux is no more secure than Windows Server systems.

Of course, when it happens on Linux, all of the Linux zealots proclaim: "Oh but it's not in the kernel", or "It's an older distribution!", or "but <insert a different distro> doesn't have the flaw so it's not Linux!"

Please. I'm so sick of Linux zealots and their constant BS. Thank god for stories like this one that exposes Linux for what it really is: just another OS that has its share of problems.
View all 2 replies
Outdated or unpatched?
by Hernys November 7, 2005 10:15 PM PST
I don't see anything in the article referring to outdated systems. If you meant unpatched systems... duh!
EVERY Windows virus in history has only applied to unpatched systems. So if you accept your logic, there were never viruses for current Windows systems!
If it was actually about outdated (i.e. non current versions) systems then that also applies to 75% of Windows flaws in the last year or so, since not many affect (or are critical on) Windows XP Service Pack 2 or Windows Server Service Pack 1.
Linux zealots would laugh at those arguments if used to defend Windows over a virus outbreak. Why try them here?
View all 2 replies
If you notice Linux is still the top hacked web server
by ElmerFud November 8, 2005 1:14 PM PST
Check out www.zone-h.com, Linux defacements on average have the highest high count for world wide hacks and defacements.

IMHO
View reply
This is one of the fundamental reasons...
by Captain_Spock November 7, 2005 6:40 PM PST
... we would personally and professionally prefer OS/2 Warp and OS/2 Warp Server for e-Business. Why not ask the "Russians" why they do too!
Reply to this comment
Oops..
by Captain_Spock November 7, 2005 6:48 PM PST
... personally and collectively.
View reply
Re: Linux Zealots
by Jenic November 7, 2005 7:00 PM PST
Uh if you actually read the article it mentions the vulnerabilities the worm exploits. None of those vulnerabilities are of Linux but rather 3rd party applications. It just so happens that the applications run on Linux.
Reply to this comment
also...
by theguitarizt November 7, 2005 7:05 PM PST
any decent sysadmin won't run apache or any linux webserver as a real user, so the worst that could happen would be a lost web page, which can probably be restored fairly quickly.
View reply
Re: You
by Dachi November 7, 2005 7:13 PM PST
According to the bugtraq post, at least the PHP Remote Code Injection vulnerability ships with several Linux distros.

There is a trend to say that if it impacts Linux, it is an application problem, and if it impacts Windows, it is a Windows problem.

In my opinion this is astroturfing.

I understand Linux is just a kernel, but several tools are considered part of Windows that are outside the kernel as well.

We can't fairly compare all vulns in the entire Windows platform to only the vulns in the Linux kernel.

For sake of trying to use a similar metric, I use this rule.

If it shipped with the distribution, it can be considered a vuln with GNU/Linux.

If it was not shipped with Windows or GNU/Linux, it is an application vuln.

There are obviously some gray areas with this, but in general it is a good way to stay on the same page.
View all 5 replies
PHP seems like the weakest link ...
by My-Self November 8, 2005 12:41 AM PST
If you run PHP, you'd better take some measures like:
http://www.hardened-php.net/
Reply to this comment
Security and Total Cost of Ownership!
by Captain_Spock November 8, 2005 1:41 AM PST
It is rather strange that so................ many people around (including Windows and Linux users) the world put their "trust" in the ATMs that they use daily and for once do not consider the "reliable and secure "Old Work-Horse" that is called "OS/2" that undoubtedly would present a better business value and superior Total Cost of Ownership (TCO) scenario than Linux or Windows any day for the desktop environment. Why not stop using your ATMs!
Reply to this comment
Rubbish
by fireball74 November 8, 2005 2:52 AM PST
I work for a major leader in the ATM industry. I can safely say that the majority of our ATMs run XENIX, a UNIX variant that was owned by M$, now owned by SCO Group. I know that my bank actually uses Windows on their ATMs. I don't know of a single ATM in my area that runs OS/2. As far as I know, there were a few viruses out that took advantage of flaws in OS/2 also. Go figure....

Also, IBM stopped supporting OS/2 a while back. Since you can't get manufacturer support, the TCO is moot. Companies want support, and even a great OS like OS/2, would fall short of expectations where newer hardware is concerned.

You might as well go back to DOS, Amiga, or any other vintage computing platform.
ATMs run Windows
by richto November 8, 2005 4:45 AM PST
The banks of course primarily DO consider TCO. This is why the vast majority of ATMs run Windows.
View all 3 replies
Poor Guy...
by J_Satch November 8, 2005 7:48 AM PST
...just can't come to terms with the death (long ago) of OS/2. I honestly think you post this silliness for comic relief, and it works! I crack up every time I read one of your OS/2 posts. LOL
View reply
ATMs
by OS2dude November 9, 2005 12:33 PM PST
Having worked on ATMs for a number of years prior to getting into IT (now an MSCE but still enjoy OS/2 since 2.0 and Linux more) I can recall Diebold ATMs running OS/2 v2.x and Fujitsu ATMs at Target stores running Microsoft OS/2 1.3! I would agree that OS/2 (now ecomstation 1.2) is reliable and that is confirmed in my opinion having seen banks use Warp server on some of their back end systems. However, I do recall some ATMs were also transitioning off OS/2...probably more due to lack of support by IBM or other pressures. My only practical criticisms of OS/2 are: there is no secure login (boots right into a desktop), the lack of drivers for many newer RAIDIDE/SCSI controllers/Fiber HBAs, and lack of management in an enterprise environment. Each OS has its pros/cons and place in the grand scheme of things; we all should know by now many times the decision to use a particular OS is not always because it makes the best technical sense. I would echo others' comments indicating regardless of the OS any software required for the OS to run has to be considered part of the OS and that admins need to know how to keep their servers/workstations as secure as possible. OS/2 buff that I am I just don't see the "undoubted" TCO justification given the aforementioned criticisms not to mention the relative lack of applications.
Not impressed....
by fireball74 November 8, 2005 2:21 AM PST
There is no such thing as a perfect piece of software.

I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicker though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.

Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.
Reply to this comment
Typical linux zealot reply
by DrakeLoneStar November 8, 2005 8:47 AM PST
"It's not the kernel."

Well most Windows security flaws were also "not in the kernel." In fact, almost all of them revolved around the web server (IIS), or Outlook/Office (client apps.). And out of those, most had to be user initiated.

But wait, since it happened on Windows, it must all be the OS, where if it happened on Linux, it certainly isn't Linux fault since it "didn't happen in the kernel."

*Puleeze*

Stop with the BS and hypocrisy - it's getting real tiring.

People run the OS and the accompanying programs/services - not just the kernel.

The bottom line is: for people running Linux, there are security flaws, and you are at risk - regardless if it is strictly in the kernel or not.
View reply
Where is the Linux flaw?
by Johnny Mnemonic November 8, 2005 3:07 AM PST
Did I miss something?

I clicked on the story thinking I would have to update my system or something.

AWSTATS is a rather obscure piece of software. As I understand it, AWSTATS is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?

Correct me if I'm wrong. Thanks.
Reply to this comment
bolted together bits of software
by richto November 8, 2005 4:50 AM PST
The flaw is the whole concept of Linux as bolted together pieces of software. It's a nightmare to keep systems updated, and to even be sure if a vulnerability affects you.
This is why patching and updating Windows 2003 server based systems is so much less expensive than Linux. Also of course also that they have far fewer vulnerabilities than Linux, and those that they do have are on average fixed faster.
View all 6 replies
It only took 10 Months to Exploit this flaw?
by Mallardd November 8, 2005 6:19 AM PST
These virus writers need to get on the ball quicker. If it were a Windows vulnerability such a worm would have probably been released within a week of patching the flaw.
Reply to this comment
This is not a Linux Vulnerability!
by neelbhatt November 8, 2005 6:44 AM PST
This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).

Authors should select their titles more cautiously.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.

My Site
Reply to this comment
Does this mean Linux is mainstream
by Tanjore November 8, 2005 6:59 AM PST
I guess this means linux is no more a hobby OS and is now more mainstream, and eventually flaws in the OS or the software installed on it will be exploited.
Reply to this comment
Uh huh
by Jenic November 8, 2005 7:11 AM PST
Ya, Linux is bigger now so people will start to take notice. But the author of this article intentionally named it wrong. This is not a Linux problem, as many of the other comments say. It's an XML problem in that certain third-party applications are being exploited. When windows gets a flaw, it's on windows software. No one blames Windows for a flaw in another program and we should do the same with Linux.
Reply to this comment
Tension
by November 8, 2005 7:13 AM PST
I can't believe the amount of "I'm right and you guys suck" attitudes there are on the comments here. Windows and linux both have their zealots. I believe both can be secured if kept updated and not run as administrator.

Small exploits have been used for years to compromise web servers running linux, freebsd, etc. Same thing said for windows of all flavors.

If you really worry about security then why not run openbsd? It's geared towards security and you could easily pop a nice gui-based administration on it to have an easy to administer server.

I am a bit more inclined to use a linux server than a windows one though. Linux has a lot more administrative abilities than windows. Windows has never made it particularly easy to find hidden processes. Windows also doesn't provide as much choice as you might want for a dedicated server. You tend to run too many services on a windows server and it takes a lot of tweaking to get it perfect. Perhaps Vista will solve this with their custom install options.

Some Linux distributions on the other hand don't assume you want a lot of useless apps installed. Just install debian sarge with nothing but a firewall and apache for a web server. You save a lot of disk space and time.

Go with what works for you but I do like to save money by not paying for windows or microsoft's web software. Now let's all calm down and understand that there are plenty of opinions out there.
Reply to this comment
I second this notion....
by VI Joker November 8, 2005 7:36 AM PST
...instead of "See I told you so" we should be more about how to improve technology overall. While everyone is going to have their favorite OS, application, programming language, etc, the technology community should be focused on widespread improvement, innovation, advancement, and education. All the arguing just shows how off track a lot of techies have become.
View reply
We are just tired of the hypocrisy
by DrakeLoneStar November 8, 2005 8:53 AM PST
I read your article, and I must say in response that a lot of us here are tired of the Linux zealots constantly bashing MS and Windows.

They have known all along that Linux has plenty of its own security flaws, but were unwilling to admit it.

Now something comes up that took advantage of these flaws, and the Linux zealots come out with "well it's not Linux' fault." or "it's not really Linux since it didn't happen in the kernel."

This is hypocrisy plain and simple.

I for one am tired of the Linux crowd.

Linux itself is subpar; I find it hard to install, lacking hardware support that takes *full* advantage of hardware as Windows does, fairly rough around the edges, horrible fonts, buggy applications, horrible printer, audio and network support, etc.

Yes, it is free... and I do not like Windows Activation policies... but Windows is worth every penny in frustration saved trying to get things to work in Linux.
View all 3 replies
Nice comments
by Bill Dautrive November 8, 2005 9:19 PM PST
However, it needs to be noted that running XP in a limited user mode renders your computer nearly useless. Many programs simply will not run, and to install apps you need admin rights, which in windows is all or none.

Windows permissions are decades behind, perhaps vista will advance it a bit, but will still be a performance and security nightmare because of MS's strange reluctance to dump two of the worst ideas in computing ever: the registry and ActiveX.
Most of you missed my point
by jamie.p.walsh November 8, 2005 9:38 AM PST
My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.
Reply to this comment
To reiterate...
by joshuasmythe November 8, 2005 10:09 AM PST
... your point for the benefit of those latecomers.

I hope you don't mind if I paraphrase.

Because Windows is so flawed, the Linux Zealots (LZ's from now on) respond to the many reports of exploited vulnerabilities with derision and mocking laughter.

Now that there is a report of a vulnerability in three applications that run on Linux, the LZ's will run and cower as MCSE graduates rightfully scorn the deluded minority.

Bout right?
View reply
Re: Most of you missed my point
by mstone0802 November 8, 2005 12:25 PM PST
>My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.

Similar to the veracity to which Windows lovers (apparently like yourself) jump on stories regarding Linux flaws. Windows lovers will even jump on stories that aren't really Linux flaws just to find something to jump on.

A simple read of either the McAfee or Symantec pages shows that the security vulnerability is actually in PHP/CGI scripts that MAY be installed. It might even be on a Windows machine.

When a major Windows flaw in Internet Explorer is announced, it's a major problem. When a minor flaw in a script that might be installed on a Linux machine somewhere is announced, it's not a major problem. Didn't stop you from jumping on it anyway though did it?
Not sure if you've noticed.
by Justin Shreve November 8, 2005 12:00 PM PST
But the three vulnerabilities are all from third party software and that's not installed by default.

Nice try though.
Reply to this comment
Not the most hacked, the most defaced
by mwa423 November 8, 2005 2:17 PM PST
Zone-h only tracks defacements and not actual hacks. Millions of computers are hacked every day that are not running web servers.
Reply to this comment
Isn't it that...
by Mendz November 8, 2005 6:21 PM PST
... you hack to deface? :)
View reply
Out of the box
by Bill Dautrive November 8, 2005 9:03 PM PST
The fact of the matter is that a linux install, out of the box is far tighter than you could ever make windows, unless you unplug the windows box from the internet permanently.

Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.

As for this problem it is not a Linux issue. It has also been fixed for quite some time. That is another major difference between windows and open source. Windows vulnerabilities, normally do not even get acknowledged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often than not found and fixed in days. That is a huge difference.

Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.

Try to write a virus for any *nix variant, including OSX that will spread itself. When you give up 12 months later, go ahead and spend 15 minutes writing one for windows and then come here and say that windows is more secure.
Reply to this comment
My server was infected by this *#** worm
by johanesvennson November 9, 2005 5:45 AM PST
And I've even tried to keep my web server up to date with security patches. The attacker somehow also gained root privileges and erased my server log files. I'm off to reinstall the entire thing. Damn...
Reply to this comment
Good one!
by Johnny Mnemonic November 9, 2005 10:11 AM PST
You're funny. ;)
Re: Infected server
by joshuasmythe November 9, 2005 11:02 AM PST
Can you elaborate? I'm not trying to be funny, I really am curious. This specific vulnerability, someone else in the comments said it was 10 months old. And someone else said it requires 3 different exploits to be used together.

I don't know if any of that is true. I went to php.net and checked the changelogs to try and see which version has an exploit vulnerability, but it's all greek to me.

The gaining of root privileges is worrying. Were you running the server as root? Was your password strength good? Come on, be honest, or was it bunnylove123. And that's not my password! Don't try it ;)
View reply