New worm targets Linux systems

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.

McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.

[jamie.p.walsh]

Ahh, where are all the Linux zealots now

Take a look at any news regarding Windows vulnerabilities and you'll find one posting his/her big mouth 10 minutes later.

Prolly...

Prolly trying to figure out how to fix this!! haha

[Mendz]

Hah!

And another hah!

[Dead Soulman]

Take it Easy.

Linux is more secure than Windows. If you had the chance to read carefully, it refers to outdated systems; which unfortunately there are quite a few out there in the core of the internet.

[Captain_Spock]

This is one of the fundamental reasons...

... we would personally and professionally prefer OS/2 Warp and OS/2 Warp Server for e-Business. Why not ask the "Russians" why they do too!

[Jenic]

Re: Linux Zealots

Uh if you actually read the article it mentions the vulnerabilities the worm exploits. None of those vulnerabilities are of Linux but rather 3rd party applications. It just so happens that the applications run on Linux.

[My-Self]

PHP seems like the weakest link ...

If you run PHP, you'd better take some measures like :
http://www.hardened-php.net/

[Captain_Spock]

Security and Total Cost of Ownership!

It is rather strange that so................ many people around (including Windows and Linux users) the world put their "trust" in the ATMs that they use daily and for once do not consider the "reliable and secure "Old Work-Horse" that is called "OS/2" that undoubtedly would present a better business value and superior Total Cost of Ownership (TCO) scenario than Linux or Windows any day for the desktop environment. Why not stop using your ATMs!

[fireball74]

Not impressed....

There is no such thing as a perfect piece of software.

I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicked though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.

Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.

[Johnny Mnemonic]

Where is the Linux flaw?

Did I miss something?

I clicked on the story thinking I would
have to update my system or something.

AWSTATS is a rather obscure piece of software.
As I understand it, AWSTATS runs is a web-based
statitics tool. I imagine if it runs on Windows
the same issue would exist?

Correct me if I'm wrong. Thanks.

[Mallardd]

It only took 10 Months to Exploit this flaw?

These virus writers need to get on the ball quicker. If it where a Windows vurnerablity such a worm would have probably been released within a week of patching the flaw.

[neelbhatt]

This is not a Linux Vulnerability!

This worm exploits three applications, not the Linux operating system.

The same applications would have been equally exploitable if they would be running on any other opeating system (Including different versions of Windows & even OS/2).

Authors should select their titles more catiuosly.

It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.

But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.

Thanks & regards,
Neel.

My Site

[Tanjore]

Does this mean Linux is mainstream

I guess this mean linux is no more a hobby OS and now has more mainstream and eventually flaws in the OS or the software installed on it or will be exploited.

[Jenic]

Uh huh

Ya, Linux is bigger now so people will start to take notice. But the author of this article intentionally named it wrong. This is not a Linux problem, as many of the other comments say. Its an XML problem in that certain thirdparty applications are being exploited. When windows gets a flaw, its on windows software. No one blames Windows for a flaw in another program and we should do the same with Linux.

Tension

I can't believe the amount of "I'm right and you
guys suck" attitudes there are on the comments
here. Windows and linux both have their
zealots. I believe both can be secured if kept
updated and not run as adminstrator.

Small exploits have been used for years to
compromise web servers running linux, freebsd,
etc. Same thing said for windows of all
flavors.

If you really worry about security then why not
run openbsd? Its geared towards security and
you could easily pop a nice gui-based
adminstration on it to have an easy to
administer server.

I am a bit inclined to use a linux server than a
windows one though. Linux has alot more
adminstrative abilities than windows. Windows
has never made it partically easy to find hidden
processes. Windows also doesn't provide as much
choice as you might one for a dedicated server.
You tend to run too many services on a windows
server and it takes alot of tweaking to get it
perfect. Perhaps Vista will solve this with
their custom install options.

Some Linux distributions on the other hand don't
assume you want alot of useless apps installed.
Just install debian sarge with nothing but a
firewall and apache for a web server. You save
alot of disk space and time.

Go with what work for you but I do like to save
money by not paying for windows or microsoft's
web software. Now lets all calm down and
understand that there is plenty of opinions out
there.

[jamie.p.walsh]

Most of you missed my point

My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.

[Justin Shreve]

Not sure if you've noticed.

But the three vulnerabilities are all from third party software and that's not installed by default.

Nice try though.

[mwa423]

Not the most hacked, the most defaced

Zone-h only tracks defacements and not actual hacks. Millions of computers are hacked every day that are not running web servers.

[Bill Dautrive]

Out of the box

The fact of the matter is that a linux install, out of the box is far tighter then you could ever make windows, unless you unplug the wundows box from the internet permanently.

Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.

As for this problem it is not a Linux issue. It is also been fixed for quite some time. That is another major difference between windows and open source. Windows vulnerabilities, normally do not even get acknowleged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often then not found and fixed in days. That is a huge difference.

Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.

Try to write a virus for any *nix variant, including OSX that will spread itself. When you give up 12 month later, go ahead and spend 15 minutes writing one for windows and then come here and say that windows is more secure.

[johanesvennson]

My server was infected by this *#** worm

And I've even tried to keep my web server up to date with security patches. The attacker somehow also gained root privileges and erased my server log files. I'm off to reinstall the entire thing. Damn...