November 7, 2005 5:12 PM PST
New worm targets Linux systems
The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."
Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.
A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.
The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.
The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.
McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.
Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends a complete reinstallation, because it will be difficult to determine what else the computer has been exposed to.
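The story says Lupper scans for the three vulnerable scripts at fixed locations, which means a web server's own access log is where a defender would first look for it. The following triage script is an added example, not code from the story, McAfee or Symantec; the script filenames (xmlrpc.php, awstats.pl, hints.pl) and the heuristic of flagging AWStats only when the logfile parameter carries shell metacharacters are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script filenames for the three components named in the story. The story
# gives no paths; these are the usual filenames each package ships with
# and are an assumption of this example.
SUSPECT_SCRIPTS = {
    "xmlrpc.php": "XML-RPC for PHP",
    "awstats.pl": "AWStats",
    "hints.pl": "Webhints",
}
# Characters that never belong in a log-file name. The AWStats flaw was in
# the Rawlog plugin's logfile parameter, so a command injection shows up
# as shell metacharacters in that value.
SHELL_META = re.compile(r"[|;`$&]")
# Apache combined log format: client, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_line(line):
    """Return (client, component, reason) for a request worth triaging,
    or None for anything that does not touch the three components."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, method, target, _status = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    component = SUSPECT_SCRIPTS.get(script)
    if component is None:
        return None
    reason = f"{method} {parts.path}"
    if script == "awstats.pl":
        logfile = "".join(parse_qs(parts.query).get("logfile", []))
        if not SHELL_META.search(logfile):
            return None  # ordinary AWStats report view, not an injection
        reason = "logfile parameter carries shell metacharacters"
    return (client, component, reason)

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines: documentation-range addresses, nothing taken
# from the story or from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Nov/2005:17:12:00 -0800] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [07/Nov/2005:17:12:01 -0800] "POST /xmlrpc.php HTTP/1.0" 200 410 "-" "-"',
    '192.0.2.12 - - [07/Nov/2005:17:12:02 -0800] "GET /awstats/awstats.pl?config=www HTTP/1.1" 200 9876 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [07/Nov/2005:17:12:03 -0800] "GET /awstats/awstats.pl?config=www&logfile=%7Cx%7C HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.14 - - [07/Nov/2005:17:12:04 -0800] "GET /cgi-bin/hints.pl?show=1 HTTP/1.0" 200 300 "-" "-"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for client, component, reason in scan_log(SAMPLE_LOG):
        print(f"{client}: {component}: {reason}")
```

A POST to xmlrpc.php is also what legitimate blog clients send, so that hit is a triage lead rather than proof of infection; the AWStats and Webhints hits are the ones to act on first.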
This worm exploits three applications, not the Linux operating system.
The same applications would have been equally exploitable if they were running on any other operating system (including different versions of Windows & even OS/2).
And no, I am not a Linux Zealot! :-). I work on Microsoft technologies.
It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.
But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.
Thanks & regards,
Neel.
Symantec Software.
My Site: http://www.geocities.com/nerdyneel
I want you to think about something:
These exploits work on systems where PHP is given elevated privileges on the system. This is not default for any out of the box Linux distro. The administrator of these systems must explicitly grant PHP elevated access to their systems to make these Wiki systems work. The admins know full well the risk they are taking when they do this, and they should know better than to leave the Wiki software unpatched.
I find it totally amazing that we have dozens of HIGH RISK Windows exploits every month that can affect a Windows box without any user intervention. And you're getting all huffy over one low risk PHP exploit that has been patched for months and only affects systems running PHP with elevated privileges?
Give me a break. I don't care what OS you're running... NO OS prevents Admin stupidity. It's nice that you think Linux is that good though, that it can even prevent a super-user from making the system vulnerable. Linux distros come secure out of the box, if an admin decides to open it up for attack, how is that the fault of Linux?
The fact that such a serious flaw exists for Linux is just more evidence that Linux is no more secure than Windows Server systems.
Of course, when it happens on Linux, all of the Linux zealots proclaim: "Oh but it's not in the kernel", or "It's an older distribution!", or "but <insert a different distro> doesn't have the flaw so it's not Linux!"
Please. I'm so sick of Linux zealots and their constant BS. Thank god for stories like this one that expose Linux for what it really is: just another OS that has its share of problems.
EVERY Windows virus in history has only applied to unpatched systems. So if you accept your logic, there were never viruses for current Windows systems!
If it was actually about outdated (i.e. non current versions) systems then that also applies to 75% of Windows flaws in the last year or so, since not many affect (or are critical on) Windows XP Service Pack 2 or Windows Server Service Pack 1.
Linux zealots would laugh at those arguments if used to defend Windows over a virus outbreak. Why try them here?
IMHO
There is a trend to say that if it impacts Linux, it is an application problem, and if it impacts Windows, it is a Windows problem.
In my opinion this is astroturfing.
I understand Linux is just a kernel, but several tools are considered part of Windows that are outside the kernel as well.
We can't fairly compare all vulns in the entire Windows platform to only the vulns in the Linux kernel.
For the sake of trying to use a similar metric, I use this rule.
If it shipped with the distribution, it can be considered a vuln with GNU/Linux.
If it was not shipped with Windows or GNU/Linux, it is an application vuln.
There are obviously some gray areas with this, but in general it is a good way to stay on the same page.
http://www.hardened-php.net/
Also, IBM stopped supporting OS/2 a while back. Since you can't get manufacturer support, the TCO is moot. Companies want support, and even a great OS like OS/2 would fall short of expectations where newer hardware is concerned.
You might as well go back to DOS, Amiga, or any other vintage computing platform.
I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicker though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.
Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.
Well most Windows security flaws were also "not in the kernel." In fact, almost all of them revolved around the web server (IIS), or Outlook/Office (client apps.). And out of those, most had to be user initiated.
But wait, since it happened on Windows, it must all be the OS, where if it happened on Linux, it certainly isn't Linux fault since it "didn't happen in the kernel."
*Puleeze*
Stop with the BS and hypocrisy - it's getting real tiring.
People run the OS and the accompanying programs/services - not just the kernel.
The bottom line is: for people running Linux, there are security flaws, and you are at risk - regardless if it is strictly in the kernel or not.
I clicked on the story thinking I would have to update my system or something.
AWStats is a rather obscure piece of software. As I understand it, AWStats is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?
Correct me if I'm wrong. Thanks.
This is why patching and updating Windows 2003 server based systems is so much less expensive than Linux. Also, of course, they have far fewer vulnerabilities than Linux, and those that they do have are on average fixed faster.
Authors should select their titles more cautiously.
Thanks & regards,
Neel.
My Site: http://www.geocities.com/nerdyneel
guys suck" attitudes there are on the comments here. Windows and Linux both have their zealots. I believe both can be secured if kept updated and not run as administrator.
Small exploits have been used for years to compromise web servers running Linux, FreeBSD, etc. Same thing said for Windows of all flavors.
If you really worry about security then why not run OpenBSD? It's geared towards security and you could easily pop a nice GUI-based administration on it to have an easy to administer server.
I am a bit more inclined to use a Linux server than a Windows one though. Linux has a lot more administrative abilities than Windows. Windows has never made it particularly easy to find hidden processes. Windows also doesn't provide as much choice as you might want for a dedicated server. You tend to run too many services on a Windows server and it takes a lot of tweaking to get it perfect. Perhaps Vista will solve this with their custom install options.
Some Linux distributions on the other hand don't assume you want a lot of useless apps installed. Just install Debian Sarge with nothing but a firewall and Apache for a web server. You save a lot of disk space and time.
Go with what works for you but I do like to save money by not paying for Windows or Microsoft's web software. Now let's all calm down and understand that there are plenty of opinions out there.
They have known all along that Linux has plenty of its own security flaws, but were unwilling to admit it.
Now something comes up that took advantage of these flaws, and the Linux zealots come out with "well it's not Linux' fault." or "it's not really Linux since it didn't happen in the kernel."
This is hypocrisy plain and simple.
I for one am tired of the Linux crowd.
Linux itself is subpar; I find it hard to install, lacking hardware support that takes *full* advantage of hardware as Windows does, fairly rough around the edges, horrible fonts, buggy applications, horrible printer, audio and network support, etc.
Yes, it is free... and I do not like Windows Activation policies... but Windows is worth every penny in frustration saved trying to get things to work in Linux.
Windows permissions are decades behind, perhaps vista will advance it a bit, but will still be a performance and security nightmare because of MS's strange reluctance to dump two of the worst ideas in computing ever: the registry and ActiveX.
I hope you don't mind if I paraphrase.
Because Windows is so flawed, the Linux Zealots (LZ's from now on) respond to the many reports of exploited vulnerabilities with derision and mocking laughter.
Now that there is a report of a vulnerability in three applications that run on Linux, the LZ's will run and cower as MCSE graduates rightfully scorn the deluded minority.
Bout right?
Similar to the veracity to which Windows lovers (apparently like yourself) jump on stories regarding Linux flaws. Windows lovers will even jump on stories that aren't really Linux flaws just to find something to jump on.
A simple read of either the McAfee or Symantec pages shows that the security vulnerability is actually in PHP/CGI scripts that MAY be installed. It might even be on a Windows machine.
When a major Windows flaw in Internet Explorer is announced, it's a major problem. When a minor flaw in a script that might be installed on a Linux machine somewhere is announced, it's not a major problem. Didn't stop you from jumping on it anyway though did it?
Nice try though.
Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.
As for this problem it is not a Linux issue. It has also been fixed for quite some time. That is another major difference between Windows and open source. Windows vulnerabilities normally do not even get acknowledged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often than not found and fixed in days. That is a huge difference.
Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.
Try to write a virus for any *nix variant, including OSX, that will spread itself. When you give up 12 months later, go ahead and spend 15 minutes writing one for Windows and then come here and say that Windows is more secure.
I don't know if any of that is true. I went to php.net and checked the changelogs to try and see which version has an exploit vulnerability, but it's all greek to me.
The gaining of root privileges is worrying. Were you running the server as root? Was your password strength good? Come on, be honest, or was it bunnylove123. And that's not my password! Don't try it ;)
The reason for not making so much fuss about the brand name or the product name is that the flaw or the virus has nothing to do with the product name or the brand name. It has to do with the internet infrastructure in place. If it remains in place the doom and gloom is in the future or in the karma of the internet.
This has been thoroughly discussed at
http://www.newerawisp.blogspot.com/
What makes the need for the new infrastructure so urgent is that even the security software of most popular security systems like Symantec is not immune from the virus attacks.
Even the IT people have admitted that they are completely frustrated.
People need to hear about the new flaws. But let not these stories appear like they were first time appearances.
(And yes, I'm well aware of the fact that this is not something in the OS)
Here's the thing, it's safe to say windows isn't too secure (has everybody forgotten sasser and..whatever the dcom worm was called.) But it's safer to say Microsoft software is insecure, that way you not only get windows in there, but you also get the benefit of all the iis worms and holes and the office/outlook holes.