A new worm is attacking Linux-based systems by taking
advantage of security vulnerabilities in web servers.
The worm has been called “Lupper” by McAfee and “Plupii” by
Symantec, which, along with other internet security companies,
have detected it in the wild.
The worm attacks web servers and tries to execute its payload on
servers that are not fully protected against a number of known
threats.
A backdoor is installed on infected servers, giving the attacker
remote control over the system without the owner of the system
knowing.
The server then joins a network of compromised systems which can
be used to attack other computers as part of a botnet of “zombie”
computers.
The worm exploits three web server vulnerabilities to propagate
itself: the XML-RPC for PHP remote code injection vulnerability,
the AWStats Rawlog Plugin logfile parameter input validation
vulnerability, and the Darryl Burgdorf Webhints remote command
execution vulnerability.
No security patch is available for the last vulnerability,
although fixes are available to block the first two threats.
The worm tries to spread itself through UDP port 7222, which is
also used to open a backdoor for remote attackers.
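For a defender checking whether the three propagation vectors named above have been tried against a web server, the following access-log scan is an added example that is not part of the article or of the vendors' reports. The script names (xmlrpc.php, awstats.pl, hints.pl), the parameter names and the sample log lines are assumptions and constructed data, not values from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache Combined Log Format: client IP first, request line in the first quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell metacharacters inside a CGI parameter value are the tell-tale for the two
# command-injection bugs (AWStats logfile parameter, Webhints).
SHELL_META = re.compile(r"[|;`]")

# Constructed sample log (not real traffic): one benign GET, one hit per vector, one benign awstats call.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2005:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla"
10.0.0.6 - - [07/Nov/2005:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 88 "-" "-"
10.0.0.7 - - [07/Nov/2005:10:01:04 +0000] "GET /cgi-bin/awstats.pl?logfile=%7Cid%7C HTTP/1.0" 200 1024 "-" "-"
10.0.0.8 - - [07/Nov/2005:10:01:05 +0000] "GET /cgi-bin/hints.pl?hint=%7Cid%7C HTTP/1.0" 200 300 "-" "-"
10.0.0.9 - - [07/Nov/2005:10:01:06 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.0" 200 2048 "-" "-"
"""

def classify_request(line):
    """Return the indicator tags matched by one access-log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()          # assumed script names, see lead-in
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes %7C back to '|'
    tags = []
    if script == "xmlrpc.php" and method == "POST":
        tags.append("xmlrpc-php-post")        # candidate for the XML-RPC for PHP injection; review body
    if script == "awstats.pl" and any(SHELL_META.search(v) for v in params.get("logfile", [])):
        tags.append("awstats-rawlog-logfile")
    if script == "hints.pl" and any(SHELL_META.search(v) for vs in params.values() for v in vs):
        tags.append("webhints-command")
    return tags

def scan_log(text):
    """Return (client_ip, tag) pairs for every flagged line in a log file's text."""
    hits = []
    for line in text.splitlines():
        for tag in classify_request(line):
            hits.append((LOG_RE.match(line).group("ip"), tag))
    return hits
```

Hits on awstats.pl or hints.pl with shell metacharacters warrant checking the server for the UDP port 7222 backdoor the article describes; a bare POST to xmlrpc.php is only a lead and needs the request body to confirm.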
So far the worm has not spread widely, both security companies
said, partly because the server vulnerabilities it exploits are
widely known, although the SANS internet security institute says
it has seen some systems hit already.
If a machine has been infected, Symantec recommends a complete
reinstallation of the operating system, because it will be
difficult to determine what else the computer has been exposed to.