A new worm is attacking Linux-based systems by taking advantage of security vulnerabilities in web servers.
The worm has been called “Lupper” by McAfee and “Plupii” by Symantec which, with other internet security companies, have detected it in the wild.
The worm attacks web servers and tries to execute its payload on servers that are not fully protected against a number of known threats.
A backdoor is installed on infected servers, giving the attacker remote control over the system without the owner of the system knowing.
The server then joins a network of compromised systems which can be used to attack other computers as part of a botnet of “zombie” computers.
The worm exploits three web server vulnerabilities to propagate itself: the XML-RPC for PHP Remote Code Injection vulnerability, the AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability, and the Darryl Burgdorf Webhints Remote Command Execution vulnerability.
No security patch is available for the last vulnerability, although fixes are available to block the first two threats.
The worm tries to spread itself through UDP port 7222, which is also used to open a backdoor for remote attackers.
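As a host-side check for the port mentioned above, the following added example (not from the vendors' advisories) parses the Linux `/proc/net/udp` socket table and reports any socket bound to UDP port 7222. The function names and the sample table are constructed for illustration, and the IPv4 decoding assumes a little-endian host.

```python
import socket
import struct
from pathlib import Path

WORM_PORT = 7222  # UDP port the article says the worm uses

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111\n"
    "  102: 00000000:1C36 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 22222\n"
    "  103: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 33333\n"
)

def decode_ipv4(hexaddr):
    """Decode the kernel's hex IPv4 form (assumes a little-endian host)."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))

def find_port_listeners(table_text, port=WORM_PORT):
    """Return the sockets in a /proc/net/udp-style table bound to `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if int(port_hex, 16) != port:
            continue
        # IPv6 rows (udp6) carry 32 hex digits; keep those undecoded.
        addr = decode_ipv4(addr_hex) if len(addr_hex) == 8 else addr_hex
        hits.append({"address": addr, "port": port,
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return hits

def scan_host():
    """Check the live IPv4 and IPv6 UDP tables where they exist."""
    hits = []
    for name in ("/proc/net/udp", "/proc/net/udp6"):
        path = Path(name)
        if path.exists():
            hits += find_port_listeners(path.read_text())
    return hits

if __name__ == "__main__":
    for hit in scan_host():
        print("UDP socket on port {port}: {address} uid={uid} inode={inode}".format(**hit))
```

A match is only a lead: the inode can be tied to a process through the `/proc/<pid>/fd` links, and a clean result does not show that a host is uninfected.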
So far the worm has not spread widely, both security companies said, partly because the server vulnerabilities it exploits are widely known, although the SANS internet security institute says it has seen some systems hit already.
If a machine has been infected, Symantec recommends complete reinstallation of the operating system, because it will be difficult to determine what else the computer has been exposed to.