mypapit gnu/linux blog

Unix worm that exploits vulnerable PHP/CGI scripts

Posted by mypapit on 10 Nov 2005 in GNU/Linux, Other Operating System, Other Programming Language

Please secure and patch your PHP scripts, especially the one that uses xml-rpc protocol. The Linux/Lupper.worm (a variant of BSD/Scalper) might infect your system.

This worm spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:

….
# http://[website]/stats/
# http://[website]/xmlrpc.php
# http://[website]/xmlrpc/xmlrpc.php
# http://[website]/xmlsrv/xmlrpc.php
# http://[website]/blog/xmlrpc.php
# http://[website]/drupal/xmlrpc.php
# http://[website]/community/xmlrpc.php
# http://[website]/blogs/xmlrpc.php
# http://[website]/blogs/xmlsrv/xmlrpc.php
# http://[website]/blog/xmlsrv/xmlrpc.php
# http://[website]/blogtest/xmlsrv/xmlrpc.php
# http://[website]/b2/xmlsrv/xmlrpc.php
# http://[website]/b2evo/xmlsrv/xmlrpc.php
# http://[website]/wordpress/xmlrpc.php
# http://[website]/phpgroupware/xmlrpc.php
…

Source : McAfee virus information library

Bookmark this article

• 
• 
• 
• 
• 
• 
• 
• 
• 
• 

Keep updated with this website! : Subscribe to your email

blog blogs browser computer Computers debian desktop firefox funny gnome google gutsy gutsy gibbon hardware hardy hardy heron internet laptop linux malaysia Mobile mozilla openoffice opensource open source personal security tips ubuntu windows

WP Cumulus Flash tag cloud by Roy Tanck and Luke Morton requires Flash Player 9 or better.

Recommended Reading

• Windows users – UWIN an alternative to CYGWIN
• Linux / Unix command line sex jokes
• Secure your computer from viruses and other threats
• NanoBlogger – a weblog engine in bash
• Gnomefiles – the GTK+ software repository
• How to use FTP filesystem on Ubuntu using CurlFtpFS

1. jlchannel Said:
   November 11th, 2005 at 10:09 am

   Opps, one of my server Log Watch show as below:

   /WebCalendar/tools/send_reminders.php?incl … m%20-rf%20sess*: 10 Time(s)
   /_vti_bin/_vti_aut/fp30reg.dll: 31 Time(s)
   /awstats/awstats.pl?configdir=|echo;echo%2 … cho%20YYY;echo|: 83 Time(s)
   /blog/xmlrpc.php: 82 Time(s)
   /blog/xmlsrv/xmlrpc.php: 81 Time(s)
   /blogs/xmlsrv/xmlrpc.php: 80 Time(s)
   /cgi-bin/awstats.pl?configdir=|echo;echo%2 … cho%20YYY;echo|: 82 Time(s)
   /cgi-bin/awstats/awstats.pl?configdir=|ech … cho%20YYY;echo|: 82 Time(s)
   /drupal/xmlrpc.php: 80 Time(s)
   /phpgroupware/xmlrpc.php: 79 Time(s)
   /webcalendar/tools/send_reminders.php?incl … m%20-rf%20sess*: 10 Time(s)
   /wordpress/xmlrpc.php: 79 Time(s)
   /xmlrpc.php: 161 Time(s)
   /xmlrpc/xmlrpc.php: 79 Time(s)
   /xmlsrv/xmlrpc.php: 79 Time(s)

2. mypapit Said:
   November 11th, 2005 at 12:01 pm

   Seems like somebody is trying to find vulnerabilities at that location…

3. still using XML-RPC for PHP? Beware at Ah Knight’s Blog Said:
   November 11th, 2005 at 12:14 pm

   [...] 1 mypapit gnu/linux blog Trackback on Nov 10th, 2005 at 7:08 pm [...]

4. Windows vs Mac Security Said:
   August 25th, 2006 at 9:57 am

   [...] Re:UNIX and viruses (Score:0, Flamebait) by PixieDust (971386) on Wednesday August 23, @02:10PM (#15964214) Of course. How silly of us To think that it could be possible for Unix to be vulnerable to a virus or worm, or other such malware? [zdnet.co.uk] I mean, it isn’t like there are any threats [mypapit.net] out there that could possibly infect a *nix based system. [securityfocus.com] [...]