Linux.Plupii aka Linux/Lupper.worm

Nov 8, 2005 15:40 GMT

For the past few days, a new worm called Linux.Plupii or Linux/Lupper.worm has been crawling the Internet, trying to exploit three different web-service holes to infect systems running Linux.

The three security holes the worm attacks are the XML-RPC for PHP Remote Code Injection vulnerability, the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability.

The first vulnerability, in XML-RPC for PHP, is present in many web applications, including PostNuke, Drupal, b2evolution, Xoops, WordPress, PHPGroupWare and TikiWiki. Most of these applications have been updated to address the security flaw. AWStats is an open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Webhints is an older script which sets up and maintains a "Hint of the Day" page (be it a quote, a tip, a joke, etc.). Version 1.3 is vulnerable to attack. So far, there hasn't been any fix published for this vulnerability.

When Plupii manages to infect a server, it automatically sends a notice to the attacker through ports 7222 or 7111, then it opens a backdoor which the hacker will use to take over the system. Afterwards, Plupii generates a variety of URLs which it will use in an attempt to find and infect other vulnerable systems.
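
As a detection aid for the notification behaviour described above, this added example (not part of the original article) scans firewall egress logs for outbound packets to ports 7222 or 7111 and groups them by source host. The netfilter-style log lines, the `EGRESS` log prefix, the host names and the addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Notification ports named in the article; the article does not state the
# transport protocol, so both TCP and UDP packets are matched.
PLUPII_PORTS = {7111, 7222}

# key=value fields of a netfilter LOG line (value may be empty, e.g. "IN=").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: syslog lines from a hypothetical egress rule with the
# log prefix "EGRESS". Addresses come from the documentation ranges.
SAMPLE_LOG = """\
Nov  8 15:01:12 web01 kernel: EGRESS IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=41822 DPT=80
Nov  8 15:02:40 web01 kernel: EGRESS IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.66 LEN=44 PROTO=UDP SPT=32771 DPT=7222
Nov  8 15:02:41 web01 kernel: EGRESS IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.66 LEN=44 PROTO=UDP SPT=32771 DPT=7222
Nov  8 15:03:05 web02 kernel: EGRESS IN= OUT=eth0 SRC=192.0.2.11 DST=203.0.113.90 LEN=60 PROTO=TCP SPT=50112 DPT=7111
Nov  8 15:04:18 web02 kernel: INGRESS IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=7222 DPT=80
Nov  8 15:05:00 web03 kernel: EGRESS IN= OUT=eth0 SRC=192.0.2.12 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=7111 DPT=443
"""


def find_plupii_egress(log_text, ports=PLUPII_PORTS):
    """Return {source_ip: [(dest_ip, proto, dport), ...]} for outbound packets
    whose destination port is one of the worm's notification ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        # Outbound only: locally generated packets have an empty IN= field
        # and a non-empty OUT= interface.
        if fields.get("IN") != "" or not fields.get("OUT"):
            continue
        dpt = fields.get("DPT", "")
        # Match on destination port only; a matching source port is noise.
        if dpt.isdigit() and int(dpt) in ports:
            hits[fields.get("SRC", "?")].append(
                (fields.get("DST", "?"), fields.get("PROTO", "?"), int(dpt)))
    return dict(hits)


if __name__ == "__main__":
    for src, events in sorted(find_plupii_egress(SAMPLE_LOG).items()):
        dests = sorted({f"{d}:{p} ({proto})" for d, proto, p in events})
        print(f"{src}: {len(events)} packet(s) to {', '.join(dests)}")
```

A hit on a web server that runs one of the affected applications is a reason to inspect that host; other software can legitimately use these ports, so a match is a lead, not proof of infection.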