McAfee announced the discovery of the worm Linux/Lupper.worm, a variant of Linux/Slapper, last Sunday, 6 November 2005. According to the announcement, the worm attacks web servers without checking whether the vulnerability required for infection exists. McAfee itself rates the risk posed by this malicious code as low, for both corporate and home users.
According to the company:
"The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
This is not a critical situation, but an outdated service, or one with incorrect access settings, can fall victim to this worm. Despite the low risk, it is advisable to check that your environment is not exposed.
Below I reproduce the original text of McAfee's description:
Virus Summary
Virus Name: Linux/Lupper.worm
Risk Assessment:
Corporate User: Low
Home User: Low
Virus Information
Discovery Date: 11/06/2005
Origin: Unknown
Length: Varies
Type: Virus
SubType: Internet Worm
Minimum DAT: 4622 (11/07/2005)
Updated DAT: 4622 (11/07/2005)
Minimum Engine: 4.4.00
Description Added: 11/06/2005
Description Updated: 11/06/2005 2:23 PM (PT)
Virus Characteristics
This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. It is a modified derivative of the Linux/Slapper and BSD/Scalper worms, from which it inherits its propagation strategy. It scans an entire class B subnet created by randomly choosing the first byte from a hard-coded list of class A ranges and randomly generating the second byte.
The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
Like its precedents, the infected computers form a global network of compromised servers based on peer to peer communication principles. This network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes because it can accept remote commands. It is also capable of harvesting email addresses stored in files on the web server.
Symptoms
Presence of the following file:
* /tmp/lupii
One of the following ports is listening:
* UDP 7111
* UDP 7222
Method Of Infection
This worm spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:
* http://[website]/cgi-bin/
* http://[website]/scgi-bin/
* http://[website]/cgi-bin/awstats/
* http://[website]/scgi-bin/awstats/
* http://[website]/cgi/awstats/
* http://[website]/scgi/awstats/
* http://[website]/scripts/
* http://[website]/cgi-bin/stats/
* http://[website]/scgi-bin/stats/
* http://[website]/stats/
* http://[website]/xmlrpc.php
* http://[website]/xmlrpc/xmlrpc.php
* http://[website]/xmlsrv/xmlrpc.php
* http://[website]/blog/xmlrpc.php
* http://[website]/drupal/xmlrpc.php
* http://[website]/community/xmlrpc.php
* http://[website]/blogs/xmlrpc.php
* http://[website]/blogs/xmlsrv/xmlrpc.php
* http://[website]/blog/xmlsrv/xmlrpc.php
* http://[website]/blogtest/xmlsrv/xmlrpc.php
* http://[website]/b2/xmlsrv/xmlrpc.php
* http://[website]/b2evo/xmlsrv/xmlrpc.php
* http://[website]/wordpress/xmlrpc.php
* http://[website]/phpgroupware/xmlrpc.php
* http://[website]/cgi-bin/includer.cgi
* http://[website]/sgi-cgi/includer.cgi
* http://[website]/includer/cgi
* http://[website]/cgi-bin/include/includer.cgi
* http://[website]/scgi-bin/include/includer.cgi
* http://[website]/cgi-bin/inc/includer.cgi
* http://[website]/scgi-bin/inc/includer.cgi
* http://[website]/cgi-local/includer.cgi
* http://[website]/scgi-local/includer.cgi
* http://[website]/cgi/includer.cgi
* http://[website]/scgi/includer.cgi
* http://[website]/hints.pl
* http://[website]/cgi/hints.pl
* http://[website]/scgi/hints.pl
* http://[website]/cgi-bin/hints.pl
* http://[website]/scgi-bin/hints.pl
* http://[website]/hints/hints.pl
* http://[website]/cgi-bin/webhints/hints.pl
* http://[website]/scgi-bin/webhints/hints.pl
* http://[website]/hints.cgi
* http://[website]/cgi/hints.cgi
* http://[website]/scgi/hints.cgi
* http://[website]/cgi-bin/hints.cgi
* http://[website]/scgi-bin/hints.cgi
* http://[website]/hints/hints.cgi
* http://[website]/cgi-bin/hints/hints.cgi
* http://[website]/scgi-bin/hints/hints.cgi
* http://[website]/webhints/hints.cgi
* http://[website]/cgi-bin/webhints/hints.cgi
* http://[website]/scgi-bin/webhints/hints.cgi
Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants (Name / Type / Sub Type / Differences): no known variants
Aliases: no known aliases
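The following script is an added example, not part of McAfee's description or of the original post. It turns the two indicator sets above into checks a Linux administrator can run or adapt: the host symptoms (the file /tmp/lupii and a listener on UDP 7111 or 7222, read from /proc/net/udp, where state 07 marks an unconnected, i.e. bound, UDP socket) and the infection vector (web requests for the script names in the URL list: xmlrpc.php, includer.cgi, hints.pl and hints.cgi). The directory-only entries in the list (cgi-bin, awstats, stats) are too generic to match by name and are not used. The /proc/net/udp snippet and the Apache combined-format log lines are constructed sample data; the function names and the file_exists parameter are this example's own.

```python
"""Host and web-log checks for the Linux/Lupper.worm indicators (added example)."""
import os
import re

# Indicators taken from the McAfee description.
LUPPER_FILE = "/tmp/lupii"
LUPPER_UDP_PORTS = {7111, 7222}
# Final path components of the URLs the worm probes (prefixes vary, names do not).
LUPPER_TARGET_NAMES = {"xmlrpc.php", "includer.cgi", "hints.pl", "hints.cgi"}

# Constructed sample of /proc/net/udp: DNS on 127.0.0.1:53 and a socket bound to 0.0.0.0:7111.
SAMPLE_PROC_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:1BC7 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
"""

# Constructed Apache combined-format log lines: one normal request, then three worm-style probes.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2005:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [06/Nov/2005:12:01:05 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 311 "-" "-"
10.0.0.9 - - [06/Nov/2005:12:01:06 +0000] "GET /cgi-bin/hints.pl?show=hint HTTP/1.0" 404 210 "-" "-"
10.0.0.9 - - [06/Nov/2005:12:01:07 +0000] "GET /cgi-bin/includer.cgi HTTP/1.0" 404 210 "-" "-"
"""


def parse_proc_net_udp(text):
    """Return the set of local UDP ports whose socket is in state 07 (bound, unconnected)."""
    ports = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]  # e.g. "00000000:1BC7", "07"
        if state == "07":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def check_host(proc_udp_text, file_exists=os.path.exists):
    """Evaluate both host symptoms. file_exists is injectable so the check can run offline."""
    suspect = parse_proc_net_udp(proc_udp_text) & LUPPER_UDP_PORTS
    return {
        "file_present": bool(file_exists(LUPPER_FILE)),
        "suspect_udp_ports": sorted(suspect),
    }


# Minimal parser for Apache combined/common log format: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one record per request whose target script name is on the worm's list.

    script_present distinguishes a probe that found a script (2xx/3xx) from one that
    hit a missing path (4xx/5xx); only the former deserves a closer look at the host.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if path.rsplit("/", 1)[-1] in LUPPER_TARGET_NAMES:
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": status,
                "script_present": status < 400,
            })
    return hits


if __name__ == "__main__":
    # On a real Linux host, read the live socket table; fall back to the sample elsewhere.
    try:
        with open("/proc/net/udp") as fh:
            udp_text = fh.read()
    except OSError:
        udp_text = SAMPLE_PROC_UDP
    print("host:", check_host(udp_text))
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("log:", hit)
```

Run it on a live host and then pipe a real access log into scan_access_log; a listener on 7111/7222 or the file in /tmp is the strong signal, while a burst of probes for these four script names from a single address is the early warning that the scanner has reached you, whether or not the scripts exist.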
Source: Linux Day Log