McAfee reports the appearance of Linux/Lupper.worm

Started by FaBMak, 08 November 2005, 23:45


FaBMak

McAfee announced the discovery of the worm Linux/Lupper.worm, a variant of Linux/Slapper, last Sunday, 6/11/2005. According to the announcement, this worm attacks web servers without checking whether the vulnerability required for infection actually exists. McAfee itself rates the risk posed by this malicious code as low, for corporate and home users alike.

According to the company,

   The worm blindly attacks web servers by sending malicious http requests to port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to allow external shell command execution and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

It is not a critical situation, but an outdated service, or one with incorrect access settings, can fall victim to this worm. Despite the low risk, it is advisable to check that your environment is not exposed.

I reproduce below the original text of McAfee's description:

   Virus Summary
   Virus Name: Linux/Lupper.worm
   Risk Assessment: Corporate User: Low; Home User: Low

   Virus Information
   Discovery Date: 11/06/2005
   Origin: Unknown
   Length: Varies
   Type: Virus
   SubType: Internet Worm
   Minimum DAT: 4622 (11/07/2005)
   Updated DAT: 4622 (11/07/2005)
   Minimum Engine: 4.4.00
   Description Added: 11/06/2005
   Description Updated: 11/06/2005 2:23 PM (PT)

   Virus Characteristics

   This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. It is a modified derivative of the Linux/Slapper and BSD/Scalper worms from which it inherits the propagation strategy. It scans an entire class B subnet created by randomly choosing the first byte from an hard-coded list of A classes and randomly generating the second byte.

   The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

   Like its precedents, the infected computers form a global network of compromised servers based on peer to peer communication principles. This network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes because it can accept remote commands. It is also capable of harvesting email addresses stored in files on the web server.

   Symptoms

   Presence of the following file:

   * /tmp/lupii

   One of the following ports are listening:

   * UDP 7111
   * UDP 7222

   Method Of Infection

   This worm spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:

   * http://[website]/cgi-bin/
   * http://[website]/scgi-bin/
   * http://[website]/cgi-bin/awstats/
   * http://[website]/scgi-bin/awstats/
   * http://[website]/cgi/awstats/
   * http://[website]/scgi/awstats/
   * http://[website]/scripts/
   * http://[website]/cgi-bin/stats/
   * http://[website]/scgi-bin/stats/
   * http://[website]/stats/
   * http://[website]/xmlrpc.php
   * http://[website]/xmlrpc/xmlrpc.php
   * http://[website]/xmlsrv/xmlrpc.php
   * http://[website]/blog/xmlrpc.php
   * http://[website]/drupal/xmlrpc.php
   * http://[website]/community/xmlrpc.php
   * http://[website]/blogs/xmlrpc.php
   * http://[website]/blogs/xmlsrv/xmlrpc.php
   * http://[website]/blog/xmlsrv/xmlrpc.php
   * http://[website]/blogtest/xmlsrv/xmlrpc.php
   * http://[website]/b2/xmlsrv/xmlrpc.php
   * http://[website]/b2evo/xmlsrv/xmlrpc.php
   * http://[website]/wordpress/xmlrpc.php
   * http://[website]/phpgroupware/xmlrpc.php
   * http://[website]/cgi-bin/includer.cgi
   * http://[website]/sgi-cgi/includer.cgi
   * http://[website]/includer/cgi
   * http://[website]/cgi-bin/include/includer.cgi
   * http://[website]/scgi-bin/include/includer.cgi
   * http://[website]/cgi-bin/inc/includer.cgi
   * http://[website]/scgi-bin/inc/includer.cgi
   * http://[website]/cgi-local/includer.cgi
   * http://[website]/scgi-local/includer.cgi
   * http://[website]/cgi/includer.cgi
   * http://[website]/scgi/includer.cgi
   * http://[website]/hints.pl
   * http://[website]/cgi/hints.pl
   * http://[website]/scgi/hints.pl
   * http://[website]/cgi-bin/hints.pl
   * http://[website]/scgi-bin/hints.pl
   * http://[website]/hints/hints.pl
   * http://[website]/cgi-bin/webhints/hints.pl
   * http://[website]/scgi-bin/webhints/hints.pl
   * http://[website]/hints.cgi
   * http://[website]/cgi/hints.cgi
   * http://[website]/scgi/hints.cgi
   * http://[website]/cgi-bin/hints.cgi
   * http://[website]/scgi-bin/hints.cgi
   * http://[website]/hints/hints.cgi
   * http://[website]/cgi-bin/hints/hints.cgi
   * http://[website]/scgi-bin/hints/hints.cgi
   * http://[website]/webhints/hints.cgi
   * http://[website]/cgi-bin/webhints/hints.cgi
   * http://[website]/scgi-bin/webhints/hints.cgi

   Removal Instructions
   AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

   Additional Windows ME/XP removal considerations

   Variants
   no known variants

   Aliases
   no known aliases

Source: Linux Day Log
"Do not believe impossible what merely seems improbable." (Shakespeare)
fabmak://website
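A defender-side check for the indicators quoted in the advisory above (requests to the listed URL paths, the file /tmp/lupii, and UDP listeners on 7111 and 7222), written here as an added example; it is not McAfee's code nor the poster's. It assumes an Apache/NCSA combined-format access log and the Linux /proc/net/udp layout; the sample log lines, the /proc/net/udp excerpt and the LUPPER_PATHS subset are constructed for the example.

```python
import os
import re
from collections import defaultdict

# Subset of the URL paths listed in the advisory (extend with the full list).
LUPPER_PATHS = (
    "/cgi-bin/awstats/",
    "/cgi-bin/includer.cgi",
    "/cgi-bin/hints.pl",
    "/cgi-bin/webhints/hints.cgi",
    "/xmlrpc.php",
    "/blog/xmlrpc.php",
    "/wordpress/xmlrpc.php",
    "/drupal/xmlrpc.php",
)
INDICATOR_FILE = "/tmp/lupii"          # file the advisory names as a symptom
INDICATOR_UDP_PORTS = (7111, 7222)     # UDP listeners the advisory names

# NCSA common/combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def matches_lupper_path(path):
    """Exact match for script entries; prefix match for directory entries."""
    return any(path == p or (p.endswith("/") and path.startswith(p))
               for p in LUPPER_PATHS)


def scan_access_log(lines, min_distinct=3):
    """Group hits on advisory paths by source IP.

    Returns {ip: sorted distinct probed paths} for sources that touched at
    least `min_distinct` listed paths: one xmlrpc.php POST is normal blog
    traffic, a burst across unrelated paths is the worm's blind scan.
    """
    probed = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, _status = parsed
        if matches_lupper_path(path):
            probed[ip].add(path)
    return {ip: sorted(p) for ip, p in probed.items() if len(p) >= min_distinct}


def listening_udp_ports(proc_net_udp_text):
    """Parse /proc/net/udp text into the set of bound local ports (hex field)."""
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 2:
            continue
        _addr, port_hex = fields[1].rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports


def lupper_udp_ports(proc_net_udp_text):
    """Only the advisory's indicator ports that are actually bound."""
    return sorted(p for p in listening_udp_ports(proc_net_udp_text)
                  if p in INDICATOR_UDP_PORTS)


def check_host(proc_udp_path="/proc/net/udp", indicator_file=INDICATOR_FILE):
    """Live check on a Linux host; returns a dict of findings (empty = clean)."""
    findings = {}
    if os.path.exists(indicator_file):
        findings["file"] = indicator_file
    try:
        with open(proc_udp_path) as fh:
            ports = lupper_udp_ports(fh.read())
    except OSError:
        ports = []
    if ports:
        findings["udp_ports"] = ports
    return findings


# Constructed sample log (not from a real server): one scanner hitting several
# advisory paths, one ordinary blog client, one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2005:10:12:01 -0300] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 210
203.0.113.7 - - [08/Nov/2005:10:12:01 -0300] "POST /xmlrpc.php HTTP/1.0" 200 512
203.0.113.7 - - [08/Nov/2005:10:12:02 -0300] "POST /blog/xmlrpc.php HTTP/1.0" 404 210
203.0.113.7 - - [08/Nov/2005:10:12:02 -0300] "GET /cgi-bin/includer.cgi HTTP/1.0" 404 210
198.51.100.9 - - [08/Nov/2005:10:15:40 -0300] "POST /xmlrpc.php HTTP/1.1" 200 1203
198.51.100.9 - - [08/Nov/2005:10:15:41 -0300] "GET /index.php HTTP/1.1" 200 4410
garbage line that does not parse
"""

# Constructed /proc/net/udp excerpt: DNS on 53 (0x0035) plus a 7111 (0x1BC7) listener.
SAMPLE_PROC_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 0
   1: 00000000:1BC7 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 5678 2 0
"""

if __name__ == "__main__":
    print("scanning sources:", scan_access_log(SAMPLE_LOG.splitlines()))
    print("udp indicators in sample:", lupper_udp_ports(SAMPLE_PROC_UDP))
    print("this host:", check_host())
```

The directory entries in the advisory (/cgi-bin/, /stats/ and so on) are far too broad to alert on individually, which is why the log scan keys on how many distinct listed paths a single source touches rather than on any one request; tune min_distinct to the site's normal traffic. The host check reads /proc/net/udp directly so it works without netstat or ss, and the parsing is split out so it can be tested on a captured excerpt.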

RenatoPG

Hmm.... which free antivirus is good for Linux?
I configured the firewall, but it is always good to have an antivirus at hand.

Marcus VBP

hehehe
it affects systems that use xmlrpc, which, coincidentally, I use... =|

Renato, I think there is no antivirus specifically for Linux viruses, because they are very, very rare.
I'm not sure, but I think the antivirus programs for Linux are there to scan infected Windows machines on the network, eheheh

cheers.