Author Topic: McAfee reports the appearance of Linux/Lupper.worm  (Read 4080 times)

FaBMak (Administrator)

McAfee reports the appearance of Linux/Lupper.worm
« on: November 08, 2005, 23:45 »
McAfee announced the discovery of the Linux/Lupper.worm worm, a variant of Linux/Slapper, last Sunday, 6 November 2005. According to the announcement, the worm attacks web servers without checking whether the vulnerability needed for infection exists. McAfee itself rates the risk posed by this malicious code as low, for both corporate and home users.

According to the company,

    The worm blindly attacks web servers by sending malicious HTTP requests to port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to allow external shell commands and remote file downloads in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

It is not a critical situation, but an outdated service, or one with incorrect access settings, can become a victim of this worm. Despite the low risk, it is advisable to check that your environment is not at risk.

Below I reproduce the original text of McAfee's description:

    Virus Summary
    Virus Name: Linux/Lupper.worm
    Risk Assessment:
    Corporate User : Low
    Home User : Low

    Virus Information
    Discovery Date: 11/06/2005
    Origin: Unknown
    Length: Varies
    Type: Virus
    SubType: Internet Worm
    Minimum DAT: 4622 (11/07/2005)
    Updated DAT: 4622 (11/07/2005)
    Minimum Engine: 4.4.00
    Description Added: 11/06/2005
    Description Updated: 11/06/2005 2:23 PM (PT)

    Virus Characteristics

    This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. It is a modified derivative of the Linux/Slapper and BSD/Scalper worms from which it inherits the propagation strategy. It scans an entire class B subnet created by randomly choosing the first byte from a hard-coded list of A classes and randomly generating the second byte.

    The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

    Like its precedents, the infected computers form a global network of compromised servers based on peer to peer communication principles. This network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes because it can accept remote commands. It is also capable of harvesting email addresses stored in files on the web server.

    Symptoms

    Presence of the following file:

    * /tmp/lupii

    One of the following ports is listening:

    * UDP 7111
    * UDP 7222

    Method Of Infection

    This worm spreads by exploiting specific PHP/CGI script vulnerabilities that could be hosted on the following URLs:

    * http://[website]/cgi-bin/
    * http://[website]/scgi-bin/
    * http://[website]/cgi-bin/awstats/
    * http://[website]/scgi-bin/awstats/
    * http://[website]/cgi/awstats/
    * http://[website]/scgi/awstats/
    * http://[website]/scripts/
    * http://[website]/cgi-bin/stats/
    * http://[website]/scgi-bin/stats/
    * http://[website]/stats/
    * http://[website]/xmlrpc.php
    * http://[website]/xmlrpc/xmlrpc.php
    * http://[website]/xmlsrv/xmlrpc.php
    * http://[website]/blog/xmlrpc.php
    * http://[website]/drupal/xmlrpc.php
    * http://[website]/community/xmlrpc.php
    * http://[website]/blogs/xmlrpc.php
    * http://[website]/blogs/xmlsrv/xmlrpc.php
    * http://[website]/blog/xmlsrv/xmlrpc.php
    * http://[website]/blogtest/xmlsrv/xmlrpc.php
    * http://[website]/b2/xmlsrv/xmlrpc.php
    * http://[website]/b2evo/xmlsrv/xmlrpc.php
    * http://[website]/wordpress/xmlrpc.php
    * http://[website]/phpgroupware/xmlrpc.php
    * http://[website]/cgi-bin/includer.cgi
    * http://[website]/sgi-cgi/includer.cgi
    * http://[website]/includer/cgi
    * http://[website]/cgi-bin/include/includer.cgi
    * http://[website]/scgi-bin/include/includer.cgi
    * http://[website]/cgi-bin/inc/includer.cgi
    * http://[website]/scgi-bin/inc/includer.cgi
    * http://[website]/cgi-local/includer.cgi
    * http://[website]/scgi-local/includer.cgi
    * http://[website]/cgi/includer.cgi
    * http://[website]/scgi/includer.cgi
    * http://[website]/hints.pl
    * http://[website]/cgi/hints.pl
    * http://[website]/scgi/hints.pl
    * http://[website]/cgi-bin/hints.pl
    * http://[website]/scgi-bin/hints.pl
    * http://[website]/hints/hints.pl
    * http://[website]/cgi-bin/webhints/hints.pl
    * http://[website]/scgi-bin/webhints/hints.pl
    * http://[website]/hints.cgi
    * http://[website]/cgi/hints.cgi
    * http://[website]/scgi/hints.cgi
    * http://[website]/cgi-bin/hints.cgi
    * http://[website]/scgi-bin/hints.cgi
    * http://[website]/hints/hints.cgi
    * http://[website]/cgi-bin/hints/hints.cgi
    * http://[website]/scgi-bin/hints/hints.cgi
    * http://[website]/webhints/hints.cgi
    * http://[website]/cgi-bin/webhints/hints.cgi
    * http://[website]/scgi-bin/webhints/hints.cgi

    Removal Instructions
    AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants
    Name Type Sub Type Differences
    no known variants

    Aliases
    Name
    no known aliases

Source: Linux Day Log
"Do not believe impossible what merely seems improbable." (Shakespeare)
fabmak://website | http://twitter.com/fabmak
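
A triage sketch for the indicators in the McAfee description quoted in the post above, added here as an example and not part of the original thread or of McAfee's text. It flags log sources that requested several of the listed scripts (the blind probing the description mentions), lists the listed scripts that actually answered, and checks the two "Symptoms" items; the Apache log format, the saved `ss -uln` output, the threshold of three paths and all sample data are assumptions.

```python
import os
import re
from collections import defaultdict

# Script names taken from the URL list in the McAfee description above.
LISTED = re.compile(r"/(awstats|xmlrpc\.php|includer\.cgi|hints\.(?:pl|cgi))")
# Apache common/combined log format (assumed): client IP, request path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')
WORM_UDP_PORTS = {7111, 7222}  # listening ports named under "Symptoms"
WORM_FILE = "/tmp/lupii"       # file named under "Symptoms"

def probes_by_source(lines):
    """Map client IP -> {path: status} for requests to listed scripts."""
    seen = defaultdict(dict)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group(2).split("?", 1)[0].lower()  # ignore the query string
        if LISTED.search(path):
            seen[m.group(1)][path] = int(m.group(3))
    return dict(seen)

def blind_scanners(lines, min_paths=3):
    """Sources that tried several distinct listed paths (assumed threshold)."""
    return sorted(ip for ip, paths in probes_by_source(lines).items()
                  if len(paths) >= min_paths)

def exposed_paths(lines):
    """Listed paths that answered 2xx: the script exists, so review and patch it."""
    return sorted({path for paths in probes_by_source(lines).values()
                   for path, status in paths.items() if 200 <= status < 300})

def host_symptoms(ss_text, worm_file=WORM_FILE):
    """Check the 'Symptoms' list against saved `ss -uln` output and the disk."""
    ports = {int(p) for p in re.findall(r":(\d+)(?=\s)", ss_text + "\n")}
    return {"file": os.path.exists(worm_file),
            "udp": sorted(ports & WORM_UDP_PORTS)}

# Constructed sample data (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2005:10:00:01 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.1" 404 209',
    '192.0.2.10 - - [08/Nov/2005:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Nov/2005:10:00:02 +0000] "GET /cgi-bin/hints.pl HTTP/1.1" 404 209',
    '198.51.100.7 - - [08/Nov/2005:10:05:00 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 640',
    '198.51.100.7 - - [08/Nov/2005:10:05:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
SAMPLE_SS = ("State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
             "UNCONN 0      0      0.0.0.0:7222       0.0.0.0:*\n"
             "UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*\n")
```

A 2xx on a listed path only shows that the script is installed; whether it is a vulnerable version still has to be checked against the vendor's fixes.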

RenatoPG (Guest)

McAfee reports the appearance of Linux/Lupper.worm
« Reply #1 on: November 09, 2005, 00:19 »
Hmm.... which free antivirus is good for Linux?
I configured the firewall, but it's always good to have an antivirus on hand.

Marcus VBP

McAfee reports the appearance of Linux/Lupper.worm
« Reply #2 on: November 09, 2005, 06:46 »
hehehe
it affects systems that use xmlrpc, which coincidentally I use... =|

Renato, I don't think there is an antivirus specifically for Linux viruses, since they are very, very rare.
I'm not sure, but I think the antiviruses for Linux are meant for scanning infected Windows machines on the network, hehehe

Cheers.