A new worm is targeting Linux systems by exploiting Web server flaws. Several antivirus firms say Lupper-A leaves backdoors on infected machines that could be used to launch distributed denial-of-service attacks and harvest e-mail addresses stored on the vulnerable Web servers.
Lupper doesn't seem to be spreading much at the moment. But since worm attacks against Linux systems are rare when compared to those affecting Windows, security researchers are keeping an eye on it.
According to Santa Clara, Calif.-based McAfee, Lupper spreads by exploiting Web servers that host vulnerable PHP/CGI scripts. "It is a modified derivative of the Linux/Slapper and BSD/Scalper worms from which it inherits the propagation strategy," McAfee said in its advisory. "The worm blindly attacks Web servers by sending malicious HTTP requests on Port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
McAfee said the computers Lupper infects form a global network of compromised servers based on peer-to-peer communication principles. "This network can be used for distributed denial of service (DDoS) attacks or other purposes because it can accept remote commands," the firm added. "It is also capable of harvesting e-mail addresses stored in files on the Web server."
Islandia, N.Y.-based Computer Associates said in an advisory that Lupper also opens a UDP backdoor on Port 7111 that allows a remote controller unauthorized access to the affected machine.
Cupertino, Calif.-based Symantec has named the worm Linux.Plupii and said that when executed, it:
- Sends a notification message to an attacker at a remote IP address through UDP Port 7222;
- Opens a back door on UDP port 7222, which enables a remote attacker to have unauthorized access to the compromised computer;
- Generates URLs that include a variety of strings, which are listed in the firm's advisory;
- Sends HTTP requests to the URLs it generates and attempts to spread by exploiting an XML-RPC for PHP remote code injection vulnerability, an AWStats rawlog plugin logfile parameter input validation vulnerability and the Darryl Burgdorf Webhints remote command execution vulnerability;
- Attempts to download and execute a copy of itself from the following Web site: [http://]18.104.22.168/[REMOVED]/lupii; and
- Saves the copy of the worm it downloads as the following file: /tmp/lupii.
The Symantec advisory links to other bulletins with additional information on the vulnerabilities the worm exploits.
As antivirus firms monitor Lupper's movements, Danish vulnerability clearinghouse Secunia is warning of another Linux-based flaw.
A vulnerability in Linux-ftpd-ssl "is caused due to the unsafe use of the 'vsprintf()' function in the FTP server to generate replies in response to commands received from the FTP client," Secunia said. "This causes a stack-based buffer overflow when the output of a command exceeds 2,048 bytes. The vulnerability can be exploited by creating multiple levels of sub-directories with long names, and then issuing the 'XPWD' command when at the lowest level sub-directory. The resulting path name that is generated in response to the 'XPWD' will exceed 2,048 bytes, overflowing the stack-buffer."
Secunia said users should guard against the flaw by granting only trusted users access to the FTP server.
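The class of bug Secunia describes, shown as an added example that is not code from Linux-ftpd-ssl or from this article: a reply formatter bounded with vsnprintf() that refuses an over-long path instead of writing past the 2,048-byte buffer. The function names, the reply wording and the constructed 3,030-byte path are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 2048 /* reply buffer size named in the advisory */

/* Unsafe pattern: char buf[REPLY_MAX]; vsprintf(buf, fmt, ap);
 * vsprintf() writes however many bytes the output needs, past the buffer.
 * Bounded version below. Returns reply length, or -1 (and a short fixed
 * error reply in out) when the formatted reply plus CRLF would not fit. */
static int format_reply(char *out, size_t outsz, int code, const char *fmt, ...)
{
    va_list ap;
    int head = snprintf(out, outsz, "%d ", code);
    if (head < 0 || (size_t)head >= outsz)
        return -1;
    size_t space = outsz - (size_t)head;
    va_start(ap, fmt);
    int body = vsnprintf(out + head, space, fmt, ap);
    va_end(ap);
    /* vsnprintf returns the length it needed; keep room for CRLF and NUL. */
    if (body < 0 || (size_t)body + 2 >= space) {
        snprintf(out, outsz, "550 Path name too long.\r\n");
        return -1;
    }
    memcpy(out + head + body, "\r\n", 3);
    return head + body + 2;
}

/* Constructed input: depth directories, each named with namelen 'A's. */
static size_t build_deep_path(char *path, size_t sz, int depth, int namelen)
{
    size_t n = 0;
    for (int d = 0; d < depth && n + (size_t)namelen + 2 <= sz; d++) {
        path[n++] = '/';
        memset(path + n, 'A', (size_t)namelen);
        n += (size_t)namelen;
    }
    path[n] = '\0';
    return n;
}

int main(void)
{
    char path[4096], reply[REPLY_MAX];
    build_deep_path(path, sizeof path, 30, 100); /* 3030-byte path */
    int n = format_reply(reply, sizeof reply, 257, "\"%s\" is current directory.", path);
    printf("%d: %s", n, reply);
    return 0;
}
```

The check on vsnprintf()'s return value matters as much as the size argument: silently truncating a path would send the client a wrong directory name.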