Linux “Lupper-b” Worm

Recently there have been a number of remotely exploitable vulnerabilities for Linux that have been widely used by remote attackers. I see a lot of vulnerability probes on machines directly connected to the Internet; the most common probes are for the Awstats and XML-RPC vulnerabilities.

This week I noticed a variation of these probes that indicated something new was afoot. After a bit of googling on the actual wget request used during the probe, I discovered there is a new version of the “Lupper” Linux worm on the loose. “Lupper-b”, as it is called, uses a quartet of remotely exploitable vulnerabilities to install itself on host systems.

The four vulnerabilities are found in the Awstats, XML-RPC, Webhints and Includer applications. The worm itself carries a proxy server and a backdoor shell on UDP port 7222; I have also seen mention of an IRC bot included in some cases.

Interestingly enough, while googling the attack string looking for information I actually googled up a vulnerable server or two (or 50, who’s counting?). All in all it’s a fairly slick worm in that it has a combined exploit capacity and a UDP back door shell.

The paths to vulnerable applications are as follows:
“Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats.pl script at the following locations:

/cgi-bin/awstats.pl
/scgi-bin/awstats.pl
/awstats/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi/awstats/awstats.pl
/scgi/awstats/awstats.pl
/scripts/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi-bin/stats/awstats.pl
/scgi-bin/stats/awstats.pl
/stats/awstats.pl

Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:

/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php

Trying to exploit the Webhints vulnerability, the worm attempts to submit its commands to the following scripts:

/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi

Trying to exploit the Includer vulnerability, the worm attempts to submit its commands to the following scripts:

/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi”

A full writeup on the worm is available from Computer Associates; be sure to follow the links on the specific vulnerabilities so you get the full gist of the attack vector.
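For spotting these probes in your own web server logs, here is an added example (not part of the original post or the Computer Associates writeup). It matches requests by the script names in the quoted path lists and reports clients that probe more than one of the four applications, noting any probed path that answered with a 2xx status. The log format (Apache/NCSA common), the `min_families` threshold and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Script names taken from the probe paths quoted above, grouped by application.
FAMILIES = {
    "awstats": ("awstats.pl",),
    "xmlrpc": ("xmlrpc.php",),
    "webhints": ("hints.pl", "hints.cgi"),
    "includer": ("includer.cgi",),
}
SCRIPT_TO_FAMILY = {s: fam for fam, names in FAMILIES.items() for s in names}

# Apache/NCSA common log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(url):
    """Return the application family a request URL targets, or None."""
    path = url.split("?", 1)[0].lower()
    return SCRIPT_TO_FAMILY.get(path.rsplit("/", 1)[-1])

def scan(lines, min_families=2):
    """Map each client probing >= min_families applications to its findings."""
    seen = defaultdict(lambda: {"families": set(), "answered": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, url, status = m.groups()
        family = classify(url)
        if family is None:
            continue
        seen[client]["families"].add(family)
        if status.startswith("2"):  # script exists here: check its patch level
            seen[client]["answered"].append(url.split("?", 1)[0])
    return {c: v for c, v in seen.items() if len(v["families"]) >= min_families}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:04:12:01 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 290',
    '192.0.2.10 - - [01/Jan/2000:04:12:02 +0000] "POST /xmlrpc.php HTTP/1.0" 404 281',
    '192.0.2.10 - - [01/Jan/2000:04:12:02 +0000] "GET /cgi-bin/hints.pl HTTP/1.0" 404 288',
    '192.0.2.10 - - [01/Jan/2000:04:12:03 +0000] "GET /cgi-bin/includer.cgi HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2000:05:00:00 +0000] "GET /stats/awstats.pl?config=example HTTP/1.1" 200 9001',
    '198.51.100.7 - - [01/Jan/2000:05:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, info in scan(SAMPLE).items():
        print(client, sorted(info["families"]), "answered:", info["answered"])
```

A client that touches only one application, such as a normal Awstats visitor, stays below the threshold; any path listed under "answered" is an installed script worth checking against the vendor fixes.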
