Discovered: November 6, 2005
Updated: November 6, 2005 12:32:14 PM
Also Known As: Net-Worm.Linux.Lupper.a [Kaspersky]
Systems Affected: Linux
Linux.Plupii is a worm with back door capabilities that spreads by exploiting several Web server-related vulnerabilities.
When executed, the worm sends a notification message to the threat's author at a remote IP address over UDP port 7222.
The worm then opens a back door on UDP port 7222, which gives a remote attacker unauthorized access to the compromised computer.
Next, the worm generates URLs that include the following strings:
/cgi-bin/
/scgi-bin/
/awstats/
/cgi-bin/awstats/
/scgi-bin/awstats/
/cgi/awstats/
/scgi/awstats/
/scripts/
/cgi-bin/stats/
/scgi-bin/stats/
/stats/
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi
The worm then sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:
The XML-RPC for PHP Remote Code Injection vulnerability (BID 14088)
The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (BID 10950)
The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (BID 13930)
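The list of URL strings above is the most useful indicator a Web server administrator has for spotting this worm's scanning from the server side. The following is an added detection example, not part of the writeup and not Symantec's code: it parses Apache-style access log lines, matches each requested path against the strings listed above, and reports client IPs that requested at least one of the file-specific paths. The bare directory prefixes (/cgi-bin/, /scgi-bin/, /scripts/, /stats/) match plenty of legitimate traffic, so they are only recorded to show how widely a client is probing and never trigger a report on their own. The log lines and IP addresses are constructed for the example; the query strings are dropped before matching because the writeup documents the paths, not the parameters the worm sends.

```python
"""Scan Apache-style access log lines for the URL paths that Linux.Plupii
is documented to probe, and summarise suspect clients per source IP.
Added example: the path list is taken from the writeup, everything else
is an assumption about the defender's log format."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# The strings the writeup lists as appearing in the worm's generated URLs.
PLUPII_STRINGS = """
/cgi-bin/ /scgi-bin/ /awstats/ /cgi-bin/awstats/ /scgi-bin/awstats/ /cgi/awstats/
/scgi/awstats/ /scripts/ /cgi-bin/stats/ /scgi-bin/stats/ /stats/
/xmlrpc.php /xmlrpc/xmlrpc.php /xmlsrv/xmlrpc.php /blog/xmlrpc.php /drupal/xmlrpc.php
/community/xmlrpc.php /blogs/xmlrpc.php /blogs/xmlsrv/xmlrpc.php /blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php /b2/xmlsrv/xmlrpc.php /b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php /phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi /scgi-bin/includer.cgi /includer.cgi /cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi /cgi-bin/inc/includer.cgi /scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi /scgi-local/includer.cgi /cgi/includer.cgi /scgi/includer.cgi
/hints.pl /cgi/hints.pl /scgi/hints.pl /cgi-bin/hints.pl /scgi-bin/hints.pl /hints/hints.pl
/cgi-bin/hints/hints.pl /scgi-bin/hints/hints.pl /webhints/hints.pl
/cgi-bin/webhints/hints.pl /scgi-bin/webhints/hints.pl
/hints.cgi /cgi/hints.cgi /scgi/hints.cgi /cgi-bin/hints.cgi /scgi-bin/hints.cgi
/hints/hints.cgi /cgi-bin/hints/hints.cgi /scgi-bin/hints/hints.cgi /webhints/hints.cgi
/cgi-bin/webhints/hints.cgi /scgi-bin/webhints/hints.cgi
""".split()

# Entries naming a file are high-confidence indicators. Bare directory
# prefixes match ordinary traffic too, so they only count towards how
# widely a client probed. Longest prefixes are tried first so that
# /cgi-bin/awstats/ is reported rather than the generic /cgi-bin/.
FILE_PATHS = frozenset(p for p in PLUPII_STRINGS if not p.endswith("/"))
DIR_PREFIXES = tuple(sorted((p for p in PLUPII_STRINGS if p.endswith("/")),
                            key=len, reverse=True))

# Apache common/combined format (assumed): ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def classify_request(path: str) -> Optional[str]:
    """Return the listed worm string the request path matches, or None.
    The query string is discarded: only the path is documented."""
    path = path.split("?", 1)[0]
    if path in FILE_PATHS:
        return path
    for prefix in DIR_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def scan_log(lines: List[str]) -> Dict[str, dict]:
    """Aggregate matches per client IP and report clients that requested
    at least one file-specific path. Directory-prefix matches alone are
    recorded but never cause a report."""
    per_ip = defaultdict(lambda: {"file_hits": 0, "probed": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        ip, _ts, _method, path, _status = m.groups()
        matched = classify_request(path)
        if matched is None:
            continue
        rec = per_ip[ip]
        rec["probed"].add(matched)
        if matched in FILE_PATHS:
            rec["file_hits"] += 1
    return {ip: {"file_hits": r["file_hits"], "probed": sorted(r["probed"])}
            for ip, r in per_ip.items() if r["file_hits"] > 0}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2005:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Nov/2005:10:00:02 +0000] "GET /cgi-bin/search.cgi?q=linux HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2005:10:05:11 +0000] "POST /xmlrpc.php HTTP/1.0" 404 310 "-" "-"',
    '198.51.100.7 - - [06/Nov/2005:10:05:12 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 404 310 "-" "-"',
    '198.51.100.7 - - [06/Nov/2005:10:05:13 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 310 "-" "-"',
    '198.51.100.7 - - [06/Nov/2005:10:05:14 +0000] "GET /cgi-bin/hints.pl?x=y HTTP/1.0" 404 310 "-" "-"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for ip, rec in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {rec['file_hits']} file-specific hit(s), probed {rec['probed']}")
```

In the sample, 192.0.2.10 only touches /cgi-bin/ through a legitimate script and is not reported, while 198.51.100.7 requests three of the listed file paths in a few seconds and is. A 404 on these paths does not mean the attempt failed harmlessly elsewhere, so a reported client is worth checking against the vulnerabilities listed above on every host it reached.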
The worm then attempts to download and execute a copy of itself from the following Web site:
http://62.101.193.244/lupii
This copy of the worm will be saved as the following file:
/tmp/lupii
Writeup By: Takayoshi Nakayama