Discovered: February 19, 2006
Updated: February 19, 2006 5:49:41 PM
Also Known As: ELF_MARE.C [Trend], PERL_MARE.C [Trend], PERL_SHELLBOT.AI [Trend], Mare.D [F-Secure]
Systems Affected: Linux
Linux.Plupii.C is a worm with back door capabilities that spreads by exploiting vulnerabilities.
Once executed, the worm opens a back door on UDP port 27015, which enables a remote attacker to have unauthorized access to the compromised computer.
Next, the worm generates IP addresses and uses them to build URLs that include the following strings:
/cvs/
/articles/mambo/
/cvs/mambo/
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc/xmlrpc.php
The worm then sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:
The XML-RPC for PHP Remote Code Injection vulnerability (BID 14088)
The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (BID 10950)
The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (BID 13930)
It is reported that the worm also spreads by exploiting the following vulnerability:
The Mambo Open Source Tar.PHP Remote File Include Vulnerability (BID 12608)
When the worm finds a vulnerable script on a target computer, it downloads and executes a malicious install script from the following Web site:
http://198.170.105.69/supina
On the attacked computer, the install script attempts to download the following files into the /tmp/.temp folder:
http://198.170.105.69/cb (A copy of Linux.RST.B - MCID 6214)
http://198.170.105.69/https (A Perl script with IRC back door functionality.)
http://198.170.105.69/ping.txt (A Perl script that is a reverse shell back door.)
http://198.170.105.69/httpd
Next, the file /tmp/.temp/cb is executed; it attempts to connect to 210.245.233.251 on port 8080 and opens a shell back door.
The script then executes the IRC back door from the file /tmp/.temp/https, which attempts to connect to one of the following IRC servers:
eu.undernet.org
us.undernet.org
195.204.1.130
194.109.20.90
The worm joins a channel that contains the following string:
lametrapchan
The worm then waits for commands from a remote attacker.
The installation continues with the execution of /tmp/.temp/ping.txt which will try to connect to 210.245.233.251 on port 8080 and open a shell back door.
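The spread and install chain above yields a small set of host and network indicators: the probe paths appended to generated IP addresses, the stager host the install script is fetched from, the files dropped into /tmp/.temp, the UDP 27015 back door, and the 210.245.233.251:8080 and Undernet connections. The following is an added example written for this writeup, not code from the worm or from Symantec: it scans Web server access-log lines (combined log format) for the probe paths and for requests carrying the stager URL, checks a host for the dropped files, and flags connection tuples that match the network indicators. The log lines, the `url=` query parameter and the connection tuples are constructed sample input; the page does not state how the stager URL appears in an exploit request, so matching on the host string anywhere in the request line is an assumption.

```python
"""Indicator checks for the Linux.Plupii.C infection chain (added example)."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Probe paths the worm appends to generated IP addresses (from the writeup).
PLUPII_PATHS = (
    "/cvs/", "/articles/mambo/", "/cvs/mambo/",
    "/blog/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php",
    "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php",
)
STAGER_HOST = "198.170.105.69"                  # host serving /supina and the payloads
DROPPED_FILES = ("cb", "https", "ping.txt", "httpd")  # written into /tmp/.temp
BACKDOOR_UDP_PORT = 27015                       # UDP back door opened by the worm
SHELL_C2 = ("210.245.233.251", 8080)            # cb and ping.txt connect here
IRC_SERVERS = {"eu.undernet.org", "us.undernet.org", "195.204.1.130", "194.109.20.90"}

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per request that touches a probe path or carries the stager host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        path = m.group("path").split("?", 1)[0]
        reasons = []
        matched = [p for p in PLUPII_PATHS if path == p or path.startswith(p)]
        if matched:
            # Report the most specific path, e.g. /cvs/mambo/ rather than /cvs/
            reasons.append("probe path " + max(matched, key=len))
        if STAGER_HOST in line:           # assumption: stager URL shows up in the request
            reasons.append(f"references stager host {STAGER_HOST}")
        if reasons:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": m.group("status"), "reasons": reasons})
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source IP; one IP walking several probe paths is the scanner signature."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


def check_dropped_files(base: str = "/tmp/.temp") -> List[str]:
    """Return the paths of any dropped files present under base (default /tmp/.temp)."""
    return [p for p in (os.path.join(base, n) for n in DROPPED_FILES) if os.path.exists(p)]


# Connection tuples: (proto, state, local_port, remote_host, remote_port), as one would
# build them from `ss -tunap` output; this shape is an assumption of the example.
Conn = Tuple[str, str, int, str, int]


def suspicious_connections(conns: Iterable[Conn]) -> List[str]:
    """Flag the UDP 27015 listener, the 210.245.233.251:8080 shell and Undernet IRC peers."""
    findings = []
    for proto, state, lport, rhost, rport in conns:
        if proto == "udp" and state == "LISTEN" and lport == BACKDOOR_UDP_PORT:
            findings.append(f"udp listener on {lport} (Plupii back door)")
        elif (rhost, rport) == SHELL_C2:
            findings.append(f"shell back door to {rhost}:{rport}")
        elif rhost in IRC_SERVERS:
            findings.append(f"IRC back door peer {rhost}")
    return findings


# Constructed sample log: one benign client and one host walking the probe list.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2006:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1532
192.0.2.77 - - [19/Feb/2006:14:03:40 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 412
192.0.2.77 - - [19/Feb/2006:14:03:41 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 288
192.0.2.77 - - [19/Feb/2006:14:03:42 +0000] "GET /cvs/mambo/?url=http://198.170.105.69/supina HTTP/1.0" 404 290
10.0.0.9 - - [19/Feb/2006:14:05:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120
"""

# Constructed sample connection table.
SAMPLE_CONNS: List[Conn] = [
    ("tcp", "ESTAB", 44231, "203.0.113.10", 443),
    ("udp", "LISTEN", 27015, "0.0.0.0", 0),
    ("tcp", "ESTAB", 44232, "210.245.233.251", 8080),
    ("tcp", "ESTAB", 44233, "194.109.20.90", 6667),
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(h["ip"], h["method"], h["path"], h["status"], "; ".join(h["reasons"]))
    print(summarize_by_source(scan_access_log(SAMPLE_LOG.splitlines())))
    print(check_dropped_files())
    print(suspicious_connections(SAMPLE_CONNS))
```

The log scan matches the full request path by prefix so that the bare directory probes (`/cvs/`, `/cvs/mambo/`, `/articles/mambo/`) are caught as well as the exact xmlrpc.php paths, and a normal `/wordpress/` visit is not flagged. A 404 on a probe path still counts: the worm requests every URL it builds, so the scanning source is visible whether or not the script exists.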
Writeup By: Costin Ionescu