Linux.Plupii

Discovered: November 06, 2005
Updated: November 06, 2005 12:32:14 PM
Also Known As: Net-Worm.Linux.Lupper.a [Kaspersky]
Systems Affected: Linux

Linux.Plupii is a worm with back door capabilities that spreads by exploiting several Web server-related vulnerabilities.

Writeup By: Takayoshi Nakayama

When executed, the worm sends a notification message to the threat's author at a remote IP address over UDP port 7222.

The worm then opens a back door on UDP port 7222, which enables a remote attacker to have unauthorized access to the compromised computer.

Next, the worm generates URLs which include the following strings:
/cgi-bin/
/scgi-bin/
/awstats/
/cgi-bin/awstats/
/scgi-bin/awstats/
/cgi/awstats/
/scgi/awstats/
/scripts/
/cgi-bin/stats/
/scgi-bin/stats/
/stats/
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/drupal/xmlrpc.php
/community/xmlrpc.php
/blogs/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogtest/xmlsrv/xmlrpc.php
/b2/xmlsrv/xmlrpc.php
/b2evo/xmlsrv/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/cgi-bin/includer.cgi
/scgi-bin/includer.cgi
/includer.cgi
/cgi-bin/include/includer.cgi
/scgi-bin/include/includer.cgi
/cgi-bin/inc/includer.cgi
/scgi-bin/inc/includer.cgi
/cgi-local/includer.cgi
/scgi-local/includer.cgi
/cgi/includer.cgi
/scgi/includer.cgi
/hints.pl
/cgi/hints.pl
/scgi/hints.pl
/cgi-bin/hints.pl
/scgi-bin/hints.pl
/hints/hints.pl
/cgi-bin/hints/hints.pl
/scgi-bin/hints/hints.pl
/webhints/hints.pl
/cgi-bin/webhints/hints.pl
/scgi-bin/webhints/hints.pl
/hints.cgi
/cgi/hints.cgi
/scgi/hints.cgi
/cgi-bin/hints.cgi
/scgi-bin/hints.cgi
/hints/hints.cgi
/cgi-bin/hints/hints.cgi
/scgi-bin/hints/hints.cgi
/webhints/hints.cgi
/cgi-bin/webhints/hints.cgi
/scgi-bin/webhints/hints.cgi

The worm then sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:
  • The XML-RPC for PHP Remote Code Injection vulnerability (BID 14088)
  • The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (BID 10950)
  • The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (BID 13930)

The worm then attempts to download and execute a copy of itself from the following Web site:
http://62.101.193.244/lupii

This copy of the worm will be saved as the following file:
/tmp/lupii
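The indicators in this writeup (the script names in the generated URL list, the AWStats directory strings, the download URL, the dropped file and UDP port 7222) are enough to build two defensive checks. The following Python is an added example, not Symantec's or the writeup's code: it flags Web server clients that sweep several of the worm's target paths or reference the download URL in a request, and it parses /proc/net/udp for a socket bound to the back door port alongside a check for /tmp/lupii. The access-log lines and the /proc/net/udp snapshot are constructed; the query parameter name x, the three-path scanning threshold, and the assumption that an exploitation request carries the download URL are mine, not the writeup's.

```python
"""Defensive checks built from the Linux.Plupii indicators above (added example)."""
import os
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Indicators taken from the writeup: the scripts named in the worm's URL list, the
# AWStats directory strings it probes, its download URL, dropped file and UDP port.
TARGET_SCRIPTS = {"xmlrpc.php", "includer.cgi", "hints.pl", "hints.cgi"}
AWSTATS_DIRS = ("/awstats/", "/cgi-bin/stats/", "/scgi-bin/stats/", "/stats/")
DOWNLOAD_URL = "http://62.101.193.244/lupii"
DROPPED_FILE = "/tmp/lupii"
BACKDOOR_PORT = 7222

# Apache/NCSA common log format; only client, request target and status are extracted.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(line):
    """Return (client, path, reasons) for one access-log line; reasons is [] if benign."""
    m = CLF_RE.match(line)
    if not m:
        return None, None, []
    target = unquote(m.group("target"))          # decode %XX so an encoded URL still matches
    path = urlsplit(target).path
    reasons = []
    if DOWNLOAD_URL in target:
        reasons.append("download-url")           # assumption: the request names the worm's copy
    if path.rsplit("/", 1)[-1] in TARGET_SCRIPTS:
        reasons.append("target-script")          # one of the scripts the worm's URL list names
    elif any(d in path for d in AWSTATS_DIRS):
        reasons.append("awstats-path")           # an AWStats location from the same list
    return m.group("client"), path, reasons


def find_scanners(lines, min_paths=3):
    """Clients that swept at least min_paths distinct worm-target paths (the propagation
    sweep over the generated URL list), plus any client referencing the download URL.
    A single xmlrpc.php POST is normal blog traffic, hence the threshold."""
    probes = defaultdict(set)
    flagged = set()
    for line in lines:
        client, path, reasons = classify_request(line)
        if "download-url" in reasons:
            flagged.add(client)
        if "target-script" in reasons or "awstats-path" in reasons:
            probes[client].add(path)
    flagged.update(c for c, paths in probes.items() if len(paths) >= min_paths)
    return sorted(flagged)


def udp_ports_bound(proc_net_udp):
    """Parse /proc/net/udp text into the set of locally bound UDP ports."""
    ports = set()
    for row in proc_net_udp.splitlines()[1:]:     # first line is the column header
        fields = row.split()
        if len(fields) < 2:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # local_address is hex addr:port
    return ports


def host_indicators(proc_net_udp, present_files):
    """Host-level indicators: a socket bound to the back door port, and the dropped file."""
    found = []
    if BACKDOOR_PORT in udp_ports_bound(proc_net_udp):
        found.append(f"udp/{BACKDOOR_PORT} bound")
    if DROPPED_FILE in present_files:
        found.append(f"{DROPPED_FILE} present")
    return found


SAMPLE_LOG = [  # constructed access-log lines, not captured traffic
    '10.0.0.5 - - [06/Nov/2005:13:02:11 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.1" 404 292',
    '10.0.0.5 - - [06/Nov/2005:13:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 404 292',
    '10.0.0.5 - - [06/Nov/2005:13:02:12 +0000] "GET /cgi-bin/includer.cgi HTTP/1.1" 404 292',
    '10.0.0.5 - - [06/Nov/2005:13:02:13 +0000] "GET /cgi-bin/hints.pl HTTP/1.1" 404 292',
    '192.0.2.9 - - [06/Nov/2005:13:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.9 - - [06/Nov/2005:13:05:01 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Nov/2005:13:07:30 +0000] "GET /cgi-bin/hints.cgi?x=http%3A%2F%2F62.101.193.244%2Flupii HTTP/1.1" 500 0',
]

SAMPLE_PROC_NET_UDP = (  # constructed in the kernel's /proc/net/udp layout; 0x1C36 == 7222
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
    "  12: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9001 2 0000000000000000 0\n"
    "  20: 00000000:1C36 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9002 2 0000000000000000 0\n"
)

if __name__ == "__main__":
    print("scanning clients:", find_scanners(SAMPLE_LOG))
    print("sample host:", host_indicators(SAMPLE_PROC_NET_UDP, {DROPPED_FILE}))
    if os.path.exists("/proc/net/udp"):           # live check on the Linux host running this
        with open("/proc/net/udp") as fh:
            present = {DROPPED_FILE} if os.path.exists(DROPPED_FILE) else set()
            print("this host:", host_indicators(fh.read(), present))
```

A bound UDP 7222 socket on its own only says that some process uses that port; treat it as a lead to confirm with the process owning the socket and the dropped-file check, not as proof of infection. On the Web side, a single xmlrpc.php request from a client is routine, which is why the sweep detector counts distinct target paths per client before flagging.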

The following instructions pertain to Symantec AntiVirus for Linux.

  1. Update the virus definitions.
  2. Run a full system scan.

1. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions. For Symantec AntiVirus for Linux, LiveUpdate definitions are updated daily.
  • Downloading the definitions using Intelligent Updater. The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

2. To run a full system scan

To run a full system scan in Linux, open a command line and type the following:

sav manualscan --scan /

If any files are detected, follow the instructions displayed by your antivirus program.