Slapper Worm Gets Facelift

By , About.com Guide

November 7, 2005

Unix-based BBS admins or bloggers beware - the Linux Slapper worm has been given a facelift and this time you're the target. The worm exploits a vulnerability in xmlrpc.php, a file commonly included in BBS and weblog software. A second exploit targets a vulnerability in AWStats, a web hit statistics package. A third exploit leverages a flaw in WebHints, which can lead to remote system access.

As is too often the case, antivirus vendors have assigned the Linux worm different names: McAfee, Computer Associates, and Sophos call it Linux/Lupper; Symantec calls it Linux.Plupii; Kaspersky, Backdoor.Linux.Small; Trend Micro, ELF_LUPPER.A; and ClamAV, Exploit.Linux.Lupii.

According to LURHQ, the worm code used is from the Slapper worm, with the SSL exploit replaced with the aforementioned exploits.

Impact of the worm
The Linux/Lupper worm (aka Linux.Plupii, Backdoor.Linux.Small, ELF_LUPPER.A, and Exploit.Linux.Lupii) opens a backdoor on UDP port 7222. To spread, it sends specially crafted HTTP POST requests to hard-coded URLs that are typical locations of the vulnerable xmlrpc.php file, and GET requests to a range of hard-coded URLs typical of the location of the flawed awstats.pl. These exploits allow it to download a copy of itself to the target system.

Sign of infection
To detect the presence of Linux/Lupper (aka Linux.Plupii, Backdoor.Linux.Small, ELF_LUPPER.A, and Exploit.Linux.Lupii), search for the presence of the following file:

/tmp/lupii

Prevention/Remediation
Delete lupii if found. The backdoor on UDP port 7222 could have led to further exposure, so examine your system carefully for other signs of compromise. Update both the xmlrpc.php (XML-RPC for PHP Remote Code Injection vulnerability) and awstats.pl (AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability) files with newer, patched versions.

No patch is currently available for the WebHints remote system access exploit, commonly referred to as the 'Darryl Burgdorf Webhints Remote Command Execution Vulnerability'.
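
The indicators named above (the /tmp/lupii file, the backdoor on UDP port 7222, and POST/GET requests to many xmlrpc.php and awstats.pl locations) can be checked with a short script. This is an added example, not part of the original article; the function names, the constructed sample log, and the threshold of three distinct paths per client are assumptions, and /proc/net/udp is Linux-specific.

```shell
#!/bin/sh
# Added example: triage for the Linux/Lupper indicators listed in this article.

# 0 if the dropped file exists; $1 is an optional root (e.g. a mounted image).
lupii_file_present() { [ -e "${1:-}/tmp/lupii" ]; }

# 0 if a UDP socket is bound to port 7222 (hex 1C36 in /proc/net/udp notation).
# $1 is a file in /proc/net/udp format; defaults to the live table.
udp_7222_bound() {
    awk 'NR > 1 { n = split($2, a, ":"); if (toupper(a[n]) == "1C36") f = 1 }
         END { exit !f }' "${1:-/proc/net/udp}"
}

# Print "client distinct_paths" for clients that sent POSTs to xmlrpc.php or
# GETs to awstats.pl at $2 or more different locations (assumed default: 3).
# $1 is an access log in common/combined format.
probe_sweepers() {
    awk -v min="${2:-3}" '{
        method = $6; sub(/^"/, "", method)
        path = $7;   sub(/\?.*$/, "", path)
        if ((method == "POST" && path ~ /\/xmlrpc\.php$/) ||
            (method == "GET"  && path ~ /\/awstats\.pl$/)) {
            if (!(($1, path) in seen)) { seen[$1, path] = 1; n[$1]++ }
        }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort
}

# Constructed sample log (documentation IPs; paths are illustrative and are
# not the worm's actual URL list).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [07/Nov/2005:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [07/Nov/2005:10:00:01 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [07/Nov/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl?x=1 HTTP/1.0" 404 210
192.0.2.10 - - [07/Nov/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl?x=2 HTTP/1.0" 404 210
198.51.100.7 - - [07/Nov/2005:10:05:00 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [07/Nov/2005:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
EOF
}

# With an access-log path as argument, run all three checks on the live host.
if [ "$#" -gt 0 ]; then
    lupii_file_present && echo "FOUND /tmp/lupii"
    udp_7222_bound && echo "UDP port 7222 is bound"
    probe_sweepers "$1"
fi
```

A single weblog client normally posts to one xmlrpc.php path, so counting distinct paths per client separates a sweep of typical locations from ordinary traffic.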
