You are here:	About>Computing & Technology>Antivirus Software> Linux & Unix Viruses> Slapper worm gets facelift: Linux Lupper worm, aka Plupi and Lupii

Newsletters & RSS Email to a friend Submit to Digg

Slapper Worm Gets Facelift

From Mary Landesman,
Your Guide to Antivirus Software.
FREE Newsletter. Sign Up Now!

November 7, 2005

Unix-based BBS admins or bloggers beware - the Linux Slapper worm has been given a facelift and this time you're the target. The worm exploits a vulnerability in xmlrpc.php, a file commonly included in BBS and weblog software. A second exploit lies in a vulerability in AWStats, a web hit statistics package. A third exploit leverages a flaw in WebHints, which can lead to remote system access.

As is too often the case, the Linux worm has been assigned different names by antivirus vendors: McAfee, Computer Associates, and Sophos call it Linux/Lupper, Symantec calls it Linux.Plupii, Kaspersky as Backdoor.Linux.Small, Trend Micro as ELF_LUPPER.A, and ClamAV as Exploit.Linux.Lupii.

According to LURHQ, the worm code used is from the Slapper worm, with the SSL exploit replaced with the aforementioned exloits.

Impact of the worm
The Linux/Lupper worm (aka Linux.Plupii, Backdoor.Linux.Small, ELF_LUPPER.A, and Exploit.Linux.Lupii) opens a backdoor on UDP port 7222. To spread, it sends specially crafted HTTP POST requests to hard-coded URLs which are typical locations of the vulnerable xmlrpc.php file and sends GET requests to a range of hard-code URLS typical of the location of the flawed awstats.pl. These exploits allow it to download a copy of itself to the target system.

Sign of infection
To detect the presence of Linux/Lupper (aka Linux.Plupii, Backdoor.Linux.Small, ELF_LUPPER.A, and Exploit.Linux.Lupii), search for the presence of the following file:

/tmp/lupii

Prevention/Remediation
Delete lupii if found. The backdoor on UDP port 7222 could have led to further exposure, so examine your system carefully for other signs of compromise. Update both the xmlrpc.php (XML-RPC for PHP Remote Code Injection vulnerability) and awstats.pl (AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability) files with newer, patched versions.

No patch is currently available for the WebHints remote system access exploit, commonly referred to as the 'Darryl Burgdorf Webhints Remote Command Execution Vulnerability'.

Did FBI Ignore Code Red Warning?Lupper Worm Targets Linux Zero Day Exploits: The Holy Grail Apache Worm Discovered Dangerous Exploit Targets JPEG Flaw

Las Vegas on a Budget

Find a Bargain Hotel Deals Cheap Eats Free Attractions Entertainment for Less

What's Hot

HIPS vs Behavior Blocking PC Tools ThreatFire Review Freedom Worm AAAAAAA@AAA.AAA Panda Titanium Antivirus

All Topics | Email Article | |

Advertising Info \| News & Events \| Work at About \| SiteMap \| Reprints \| Help	Our Story \| Be a Guide
User Agreement \| Ethics Policy \| Patent Info. \| Privacy Policy	©2008 About, Inc., A part of The New York Times Company. All rights reserved.

Advertising Info \| News & Events \| Work at About \| SiteMap \| Reprints \| Help	Our Story \| Be a Guide
User Agreement \| Ethics Policy \| Patent Info. \| Privacy Policy	©2008 About, Inc., A part of The New York Times Company. All rights reserved.

Most Popular

Slapper Worm Gets Facelift

Related Articles

Las Vegas on a Budget

What's Hot