AA-2005.0023 -- Lupper (aka: Plupii) worm propagating via web application vulnerabilities

Date: 14 November 2005
References: AL-2005.016  


===========================================================================
AA-2005.0023                  AUSCERT Advisory

 Lupper (aka: Plupii) worm propagating via web application vulnerabilities
                             14 November 2005
---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:           AWStats
                   PHP (XML-RPC)
                   Webhints
                   The Includer
Operating System:  Linux variants
Impact:            Execute Arbitrary Code/Commands
                   Inappropriate Access
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-2498 CAN-2005-2116 CVE-2005-1950
                   CAN-2005-1921

Ref:               AL-2005.016

Revision History:  November 14 2005: Fixed misspelling in title
                   November 11 2005: Initial Release

OVERVIEW

        There is a worm in the wild exploiting multiple web application 
        vulnerabilities. The targeted application vulnerabilities include 
        PHP XML-RPC as described in AL-2005.016 [1], AWStats, Webhints [2] 
        and The Includer [3].


MITIGATION

        AusCERT recommends that administrators of vulnerable Linux web 
        servers patch their systems or disable vulnerable services, if 
        possible.

        AWStats contains vulnerabilities which may not be patched in all 
        Linux distributions and as such AusCERT recommends that 
        administrators restrict access to AWStats to trusted hosts. Also, 
        AusCERT has found conflicting information about the actual 
        vulnerabilities targeted by this worm.
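
        One way to check that the AWStats restriction recommended above is 
        holding is to audit the web server access log for AWStats requests 
        from hosts outside the trusted range. This is an added example, not 
        part of the AusCERT advisory; the trusted network, the awstats.pl 
        path pattern and the sample log lines are assumptions constructed 
        for illustration.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the trusted management network and the
# AWStats CGI file name awstats.pl; adjust both for the site being audited.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
AWSTATS_PATH = re.compile(r"/awstats\.pl(?:[?/]|$)", re.IGNORECASE)

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.15 - - [11/Nov/2005:09:12:01 +1000] "GET /cgi-bin/awstats.pl?config=www HTTP/1.1" 200 5120
203.0.113.7 - - [11/Nov/2005:09:14:44 +1000] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 4980
198.51.100.23 - - [11/Nov/2005:09:15:02 +1000] "GET /awstats/awstats.pl HTTP/1.0" 403 291
203.0.113.7 - - [11/Nov/2005:09:15:30 +1000] "GET /index.html HTTP/1.0" 200 1043
not-a-log-line
"""

def is_trusted(host):
    """True if host is an IP literal inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or junk in the host field count as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def audit(log_text):
    """Return (served, blocked) lists of (host, path) for untrusted AWStats hits."""
    served, blocked = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        parts = m["request"].split()
        if len(parts) < 2 or not AWSTATS_PATH.search(parts[1]):
            continue  # not an AWStats request
        if is_trusted(m["host"]):
            continue  # trusted hosts are allowed to use AWStats
        # 401/403 means the restriction held; any other status reached AWStats
        bucket = blocked if m["status"] in ("401", "403") else served
        bucket.append((m["host"], parts[1]))
    return served, blocked

if __name__ == "__main__":
    served, blocked = audit(SAMPLE_LOG)
    print("served to untrusted hosts:", served, "| refused:", blocked)
```

        Any entry in the served list means AWStats is still reachable from 
        an untrusted host and the access restriction needs to be corrected.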

        More information can be obtained from the advisories released by
        Symantec [4], Computer Associates [5], TrendMicro [6], McAfee [7], 
        Sophos [8] and the SANS Handlers Diary [9].


REFERENCES

    1. AL-2005.016 -- XML-RPC PHP flaw allows remote code execution 
       http://www.auscert.org.au/5222

    2. Symantec Security Response - Linux.Plupii
       http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html

    3. National Vulnerability Database (CVE-2005-1950)
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1950

    4. National Vulnerability Database (CVE-2005-0689)
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0689

    5. Computer Associates - Linux/Lupper.B
       http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=47869

    6. TrendMicro - ELF_LUPPER.B
       http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FLUPPER%2EB

    7. McAfee - Linux/Lupper.worm.b
       http://vil.nai.com/vil/content/v_136856.htm

    8. Sophos virus analysis: Linux/Lupper-B
       http://www.sophos.com/virusinfo/analyses/linuxlupperb.html

    9. XML RPC worm - New Variant - ELF_LUPPER.B
       http://isc.sans.org/diary.php?storyid=829


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
