PHP Flaw Opens Web Servers to Attack

By Ed Oswald | Published November 8, 2005, 12:50 PM

McAfee and Symantec warned on Monday of a new worm that is targeting PHP and CGI scripts stored at certain locations on vulnerable Web servers. Called "Lupper," the worm will install and execute itself, allowing a hacker to gain access to the system.

From there, an attacker could potentially link the server with other infected machines to launch attacks elsewhere, according to an advisory issued by the antivirus maker on Sunday. The recommended fix is a complete OS reinstall.

"This network can be used, for example, for Distributed Denial of Service attacks or other purposes because it can accept remote commands," McAfee wrote. "It is also capable of harvesting email addresses stored in files on the web server."

McAfee has rated the worm a low risk. According to the SANS Internet Storm Center, there have been some detections of the worm in the wild, but it has not been widely distributed thus far.

Servers running three types of applications are vulnerable to attack, according to Symantec, which is also monitoring the worm: XML-RPC for PHP, AWStats, and Darryl Burgdorf's Webhints.

Both security firms said that their most recent antivirus updates would protect against the worm. Those already hit by it are not so lucky: computers that have already been infected should be wiped clean and the operating system reinstalled, Symantec advised.

"Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred," the firm wrote in its advisory. "However, the author of the threat may have been able to use the threat to access the computer to make changes to it."

Comments

Ummm... this isn't a PHP flaw... this is a programmer flaw. If someone runs PHP scripts on their site that have security flaws, it's not PHP's fault. It's the script's.

I don't hear anyone blaming C++ for desktop program flaws.

Score: 0


Damn. "The recommended fix is a complete OS reinstall." A bit rough. But look what they are supporting this on. "Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred," the firm wrote in its advisory. "However, the author of the threat may have been able to use the threat to access the computer to make changes to it."

I would rather take my chances and just monitor it for several weeks and not have to wipe. Too much time and money would be lost.

Score: 0


And risk that your customer and user data is potentially accessible? Dangerous move.

Rootkits on Linux and any other operating system are bad news. Once binaries are replaced it can be hard to know what is compromised and what is safe. Malicious tools that replace standard ones mean you sometimes can't even see what's running.

Score: 0
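The comment above and the article's reinstall advice both turn on the same problem: once system binaries may have been swapped, the box cannot be trusted to report on itself. The script below is an added example, not from the article, the commenters or either vendor's advisory. It shows the defensive check a practitioner would run after an intrusion: compare installed files against a SHA-256 manifest captured while the system was known clean and kept offline. All file names and contents are constructed in a temporary directory so it runs without touching a real system; it assumes a Linux userland with `sha256sum` and `mktemp`.

```shell
#!/bin/sh
# Added example (not the article's or the vendors' code): detect replaced
# binaries by comparing them against an offline, known-good SHA-256 manifest.
# Assumes GNU coreutils (sha256sum, mktemp). All paths below are constructed.
set -eu

# Build a manifest for every file in a directory: one "HASH  PATH" line each.
# Run this while the system is still clean and store the output off the host.
build_manifest() {
    dir=$1
    for f in "$dir"/*; do
        sha256sum "$f"
    done
}

# Re-hash every path in the manifest. Prints "REPLACED <path>" when the hash
# differs and "MISSING <path>" when the file is gone. Returns 1 if anything
# deviates from the manifest, 0 if everything still matches.
verify_manifest() {
    manifest=$1
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "REPLACED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demo: a constructed /bin with two fake "binaries", snapshotted while clean,
# then one of them is overwritten to simulate a rootkit swapping it out.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ps\n' > "$work/bin/ps"
    printf 'original netstat\n' > "$work/bin/netstat"
    build_manifest "$work/bin" > "$work/manifest.sha256"   # the clean baseline

    printf 'replacement ps that omits some processes\n' > "$work/bin/ps"
    verify_manifest "$work/manifest.sha256" || echo "manifest mismatch: treat host as compromised"
    rm -rf "$work"
}

demo
```

The check only means something if `sha256sum`, `sh` and the kernel doing the reads are themselves clean, which is exactly what cannot be assumed after a rootkit: run it from a boot of known-good media against the mounted disk, or use the distribution's package verification from a trusted system. That limit is why both vendors in the article fall back on wiping and reinstalling rather than trying to enumerate the damage in place.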


Not really. If you know how to work spyware tools and firewalls, this is a drastic measure. We got attacked, internally. We got it under control; the problem is Symantec SUCKS! That's where the vulnerability is. You don't need to completely reinstall the OS. Maybe a repair that replaces all the original OS files, and the code can't execute if it's clean.

They chose this route, but it's not necessary. If you know how to deal with Windows, the registry, and spyware/anti-virus software (good software, that is) there isn't a problem.

Score: 0


Yeah, too bad you're not smart enough to realize this is a *nix vulnerability.

Score: 0
