Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

PHP Flaw Opens Web Servers to Attack

By Ed Oswald, BetaNews

November 8, 2005, 12:50 PM

McAfee and Symantec warned on Monday of a new worm that is targeting PHP and CGI scripts stored at certain locations on vulnerable Web servers. Called "Lupper," the worm will install and execute itself, allowing a hacker to gain access to the system.

From there, an attacker could potentially link the server with other infected machine to launch attacks elsewhere, according to an advisory issued by the antivirus maker on Sunday. The recommended fix is a complete OS reinstall.

"This network can be used, for example, for Distributed Denial of Service attacks or other purposes because it can accept remote commands," McAfee wrote. "It is also capable of harvesting email addresses stored in files on the web server."

McAfee has rated the worm a low risk. According to the SANS Internet Storm Center, there have been some detections of the worm in the wild, but it has not been widely distributed thus far.

Servers running three types of applications are vulnerable to attack, according to Symantec, which is also monitoring the worm: XML-RPC for PHP, AWStats, and Darryl Bugdorf's Webhints.

Both security firms said that their most recent antivirus patches would protect against the vulnerability. Those hit by the worm are not so lucky: computers that have already been infected should be wiped clean and the operating system reinstalled, Symanted advised.

"Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred," the firm wrote in its advisory. "However, the author of the threat may have been able to use the threat to access the computer to make changes to it."

Add a Comment (5 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By The MAZZTer

posted Nov 9, 2005 - 12:39 PM

Ummm... this isn't a PHP flaw... this is a programmer flaw. If someone runs PHP scripts on their site that have security flaws, it's not PHP's fault. It's the script's.

I don't hear anyone blaming C++ for desktop program flaws.

Score: 0

By gawd21

posted Nov 8, 2005 - 1:03 PM

Damn. "The recommended fix is a complete OS reinstall." A bit rough. But look what they are supporting this on. "Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred," the firm wrote in its advisory. "However, the author of the threat may have been able to use the threat to access the computer to make changes to it."

I would rather take my chances and just monitor it for several weeks and not have to wipe. To much time and money would be lost.

Score: 0

By nate

posted Nov 8, 2005 - 1:27 PM

And risk that your customer and user data is potentially accessible? Dangerous move.

Rootkits on Linux and any operating system are bad news. Once binaries are replaced it can be hard to know what is compromised and what is safe. Malicious tools the replace standard ones, so you sometimes can't even see what's running.

Score: 0

By rijp

posted Nov 8, 2005 - 1:58 PM

Not really, if you know how to work SPYWARE, and Firewalls, this is a drastic measure. We got attacked, internally. WE got it under control, the problem is Symantec SUCKS! That's where the vulnerability is. You don't need to completely reinstall the OS, Maybe a repair.. that replaces all the original OS files, and the code can't execute if its clean.

They chose this route, but its not necessary. If you know how to deal with Windows, registry, and Spyware/Anti-virus software (good software that is) there isn't a problem.

Score: 0

By dgabriel

posted Nov 8, 2005 - 3:24 PM

Yeah, too bad you're not smart enough to realize this is a *nix vulnerability.

Score: 0

May 16 - 7:22 PM ET Google tries to make its spreadsheets more like wikis

May 16 - 5:41 PM ET Gates demonstrates touch UIs everywhere, including walls and furniture

May 16 - 5:30 PM ET Backup feature surprisingly removed from Windows Home Server refresh

May 16 - 5:05 PM ET Sony announces in-house video game lineup

May 16 - 3:50 PM ET Municipal Wi-Fi sustains fatal blow with likely loss of MetroFi

May 16 - 3:13 PM ET Sprint eyes 2008 for WiMAX launch, ahead of AT&T and Verizon LTE

May 16 - 2:34 PM ET Beta of an Outlook synchronization gadget for Google Apps

May 16 - 2:11 PM ET Yet another cross-site scripting vulnerability affects IE7 on XP

May 16 - 1:58 PM ET Yahoo's SearchScan irks some Web site owners

May 16 - 1:47 PM ET Report: Alltel's choice of LTE a big loss for WiMAX, UMB