PHP Flaw Opens Web Servers to Attack

McAfee and Symantec warned on Monday of a new worm that is targeting PHP and CGI scripts stored at certain locations on vulnerable Web servers. Called "Lupper," the worm will install and execute itself, allowing a hacker to gain access to the system.

From there, an attacker could potentially link the server with other infected machines to launch attacks elsewhere, according to an advisory issued by the antivirus maker on Sunday. The recommended fix is a complete OS reinstall.

"This network can be used, for example, for Distributed Denial of Service attacks or other purposes because it can accept remote commands," McAfee wrote. "It is also capable of harvesting email addresses stored in files on the web server."

McAfee has rated the worm a low risk. According to the SANS Internet Storm Center, there have been some detections of the worm in the wild, but it has not been widely distributed thus far.

Servers running three types of applications are vulnerable to attack, according to Symantec, which is also monitoring the worm: XML-RPC for PHP, AWStats, and Darryl Burgdorf's Webhints.

Both security firms said that their most recent antivirus patches would protect against the vulnerability. Those hit by the worm are not so lucky: computers that have already been infected should be wiped clean and the operating system reinstalled, Symantec advised.

"Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred," the firm wrote in its advisory. "However, the author of the threat may have been able to use the threat to access the computer to make changes to it."


© 1998-2024 BetaNews, Inc. All Rights Reserved.