[WEB SECURITY] PHP XML-RPC Worm In The Wild
Nigel Houghton
nigel at sourcefire.com
Tue Nov 8 13:37:44 EST 2005

XML-RPC is only one of the attack vectors for this worm.
Spread of this worm appears to be very slow, as I am sure you
will be able to determine from your web logs. Here are the more
informative references:
SANS:
http://isc.sans.org/diary.php?storyid=823
McAfee:
http://vil.nai.com/vil/content/v_136821.htm
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
Bugtraq:
XML-RPC for PHP Remote Code Injection
http://www.securityfocus.com/bid/14088
Awstats Remote Command Execution
http://www.securityfocus.com/bid/12298
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0116

On 0, bugtraq at cgisecurity.net allegedly wrote:
> "Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC
> for PHP, a popular open source component used in many applications, to attack vulnerable systems.
>
> XML-RPC for PHP features in many web applications including PostNuke, Drupal, b2evolution, Xoops,
> WordPress, PHPGroupWare and TikiWiki. Most of these applications have been updated to address
> the security flaw." - The Register
>
> Link: http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
> Link: http://www.theregister.co.uk/2005/11/07/linux_worm/
>
> -z
> http://www.cgisecurity.com/
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
I require a window seat and an inflight Happy Meal, and no pickles!
God help you if I find pickles!
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/