[WEB SECURITY] PHP XML-RPC Worm In The Wild

Nigel Houghton nigel at sourcefire.com
Tue Nov 8 13:37:44 EST 2005


XML-RPC is only one of the attack vectors for this worm.

Spread of this worm appears to be very slow, as I am sure you 
will be able to determine from your web logs. Here are the more 
informative references:

SANS:
http://isc.sans.org/diary.php?storyid=823

McAfee:
http://vil.nai.com/vil/content/v_136821.htm

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html

Bugtraq:
XML-RPC for PHP Remote Code Injection
http://www.securityfocus.com/bid/14088
Awstats Remote Command Execution
http://www.securityfocus.com/bid/12298

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0116

On  0, bugtraq at cgisecurity.net allegedly wrote:
> "Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC 
> for PHP, a popular open source component used in many applications, to attack vulnerable systems.
> 
> XML-RPC for PHP features in many web applications including PostNuke, Drupal, b2evolution, Xoops, 
> WordPress, PHPGroupWare and TikiWiki. Most of these applications have been updated to address 
> the security flaw." - The Register
> 
> Link: http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
> Link: http://www.theregister.co.uk/2005/11/07/linux_worm/
> 
> -z
> http://www.cgisecurity.com/

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


