[WEB SECURITY] PHP XML-RPC Worm In The Wild
Hayes, Bill
Bill.Hayes at owh.com
Tue Nov 8 14:56:11 EST 2005
Also, someone has changed the binary name of this worm in order to
bypass simple filtering. The current SANS Internet Storm Center's
handler's log mentions this.
Bill...
-----Original Message-----
From: Nigel Houghton [mailto:nigel at sourcefire.com]
Sent: Tuesday, November 08, 2005 12:38 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] PHP XML-RPC Worm In The Wild
XML-RPC is only one of the attack vectors for this worm.
Spread of this worm appears to be very slow, as I am sure you
will be able to determine from your web logs. Here are the more
informative references:
SANS:
http://isc.sans.org/diary.php?storyid=823
McAfee:
http://vil.nai.com/vil/content/v_136821.htm
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
Bugtraq:
XML-RPC for PHP Remote Code Injection
http://www.securityfocus.com/bid/14088
Awstats Remote Command Execution
http://www.securityfocus.com/bid/12298
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0116
On 0, bugtraq at cgisecurity.net allegedly wrote:
> "Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC
> for PHP, a popular open source component used in many applications, to attack vulnerable systems.
>
> XML-RPC for PHP features in many web applications including PostNuke, Drupal, b2evolution, Xoops,
> WordPress, PHPGroupWare and TikiWiki. Most of these applications have been updated to address
> the security flaw." - The Register
>
> Link: http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
> Link: http://www.theregister.co.uk/2005/11/07/linux_worm/
>
> -z
> http://www.cgisecurity.com/
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
I require a window seat and an inflight Happy Meal, and no pickles!
God help you if I find pickles!
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
---------------------------------------------------------------------