[WEB SECURITY] PHP XML-RPC Worm In The Wild

Hayes, Bill Bill.Hayes at owh.com
Tue Nov 8 14:56:11 EST 2005


Also, someone has changed the binary name of this worm in order to
bypass simple filtering. The current SANS Internet Storm Center's
handler's log mentions this.

Bill...

-----Original Message-----
From: Nigel Houghton [mailto:nigel at sourcefire.com]
Sent: Tuesday, November 08, 2005 12:38 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] PHP XML-RPC Worm In The Wild


XML-RPC is only one of the attack vectors for this worm.

Spread of this worm appears to be very slow, as I am sure you 
will be able to determine from your web logs. Here are the more 
informative references:

SANS:
http://isc.sans.org/diary.php?storyid=823

McAfee:
http://vil.nai.com/vil/content/v_136821.htm

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html

Bugtraq:
XML-RPC for PHP Remote Code Injection
http://www.securityfocus.com/bid/14088
Awstats Remote Command Execution
http://www.securityfocus.com/bid/12298

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0116

On  0, bugtraq at cgisecurity.net allegedly wrote:
> "Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC
> for PHP, a popular open source component used in many applications, to attack vulnerable systems.
>
> XML-RPC for PHP features in many web applications including PostNuke, Drupal, b2evolution, Xoops,
> WordPress, PHPGroupWare and TikiWiki. Most of these applications have been updated to address
> the security flaw." - The Register
>
> Link: http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106
> Link: http://www.theregister.co.uk/2005/11/07/linux_worm/
> 
> -z
> http://www.cgisecurity.com/

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

