An article on eWeek gives the following synopsis of what the worm does:
When Plupii is successful in infecting a server, it then sends a notification message to an attacker at a remote IP address via UDP port 7222 or 7111. Which port it attacks appears to be hard-wired into the worm and thus represents two different versions of the same worm. Next, it opens a back door through one or the other of these ports. This enables an attacker to gain unauthorized access to the compromised system.
Linux.Plupii has several known methods of attack:
- Various XML-RPC servers embedded in common applications
- AWStats – a popular web server statistics package; versions prior to the current v6.4
- Webhints – a PHP ‘Hint of the day’ script
The makers of WordPress state that versions prior to v1.5 are vulnerable. Versions after 1.5 use a different XML-RPC package.
As this worm gives the ability to execute arbitrary code on the server, this is a highly serious threat. Take the time to upgrade any known vulnerable packages.
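While upgrades are rolled out, firewall logs can be checked for the two UDP ports named in the eWeek synopsis. The script below is an added example, not code from the article or from any vendor; it assumes the server logs packets with the netfilter LOG target, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# UDP ports named in the eWeek synopsis quoted above.
PLUPII_UDP_PORTS = {7111, 7222}

# Matches the key=value fields that netfilter writes in LOG-target lines.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = """\
Nov  8 10:01:12 web1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=UDP SPT=40211 DPT=7222 LEN=40
Nov  8 10:01:13 web1 kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=40212 DPT=53 LEN=40
Nov  8 10:02:40 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=7222 DPT=7222 LEN=28
Nov  8 10:03:02 web2 kernel: IN= OUT=eth0 SRC=192.0.2.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51000 DPT=7111 WINDOW=5840 SYN
Nov  8 10:04:55 web2 kernel: IN= OUT=eth0 SRC=192.0.2.11 DST=198.51.100.7 LEN=60 PROTO=UDP SPT=40300 DPT=7111 LEN=40
"""

def find_plupii_traffic(log_text):
    """Return {local_host_ip: sorted list of (direction, peer_ip, port)}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("PROTO") != "UDP" or not f.get("DPT", "").isdigit():
            continue
        port = int(f["DPT"])
        if port not in PLUPII_UDP_PORTS:
            continue
        if f.get("OUT") and not f.get("IN"):
            # Locally generated packet: matches the notification leaving the host.
            hits[f["SRC"]].add(("outbound", f["DST"], port))
        elif f.get("IN") and not f.get("OUT"):
            # Packet addressed to the host on one of the same ports.
            hits[f["DST"]].add(("inbound", f["SRC"], port))
    return {host: sorted(events) for host, events in hits.items()}

if __name__ == "__main__":
    for host, events in find_plupii_traffic(SAMPLE_LOG).items():
        print(host, events)
```

A hit is a lead for triage, since other software may also use these ports; a web server with both outbound and inbound entries to the same peer deserves the first look.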
Internet Storm Center
eWeek.com – New Worm Targets Linux Web Service Holes