New Linux Web Services Worm – Linux.Plupii

by damonp on November 8, 2005

in Security

An article on eWeek gives the following synopsis of what the worm does:

When Plupii is successful in infecting a server, it then sends a notification message to an attacker at a remote IP address via UDP port 7222 or 7111. Which port it attacks appears to be hard-wired into the worm and thus represents two different versions of the same worm. Next, it opens a back door through one or the other of these ports. This enables an attacker to gain unauthorized access to the compromised system.

Linux.Plupii has several known methods of attack:

  • Various XML-RPC servers embedded in common applications
  • AWStats – a popular web server statistics package; versions prior to the current v6.4
  • Webhints – a PHP ‘Hint of the day’ script

The makers of WordPress state that versions prior to v1.5 are vulnerable. Versions after 1.5 use a different XML-RPC package.

Because this worm gives an attacker the ability to execute arbitrary code on the server, it is a serious threat. Take the time to upgrade any known vulnerable packages.
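Alongside upgrading, a server can be checked for UDP sockets on the two ports named in the eWeek synopsis. The script below is an added example, not code from the original post or from eWeek: it parses the Linux `/proc/net/udp` table and reports sockets whose local or remote port is 7111 or 7222. The function names, the sample table, and the addresses and uid in it are constructed for illustration.

```python
import socket
import struct

# Ports come from the eWeek synopsis quoted above; all other names are illustrative.
PLUPII_UDP_PORTS = {7111, 7222}

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201
  11: 00000000:1C36 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 1377
  12: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1410
  13: 0500000A:C350 0A0200C0:1BC7 01 00000000:00000000 00:00000000 00000000    33        0 1522
"""


def decode_endpoint(endpoint):
    """Convert 'HEXADDR:HEXPORT' to (dotted IPv4, port); assumes a little-endian host."""
    addr_hex, port_hex = endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def find_suspect_sockets(proc_text, ports=PLUPII_UDP_PORTS):
    """Return UDP sockets whose local or remote port is one of the watched ports."""
    hits = []
    for line in proc_text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue                                  # blank or truncated row
        local, remote = decode_endpoint(fields[1]), decode_endpoint(fields[2])
        if local[1] in ports:
            side = "local"                            # socket bound on this host
        elif remote[1] in ports:
            side = "remote"                           # connected UDP socket to a peer
        else:
            continue
        hits.append({"side": side, "local": local, "remote": remote,
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return hits


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:             # IPv4 only; udp6 is not parsed
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_UDP                    # fall back to the constructed sample
    for hit in find_suspect_sockets(text):
        print("{side:6} {local} -> {remote} uid={uid} inode={inode}".format(**hit))
```

A match is a lead to investigate, not proof of infection, since other software may use these ports. The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the owning process.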

More information:
Internet Storm Center – New Worm Targets Linux Web Service Holes

Damon Parker is a freelance sysadmin and web developer in Texas. He specializes in server setup, server security and high performance server configurations. Need help setting up a web server or getting a server back online after a crash or hack? Email Damon
