Saturday, November 26, 2005, 11:42 PM - Generally applicable solutions
McAfee has a description of the worm, but neither an efficient way to get rid of it nor advice on how to protect your system.
Another description, under a different name, at Symantec: Linux.Plupii
Protection against the worm
Symantec is helpful: see point 4 of the technical details.
An update for the xmlrpc problem fixes the vulnerability there. Link for the updated version: Click here
For awstats, version 6.4 and up is safe.
Webhints is supposed not to be vulnerable, yet it is included in the worm's target list, so a second look at it would be wise. If you run webhints, block the communication ports for this worm just to make sure. Blocking traffic from and to 62.101.193.244 (the worm download location) is also a good precaution.
Style of attack
It looks like the worm attacks only via the IP address of the server, not by hostname. The easiest protection is therefore not to expose cgi-bin or any of the mentioned files under the bare IP address of the server. This is done most easily with a virtual host definition in the Apache configuration. After that, a redirect from index.html or index.php (whichever you prefer) to the real website on the server is enough to stop the worm.
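The virtual host layout described above, as an added example that is not from the original post: the first (default) virtual host is the one Apache uses for requests whose Host header matches no ServerName, which is what a request sent to the bare IP address looks like; it contains no cgi-bin mapping and only redirects the root URL to the real site. Hostnames, paths and the Apache 2.4 access syntax are assumptions.

```apache
# Added example (not the original post's configuration).
# The FIRST <VirtualHost> block is Apache's default: it answers every
# request whose Host: header matches no other ServerName, including
# requests addressed to the server's raw IP address. It defines no
# ScriptAlias, so http://<ip>/cgi-bin/... reaches no script. Only the
# root URL is redirected; every other path on the IP gets a 404.
# On Apache 2.2 or older, add "NameVirtualHost *:80" above these blocks.

<VirtualHost *:80>
    # Catch-all for IP-based and unknown-Host requests (hostname assumed).
    ServerName catchall.invalid
    # Assumed to be an empty directory: nothing to serve, nothing to exploit.
    DocumentRoot /var/www/empty
    # Send humans who typed the IP to the real site; nothing else is mapped.
    RedirectMatch permanent ^/$ http://www.example.com/
</VirtualHost>

<VirtualHost *:80>
    # The real site (hostname and paths assumed); only reachable by name.
    ServerName www.example.com
    DocumentRoot /var/www/example
    # CGI lives here and only here, so it is never exposed under the IP.
    ScriptAlias /cgi-bin/ /var/www/example/cgi-bin/
    <Directory /var/www/example/cgi-bin>
        # Apache 2.4 access syntax; 2.2 uses "Order allow,deny" / "Allow from all".
        Require all granted
    </Directory>
</VirtualHost>
```

Check the result with `apachectl -S`, which lists which virtual host is the default for port 80, then request `/cgi-bin/` via the IP address and confirm you get a 404 rather than a script response.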
Getting rid of the worm
Delete the worm. The worm's file is named lupii; just fgrep for it. If you have the worm, block UDP ports 7111 and 7222 on the firewall, and you can run safely with the worm present, but with you in control.
Some easy to implement other protections
includer.cgi: long known to have vulnerabilities. An up-to-date version should do the trick; otherwise you should not be using this script at all.
Disclaimer: This comes of course without any warranties!