They say the severity is low and I' m assuming that since it is being reported that it is being successfully blocked throughout, but it concerns me.
#Awstats 6.4 update
The attack can, for example, use the framename and update parameters.
#Awstats 6.4 full
The worm can also be stopped in the first place by avoiding all use of Webhints and using only patched versions of AWStats and PHP.Ĭheck out s for the latest open-source news, reviews and analysis.In the last couple weeks I am seeing a ton of messages like below. A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. and open source anti-viral programs like ClamAV now have signature files for the worm. Given that the list includes most major Linux 2.4 and 2.6 distributions, it can be presumed that any Linux running an application that employs one of the vulnerable programs may be at risk.Īccording to the Internet Storm Center, this worm is operating in the wild on the Internet.Īll the major anti-virus vendors, including Symantec Corp., McAfee Inc., and Computer Associates International Inc. Symantec also reported that many major Linux distributions, including Red Hat, SUSE and Turbolinux, can be impacted by this worm. Indeed, Symantecs Deepsight Alert Services recommends that, “Due to the ability of the remote user to perform so many different actions on the server computer, including installation of applications, it is highly recommended that compromised computers be completely reinstalled.” The more significant problem is what the attacker may have downloaded to the server while it was active. One need only delete the file: /tmp/lupii.
It uses these, via the default Web server port, 80, in an attempt to find and infect other vulnerable systems. Once in place, Plupii generates a variety of URLs. This enables an attacker to gain unauthorized access to the compromised system. All company, product and service names used in this website are for identification purposes only. Next, it opens a back door through one or the other of these ports. All product names, logos, and brands are property of their respective owners. Which port it attacks appears to be hard-wired into the worm and thus represents two different versions of the same worm. When Plupii is successful in infecting a server, it then sends a notification message to an attacker at a remote IP address via UDP port 7222 or 7111. There is, at this time, no known fix for the program. Versions 6.4, which came out in March, and higher are immune.įinally, Webhints is an older script program thats designed to set up and maintain a “Hint (Quote/Tip/Joke/Whatever) of the Day” page. Only servers which run AWStats 5.0 to 6.3 can be attacked. There are now fixes available for this hole for most systems.ĪWStats is a popular, open-source log-file analyzer. The XML-RPC hole commonly exists in blogging and Wiki programs.
#Awstats 6.4 code
The three vulnerabilities it attacks through are the XML-RPC for PHP Remote Code Injection vulnerability the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability. It attempts to use three different Web-service security holes in its attempts to infect Linux-based systems that are running the vulnerable services. This worm, also known as Linux/Lupper.worm or luppi, is a blended threat. Over the last few days, a new worm, Linux.Plupii, which attacks Linux systems via Web-server related services, has made its appearance.
0 kommentar(er)
