The Lupper worm

Posted Nov 17, 2005 9:38 UTC (Thu) by rickmoen (subscriber, #6943)
In reply to: The Lupper worm by ggiunta
Parent article: The Lupper worm

Data point: Your assertion lacks merit as to Debian, for starters: That implementation appears to be furnished by package phpgroupware-xmlrpc, which would NOT be "installed by default with PHP". This is judging by the text of relevant Debian Security Advisories (DSAs).

Second data point: RHEL4 appears to put that library in package php-pear, likewise not "installed by default with PHP". (Fedora and Mandriva, ditto.)

Third data point: Gentoo Linux appears to put that library in package dev-php/PEAR-XML_RPC, likewise not "installed by default with PHP".

Fourth data point: I cannot find a Slackware package of any sort that includes it. Maybe you'll have better luck - or maybe it isn't packaged.

Fifth data point: Ubuntu Linux appears to put that library in package php4-pear. Comments as before.

In short, PEAR xmlrpc (like PHPXMLRPC) appears to be a library you have to go quite a ways out of your way to install, if using common distros' package regimes -- entirely without regard to the thing's presence in the upstream PEAR collection.

Disclaimer: I'm no expert on this, in part because the very idea of implementing the xml-rpc network protocol in PHP makes me distinctly queasy. But I'd still love it if I got sent a dollar in token consulting fees every time someone sends me on a research wild-goose chase. ;-)

Rick Moen
rick@linuxmafia.com



The Lupper worm

Posted Nov 21, 2005 1:01 UTC (Mon) by ggiunta (guest, #30983)

Thanks for spending your time doing all this research and posting it here.
I hope it really is of help to "the community" (even though it is posted a bit late with regards to the actual exploit details publication date, the mere fact that the 'lupper worm', having been released so recently, is making victims is a clear indicator that there is a great need of education for linux sysadmins).
BTW: 'going out of your way' might not be such an uncommon practice, if all you want is to have up and running in a short time such unusual web apps as message boards, blogs or cms.
(please note that I'm not trying to pass the blame in any way onto the distro maintainers / kernel hackers. I was quite surprised too, when the exploit was revealed, to find out the sheer number of apps the lib had found its way into - and I am one of the maintainers...)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds