A Linux worm (called "Mare.D" by some) that exploits an old PHP XML-RPC
has been sighted in the wild and was
on Sunday to the full-disclosure mailing list. An
later in the day makes it clear that this is a new attack, based on an earlier
worm, kaiten, and attempts to connect infected systems to a botnet.
The attack starts with a crafted XML-RPC request targeted at Wordpress,
Drupal, phpBB and other content management systems that were known to be
in June 2005, when this problem was first reported. The request contains
code which will be executed by PHP; this code, in turn, retrieves
another script from a (now defunct) server and executes it. The second
script then retrieves yet another pair of executables from the server;
these are the main payload of the attack.
The first of these programs is the 'spreader' which attempts to find other
vulnerable hosts and infect them. The other program, instead, connects to an
IRC server which functions as the 'command and control' (C&C) element
for a botnet. The irc server would instruct the client to download yet
another program which opens a backdoor shell when executed. It is
unknown what else the attacker planned with the bots as the C&C server
has been shut down.
It is interesting to note that this worm does not compromise root and
does not gain complete control of the host, but it does provide enough
privileges that makes it attractive for a botnet. The exploit will allow
the attacker to run with the permissions of the user who owns the httpd
process (typically 'apache' or 'httpd') which is sufficient to perform the
two most likely bot tasks: spamming and distributed denial of service.
On the flipside, because it did not gain root privileges, it cannot do very
much to hide itself and it should be very easy to detect on an infected
Overall, the impact of this attack is relatively small thanks, in part, to fast action
to shut down the servers providing the scripts and controlling the botnet.
it seems likely that the backdoor shell is running on some
hosts which got an "execute" command for that script before the servers were
terminated. Another possibility is that there are different versions of the
attack floating around, using different server addresses;
those servers may still be running.
As is the case for many malware attacks, this would only affect
systems that did not have up-to-date software. Eight months seems like
enough time to update affected systems, so the fact that there are still
vulnerable systems out there is a sad testament to how little attention
is paid to security by some, probably many, Linux system administrators.
More information about this exploit can be found in the Shadowserver
updates on this attack are being posted to the Securiteam
to post comments)