Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: update on the linux worm
From: Boris Filipov <bfilipov () gmail com>
Date: Sun, 19 Feb 2006 21:26:37 +0000

I get these all the time:

195.4.223.70 - - [19/Feb/2006:14:31:09 +0000] "POST /xmlrpc.php HTTP/1.1" 404 271 195.4.223.70 - - [19/Feb/2006:14:31:11 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 276 195.4.223.70 - - [19/Feb/2006:14:31:14 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283 195.4.223.70 - - [19/Feb/2006:14:31:16 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284 195.4.223.70 - - [19/Feb/2006:14:31:18 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 278 195.4.223.70 - - [19/Feb/2006:14:31:20 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 284 195.4.223.70 - - [19/Feb/2006:14:31:22 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 281 195.4.223.70 - - [19/Feb/2006:14:31:24 +0000] "POST /xmlrpc.php HTTP/1.1" 404 271 195.4.223.70 - - [19/Feb/2006:14:31:27 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 278

I guess it has to do something with the worm everybody is talking about.

Filbert wrote:

On Sunday 19 February 2006 16:27, Micheal Turner wrote:
Could you clarify what vulnerabilities are being
exploited in the PHP applications ?


To my knowledge: mambo, phpgroupware and wordpress.
I submitted a sample to Clamav AV yesterday.

AntiVir recognises it as Worm/Linux.Lupper.B, Kaspersky Anti-Virus as Net-Worm.Linux.Mare.e. Others don't.

F.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]