On Monday 20 February 2006 15:09, no-need to-list wrote:
> http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.c.html
>
>
>
> When Linux.Plupii.C is executed, it performs the following actions:
>
>
> Opens a back door on UDP port 27015, which enables a remote attacker to
> have unauthorized access to the compromised computer.
>
>
> Generates IP addresses and uses them to build URLs which include the
> following strings:
>
>
> /cvs/
> /articles/mambo/
> /cvs/mambo/
> /blog/xmlrpc.php
> /blog/xmlsrv/xmlrpc.php
> /blogs/xmlsrv/xmlrpc.php
> /drupal/xmlrpc.php
> /phpgroupware/xmlrpc.php
> /wordpress/xmlrpc.php
> /xmlrpc/xmlrpc.php

I have seen a lot of these attacks on my web-server. What I have done is to
create some of the php-files with a statement which does a redirect to
127.0.0.1/<whatever>
Example:
-------------- /blog/xmlrpc.php:
<?php
header ("Location: http://127.0.0.1/blog/xmlrcp.php");
?>
---------------
--
Jørn Dahl-Stamnes
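
A log check for the URL strings in the quoted Symantec list, added here as an example (not part of the original post or of any vendor tool): it flags clients that request several different listed paths, which separates a sweep from ordinary traffic to a single real xmlrpc.php. The Common Log Format, the `find_probes` name, the threshold of two distinct paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# URL strings from the quoted Symantec description of Linux.Plupii.C
PROBE_PATHS = (
    "/cvs/", "/articles/mambo/", "/cvs/mambo/",
    "/blog/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php",
    "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php",
)

# Assumed format: Apache Common/Combined Log Format
# ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE_LOG = """
192.0.2.10 - - [20/Feb/2006:15:01:02 +0100] "POST /blog/xmlrpc.php HTTP/1.1" 302 0
192.0.2.10 - - [20/Feb/2006:15:01:02 +0100] "POST /drupal/xmlrpc.php HTTP/1.1" 404 210
192.0.2.10 - - [20/Feb/2006:15:01:03 +0100] "GET /cvs/mambo/ HTTP/1.0" 404 210
198.51.100.7 - - [20/Feb/2006:15:02:00 +0100] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [20/Feb/2006:15:03:00 +0100] "GET /index.html HTTP/1.1" 200 1024
"""

def find_probes(lines, min_distinct=2):
    """Return {client_ip: sorted distinct listed paths it requested} for
    clients that requested at least min_distinct of the listed paths."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        ip, _method, target, _status = m.groups()
        path = target.split("?", 1)[0].lower()  # drop query string
        # Longest match wins so /cvs/mambo/ is not also counted as /cvs/
        matched = max((p for p in PROBE_PATHS if p in path), key=len, default=None)
        if matched:
            hits[ip].add(matched)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_distinct}

if __name__ == "__main__":
    for ip, paths in find_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, "requested", len(paths), "listed paths:", ", ".join(paths))
```

Requests answered by the redirect stub described in the post are still counted, since the check looks only at the requested path and not at the response status.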