OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-disclosure] update on the linux worm

From: Boris Filipov (bfilipovgmail.com)
Date: Sun Feb 19 2006 - 15:26:37 CST

I get these all the time:

195.4.223.70 - - [19/Feb/2006:14:31:09 +0000] "POST /xmlrpc.php
HTTP/1.1" 404 271
195.4.223.70 - - [19/Feb/2006:14:31:11 +0000] "POST /blog/xmlrpc.php
HTTP/1.1" 404 276
195.4.223.70 - - [19/Feb/2006:14:31:14 +0000] "POST
/blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 283
195.4.223.70 - - [19/Feb/2006:14:31:16 +0000] "POST
/blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 284
195.4.223.70 - - [19/Feb/2006:14:31:18 +0000] "POST /drupal/xmlrpc.php
HTTP/1.1" 404 278
195.4.223.70 - - [19/Feb/2006:14:31:20 +0000] "POST
/phpgroupware/xmlrpc.php HTTP/1.1" 404 284
195.4.223.70 - - [19/Feb/2006:14:31:22 +0000] "POST
/wordpress/xmlrpc.php HTTP/1.1" 404 281
195.4.223.70 - - [19/Feb/2006:14:31:24 +0000] "POST /xmlrpc.php
HTTP/1.1" 404 271
195.4.223.70 - - [19/Feb/2006:14:31:27 +0000] "POST /xmlrpc/xmlrpc.php
HTTP/1.1" 404 278

I guess it has to do something with the worm everybody is talking about.

Filbert wrote:

>On Sunday 19 February 2006 16:27, Micheal Turner wrote:
>
>
>>Could you clarify what vulnerabilities are being
>>exploited in the PHP applications ?
>>
>>
>>
>
>To my knowledge: mambo, phpgroupware and wordpress.
>I submitted a sample to Clamav AV yesterday.
>
>AntiVir recognises it as Worm/Linux.Lupper.B, Kaspersky Anti-Virus as
>Net-Worm.Linux.Mare.e. Others don't.
>
>F.
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/