New Worm Plupii Targets Linux Web Service Holes: "The three vulnerabilities it attacks through are the XML-RPC for PHP Remote Code Injection vulnerability; the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability; and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability.
When Plupii is successful in infecting a server, it then sends a notification message to an attacker at a remote IP address via UDP port 7222 or 7111. .. Next, it opens a back door through one or the other of these ports. This enables an attacker to gain unauthorized access to the compromised system. Once in place, Plupii generates a variety of URLs .. in an attempt to find and infect other vulnerable systems.
The worm itself is easy to destroy. One need only delete the file: /tmp/lupii. The more significant problem is what the attacker may have downloaded to the server while it was active. Indeed, Symantec's DeepSight Alert Services recommends that, "Due to the ability of the remote user to perform so many different actions on the server computer, including installation of applications, it is highly recommended that compromised computers be completely reinstalled.""

8:11:15 PM
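A small triage script, added here as an example and not part of the quoted article or any Symantec tooling, that applies the indicators the article gives (requests to the three attacked components, UDP traffic to ports 7222/7111, and the dropped file /tmp/lupii) to web access-log lines, flow records and a /tmp listing. The script file names xmlrpc.php, awstats.pl and hints.pl are assumptions about how those components are usually deployed; the log lines, flow-record format and paths are constructed sample data.

```python
import re

# Indicators quoted in the article: attacker-notification / back-door ports and the dropped file.
NOTIFY_PORTS = {7222, 7111}
DROPPED_FILE = "/tmp/lupii"

# The article names only the three attacked products; these script file names are
# assumptions about how those components are commonly deployed, not taken from the article.
TARGET_SCRIPTS = {
    "xmlrpc.php": "XML-RPC for PHP",
    "awstats.pl": "AWStats (Rawlog plugin)",
    "hints.pl": "Webhints",
}
# Common/combined web access-log format and a simple constructed flow-record format.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
FLOW_RE = re.compile(r'^(?P<proto>udp|tcp) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$')

def check_access_line(line):
    """Return a finding if the request targets one of the three attacked components."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    script = m.group("uri").split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if script in TARGET_SCRIPTS:
        return f"{m.group('ip')} hit {TARGET_SCRIPTS[script]} ({m.group('method')} {m.group('uri')})"
    return None

def check_flow_line(line):
    """Return a finding for outbound UDP traffic to the worm's notification/back-door ports."""
    m = FLOW_RE.match(line)
    if m and m.group("proto") == "udp" and int(m.group("port")) in NOTIFY_PORTS:
        return f"{m.group('src')} sent UDP to {m.group('dst')}:{m.group('port')} (Plupii notification port)"
    return None

def triage(access_lines, flow_lines, tmp_listing):
    """Back-door traffic or the dropped file means rebuild the host, per the quoted Symantec advice."""
    findings = [f for f in map(check_access_line, access_lines) if f]
    flows = [f for f in map(check_flow_line, flow_lines) if f]
    dropped = [p for p in tmp_listing if p == DROPPED_FILE]
    findings += flows + [f"dropped file present: {p}" for p in dropped]
    return {"findings": findings, "reinstall_recommended": bool(flows or dropped)}

# Constructed sample data (not real logs) so the block runs offline.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [06/Nov/2005:20:11:15 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Nov/2005:20:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [06/Nov/2005:20:12:05 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 1024',
]
SAMPLE_FLOWS = ["tcp 10.0.0.12 -> 203.0.113.9:443", "udp 10.0.0.12 -> 203.0.113.9:7222"]
SAMPLE_TMP = ["/tmp/sess_1a2b", "/tmp/lupii"]
```

Access-log hits alone only say the attacked components were requested; the script recommends a rebuild only when the UDP notification traffic or the dropped file is seen.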