XML-RPC Threatens Linux, Unix Systems

A gaggle of new threats that target computers running the Linux and Unix operating systems appears on the Internet.

A gaggle of new threats that target computers running the Linux and Unix operating systems appeared on the Internet last week, challenging administrators more accustomed to threats that target Windows systems.

Anti-virus companies and The SANS Institutes Internet Storm Center advised network administrators to be on the lookout for Internet-borne attacks that target a vulnerability in a common component known as XML-RPC (Remote Procedure Call) for PHP.

The attacks, including a worm, target popular Web applications that run on Linux and Unix systems, by default.

XML-RPC is a communications protocol that allows software running on different platforms to exchange data over the Internet by issuing XML-format RPCs.

XML-RPC for PHP is a version of the protocol written in PHP and used by many Web applications.

The ISC began receiving reports of attempts to exploit a known hole in some versions of XML-RPC for PHP late last month, followed by a spike in activity on Nov. 2, according to the ISC Web site.

By Nov. 5, ISC was receiving reports of a new variant of a Linux-based worm known as Lupper that was spreading on systems with vulnerable versions of XML-RPC for PHP.

To be vulnerable, PCs need to have XML-RPC for PHP installed, as well as a component that exposes it to the Internet, said Johannes Ullrich, chief technology officer at ISC.

At Boston College, in Chestnut Hill, Mass., administrators saw a large number of attempts to scan Apache or Microsoft Corp. IIS (Internet Information Services) Web servers for the vulnerable component late last week, said David Escalante, BCs director of computer security.

The attacks on BCs network targeted mostly Unix systems, though a Windows 2000 server was also scanned by an intruder who seemed to be in Germany, Escalante said.

The attacks challenged BC staff. XML-RPC for PHP is a standard component that is installed with a large number of Web applications, so server administrators often didnt know whether their server was running the vulnerable component.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"People who say [security] is just a Microsoft problem need to get their heads out of the sand. Vulnerabilities exist on many operating systems, and, as Microsoft does a better job with security, [malicious hackers] are going to look elsewhere," said Graham Cluley, senior technology consultant at anti-virus company Sophos plc., of Abingdon, England.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest open-source news, reviews and analysis.