I found the source of the server problems I had a little while ago, wherein I was told my server was attacking another. It appears the culprit was the Lupper worm, variant b, exploiting a vulnerable version of Wordpress on my server. I managed not to have heard about it at the time, having unsubscribed from the high-traffic bugtraq list without any real plans as to how I was going to learn about newly-discovered security vulnerabilities.

Comments

(9 comments)
thewronghands
Feb. 14th, 2006 06:22 pm (UTC)
Oh, that's interesting. (If it makes you feel any better, I hadn't heard of it either.) How did you discover it?
radhardened
Feb. 14th, 2006 07:26 pm (UTC)
I looked through enough of my web server logs to see the magic word 'wordpress', basically. I'd seen a lot of exploit attempts involving other things like awstats, but they were all things that aren't on my server, thus my confusion over how the worm could've gotten in. I was running a pretty old version of wordpress; at the time this worm was publicized, the latest version of wp wasn't vulnerable.
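The comment above describes doing this by hand: reading the access log until the string "wordpress" (and the other probe targets like awstats) turns up. As an added example that is not part of the original post or its comments, the Python script below automates that triage over Apache combined-format log lines. The log lines are constructed for illustration, and the three probe signatures (POSTs to xmlrpc.php, an awstats.pl configdir parameter starting with a pipe, and a hints.pl query containing a pipe) are my assumption about what this class of worm traffic looked like, not something the post itself enumerates.

```python
"""Triage an Apache access log for XML-RPC / AWStats worm probes.

Added example, not code from the original post.  SAMPLE_LOG is constructed;
the probe signatures are assumptions about the worm traffic of that era.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2006:03:14:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "lwp-trivial/1.41"
203.0.113.7 - - [11/Feb/2006:03:14:08 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 210 "-" "lwp-trivial/1.41"
203.0.113.7 - - [11/Feb/2006:03:14:09 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp HTTP/1.1" 404 210 "-" "lwp-trivial/1.41"
198.51.100.9 - - [11/Feb/2006:03:20:41 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Feb/2006:03:21:02 +0000] "GET /wp-comments-post.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Feb/2006:04:02:13 +0000] "GET /cgi-bin/hints.pl?|cd%20/tmp HTTP/1.1" 404 210 "-" "lwp-trivial/1.41"
192.0.2.44 - - [11/Feb/2006:04:02:14 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "lwp-trivial/1.41"
"""

# Apache combined format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method, path):
    """Map a request to a probe signature name, or None for ordinary traffic.

    The path is percent-decoded first so that an encoded pipe or space does not
    hide the shell metacharacters the probe relies on.  Signatures are assumed.
    """
    decoded = unquote(path)
    low = decoded.lower()
    if method == "POST" and low.split("?")[0].endswith("/xmlrpc.php"):
        return "xmlrpc-post"            # XML-RPC endpoint hit, whatever app sits behind it
    if "awstats.pl" in low and "configdir=|" in low:
        return "awstats-configdir"      # configdir value begins with a shell pipe
    if "hints.pl?" in low and "|" in low:
        return "hints-pl"               # webhints query carrying a pipe
    return None


def scan(log_text):
    """Return one finding per line that matches a probe signature."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["method"], rec["path"])
        if sig:
            findings.append({
                "line": n, "ip": rec["ip"], "ts": rec["ts"], "sig": sig,
                "path": rec["path"], "status": int(rec["status"]),
            })
    return findings


def by_source(findings):
    """Count signatures per source address: a worm tends to fire every probe it has."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["ip"]][f["sig"]] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def reached_live_script(findings):
    """Probes the server answered with 200: the targeted script exists here.

    A 200 is not proof of compromise (the script may have rejected the payload);
    it only tells you which paths deserve a closer look in the application's
    own logs and files.
    """
    return [f for f in findings if f["status"] == 200]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']:>2} {f['ip']:<14} {f['sig']:<18} {f['status']} {f['path']}")
    print("per source:", by_source(hits))
    print("answered 200:", [f["path"] for f in reached_live_script(hits)])
```

Run it as-is to see the constructed sample triaged; on a real log, replace SAMPLE_LOG with the file contents. The per-source grouping is what separates a worm from a human: the same address trying xmlrpc.php, awstats and hints.pl within seconds, with a library user-agent, is scripted. The status filter is the caveat the comment hints at: the 404s for awstats were noise on a server that never had it, and only the paths that actually exist (here, xmlrpc.php under the WordPress directory) narrow down how the box was entered.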
pwinkler
Feb. 14th, 2006 07:08 pm (UTC)
According to my brother, who seems to be pretty big in the WP scene (asymptomatic.net, redalt.com), WP doesn't use the library that's vulnerable to the XMLRPC exploit. "The reports were wrong to include it". Take that for what you will, but perhaps the problem lies elsewhere.
radhardened
Feb. 14th, 2006 07:34 pm (UTC)
Then it seems odd to me to read advice from the developers to either update to a version that includes a security fix or delete xmlrpc.php from one's Wordpress directory.
pwinkler
Feb. 14th, 2006 08:20 pm (UTC)
Yeah, I'll have to double-check with him. He's probably only thinking of the latest version. He spends a lot of time in development on new stuff and upgrading his installations.
pwinkler
Feb. 19th, 2006 02:20 am (UTC)
Alright, so I just got this convoluted explanation from him that, after a lot of clarifying questions, makes things make more sense. Essentially, WP is not vulnerable to the XMLRPC exploit that takes advantage of the vulnerability in PHP's XMLRPC library. This is the vulnerability that Lupper exploits. The reports claiming it's related to WP are therefore incorrect.

Apparently, WP uses its own copy of XMLRPC because not all PHP installations have it (it's an extension) and WP uses RPCXML. There was a completely different SQL injection vulnerability in the XMLRPC script included with WP, about which the page you pointed to warns. AFAIK, this is not exploited by Lupper.
radhardened
Feb. 20th, 2006 03:35 pm (UTC)
Ah. Thanks for the investigation. I see how the people reporting that XMLRPC vulnerability would have gotten that confused.
pwinkler
Feb. 20th, 2006 07:04 pm (UTC)
I honestly don't know how people are supposed to keep up with this stuff. I asked my brother his advice and he said something like "I dunno... I just update WP when they tell me I should." As someone in the security industry, this is the kind of stuff that frightens me more than anything else. No matter how much effort you put into a fix, if you can't inform people and get them to upgrade, it doesn't really matter. There's so much different stuff on people's machines that it's near impossible to keep all of it up-to-date all the time.
puzzlement
Feb. 14th, 2006 08:47 pm (UTC)
Re the problem of finding out about vulnerabilities without subscribing to bugtraq, my system tends to be:

1. make sure I'm on distro-security-announce, to get announcements about security updates that are related to distro supported packages
2. make sure I'm subscribed to project-announce for software that I install from non-distro sources
3. limit the number of projects I install from non-distro sources

This is probably not as reliable as reading every post on bugtraq; however, it's never going to be the case that I have the ability to read every post on bugtraq...