[Triumf-linux-managers] Warning - Linux worms using CPanel and WordPress

Andrew Daviel advax at triumf.ca
Thu May 2 17:10:09 PDT 2013


A couple of alerts via SANS and others:

I don't know of any systems here using CPanel, but I might be wrong. It's 
a remote administration tool commonly used on hosting farms.



Title: CDorked worm spreads through Linux servers, dropping Blackhole
Description: A new virus specifically targeting Linux systems with
CPanel installed, known as Linux/CDorked, is currently making its way
through the Internet, dropping Blackhole exploit kits on infected
systems after replacing their copy of the local Apache server binary.
System administrators are urged to patch their systems to current
levels, and to disable remote access to CPanel except where strictly
necessary.
Reference:
http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
Snort SID: 26527-26532
ClamAV: Linux/CDorked.A

Previous non-CPanel alert:
http://news.techworld.com/security/3444801/apache-web-servers-targeted-by-stealthy-cdorked-malware/?cmpid=TD1N1&no1x1&olo=daily%20newsletter

Title: WordPress brute force scanners spiking in the wild
Description: A rash of scanners brute-forcing their way into poorly
secured WordPress installations has been detected in the wild within the
last few weeks, rising to heretofore unseen levels of activity. Once
inside, the scanners typically drop web shells disguised as GIF files,
along with other malicious content such as exploit kits and the like.
Administrators are urged to ensure the use of secure, non-default
passwords for all WordPress installations.
Reference:
http://engineeringevil.com/2013/04/16/massive-brute-force-attack-targets-wordpress-sites-worldwide/
http://vrt-blog.snort.org/2012/06/web-shell-poses-as-gif.html
Snort SID: 23114, 26557
ClamAV: N/A

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
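The second alert mentions web shells dropped into WordPress installs disguised as GIF files. The following is an added defender-side example, not part of the original mailing-list post or of either referenced advisory: it walks an uploads tree (a constructed temporary directory here; in practice `wp-content/uploads`) and flags image-named files whose bytes lack the expected image magic or that carry PHP tags or execution primitives, which also catches the GIF-header-plus-PHP polyglot case where magic bytes alone look valid.

```python
import os
import re
import tempfile

# Magic bytes for image types WordPress normally allows in wp-content/uploads
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# PHP open tags and execution primitives typical of web shells (assumed indicator set)
PHP_PATTERN = re.compile(rb"<\?php|<\?=|\beval\s*\(|\bassert\s*\(|base64_decode\s*\(", re.I)


def inspect_file(path):
    """Return the reasons a supposed image looks like a web shell (empty list if clean)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if not data.startswith(IMAGE_MAGIC[ext]):  # startswith accepts a tuple of prefixes
        reasons.append("bad magic bytes for %s" % ext)
    if PHP_PATTERN.search(data):  # a valid GIF header does not clear a file that also contains PHP
        reasons.append("PHP code embedded in image file")
    return reasons


def scan_uploads(root):
    """Walk an uploads tree; return {relative_path: reasons} for every suspicious image file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Constructed sample tree: a real 1x1 GIF, a PHP file renamed .gif, and a GIF/PHP polyglot."""
    root = tempfile.mkdtemp()
    samples = {
        "2013/04/logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00"
                            b"\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
        "2013/04/thumb.gif": b"<?php echo 'constructed sample'; ?>",
        "2013/04/banner.gif": b"GIF89a\x01\x00\x01\x00<?php eval('/* constructed */'); ?>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return scan_uploads(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Pair this with a package-manager integrity check of the Apache binary itself (for example `rpm -V httpd` or `debsums httpd` on the host), since the CDorked alert above concerns a replaced `httpd`, not uploaded content.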


More information about the Triumf-linux-managers mailing list