On 11/5/2005 4:43 PM +0200, [EMAIL PROTECTED] wrote:
Hi,
I couldn't help it and I ran the program, of course with a sniffer on.
Syntax: lupii <IP_address_of_the_reporting_host>
Here's what I found:
1. Runs on RedHat Enterprise Workstation 4.
2. Opens up udp:7222.
3. Exchanges some info with <IP_address_of_the_reporting_host> over udp 7222.
4. Remains active in the background.
5. Starts a SYN scan to port 80 on random destinations; in this particular example it used a class A address, keeping the first 2 octets unchanged and changing just the last 2 octets of the address, in order from X.Y.0.0 to X.Y.z.w.
6. It doesn't seem to be downloading anything from the Internet.
7. It tries several ways to infect the scanned system, all based on CGI command execution/code injection: awstats.pl, webhints, xml-rpc for php etc. You can see all these if you look at the program code.
I stopped the program but I have the capture.
Any news from anybody else?
Tudor
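The behaviour listed above (a host talking UDP/7222 and then SYN-scanning port 80 in address order across one /16) can be turned into a simple detection over sniffer output. The script below is an added example written for this thread, not code from the post or from the list; the flow-record format and the sample lines are constructed, and the `min_targets` threshold is an assumed tuning knob.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sniffer output, one flow per line:
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>"
# 10.0.0.5 matches the pattern in the post; 10.0.0.7 is ordinary traffic.
SAMPLE_FLOWS = """\
udp 10.0.0.5:7222 -> 203.0.113.9:7222 -
tcp 10.0.0.5:40001 -> 198.51.100.0:80 S
tcp 10.0.0.5:40002 -> 198.51.100.1:80 S
tcp 10.0.0.5:40003 -> 198.51.100.2:80 S
tcp 10.0.0.5:40004 -> 198.51.100.3:80 S
tcp 10.0.0.7:50000 -> 192.0.2.10:80 S
tcp 10.0.0.7:50001 -> 192.0.2.10:443 S
"""

def parse_flows(text):
    """Parse the constructed flow format into (proto, sip, sport, dip, dport, flags)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, _, dst, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((proto, sip, int(sport), dip, int(dport), flags))
    return flows

def find_lupii_like_hosts(flows, min_targets=4):
    """Return {src_ip: {...}} for sources that both send UDP to port 7222
    and SYN port 80 on at least min_targets hosts inside a single /16.
    'sequential' is True when those targets form a contiguous address run."""
    udp7222 = set()
    syn80 = defaultdict(set)
    for proto, sip, sport, dip, dport, flags in flows:
        if proto == "udp" and dport == 7222:
            udp7222.add(sip)
        elif proto == "tcp" and dport == 80 and flags == "S":
            syn80[sip].add(ipaddress.ip_address(dip))
    suspects = {}
    for sip, targets in syn80.items():
        per_net = defaultdict(list)
        for t in targets:
            per_net[ipaddress.ip_network(f"{t}/16", strict=False)].append(int(t))
        net, addrs = max(per_net.items(), key=lambda kv: len(kv[1]))
        if len(addrs) >= min_targets and sip in udp7222:
            suspects[sip] = {"syn80_targets": len(addrs), "net": str(net),
                             "sequential": max(addrs) - min(addrs) + 1 == len(addrs)}
    return suspects
```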
Hi,
awstats had some security issues. Always keep it up to date and put it behind
username and password authentication.
Niek Baakman
http://lurker.clamav.net/list/clamav-users.html