update on the linux worm
A quick digest of some updates from the last few hours on this issue:
1. The worm is based on 'kaiten', which has been going around in
different variants for a long time now.
2. This worm is new.
3. The first part exploits PHP applications, like these variants
normally do.
4. The second part spreads to other systems.
5. The worm connects to a botnet C&C based on two Fast-flux DNS RR's
which are not there anymore, and as they change, are taken down.
As always, more updates if necessary on: http://blog.securiteam.com
Thanks,
Gadi.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.