Need information on the BUG-TRAVEL worm.
I was moving some content off an old, neglected webserver earlier, and much to my dismay, found that it had been "wormed" while I wasn't looking. The damn thing appears to have overwritten all the .html and .shtml files in the webroot and replaced them with this:
<html> <head> <title>:::BUG-TRAVEL OWNZ YOU::: #BugTravel - Mass</title> </head> <body bgcolor="#000000"> <dir> <li> <p align="center"><img border="0" src="http://www.xohacker.hpg.com.br/b.jpg" width="500" height="150"> <dl> <dd> <address> <center><i><font color=#c0c0c0 face="Batang">[ Linux Mandrake release 8.0 (Traktopel) for i586 ]</center> <center><font color=#c0c0c0 size="3">[ Kernel 2.4.3-20mdk on an i686 ]</center> <center>[ uid=0(root) gid=233(apache) groups=233(apache) ]</center> <br> <center><font color=#c0c0c0 size="2"> [ Bug-Travel ] </font></font></font> </center> </i> </address> </dd> </dl> </li> </dir> <dir> <dl> <dd> <address align="center"> <center> <font color="#C0C0C0" face="Arial" size="1"><i><a href="mailto:admin@nofearserver.cjb.net">E-Mail</a></i></font></center> </address> </dd> </dir> </body> </html>
I've checked CERT and Google, but I can't find anything on this worm other than sites that have been hacked by it. I'd like to know what it is and how it spreads so that I can keep it from getting me again. Can anyone offer some help?
UPDATE: I found out what Bug-Travel is. It's not a worm. He's a defacer. Since there were no user account compromises, no port-scanning activity, etc., and since the HTML content on the box was derelict and largely slated for replacement, I didn't notice the attack until I actually took the system down and replaced it with a Red Hat 8.0 system. The defaced content turned up in a tar archive I was handling.
Anyhow, no long-term damage done. The HTML pages were placeholders, and the images and files were left intact. No port-scanning. No shell compromises. It's a reasonably harmless reminder not to be complacent about leaving systems up after they've outlived their usefulness.
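An added example, not part of the original post: one way to triage a tar archive of a webroot for this kind of mass overwrite, by flagging .html/.shtml members that carry the title string quoted above and by grouping byte-identical pages. The function names, the `min_dupes` threshold and the sample archive are constructed for illustration.

```python
import hashlib
import io
import tarfile
from collections import defaultdict

MARKER = b"BUG-TRAVEL OWNZ YOU"   # title string from the defaced page quoted above
WEB_EXTS = (".html", ".shtml")    # the file types the post says were overwritten


def scan_archive(fileobj, min_dupes=3):
    """Return (marker_hits, clusters): names containing MARKER, and
    {sha256: names} for byte-identical pages shared by >= min_dupes files."""
    marker_hits, by_hash = [], defaultdict(list)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.lower().endswith(WEB_EXTS):
                continue
            body = tar.extractfile(member).read()
            if MARKER.lower() in body.lower():
                marker_hits.append(member.name)
            by_hash[hashlib.sha256(body).hexdigest()].append(member.name)
    # Many distinct pages sharing one hash is the signature of a mass overwrite.
    clusters = {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_dupes}
    return sorted(marker_hits), clusters


def build_sample_archive():
    """Constructed sample: three overwritten pages, one intact page, one image."""
    defaced = b"<html><head><title>:::BUG-TRAVEL OWNZ YOU:::</title></head></html>"
    files = {
        "webroot/index.html": defaced,
        "webroot/about.shtml": defaced,
        "webroot/docs/faq.html": defaced,
        "webroot/old/notes.html": b"<html><body>placeholder</body></html>",
        "webroot/img/logo.jpg": b"\xff\xd8\xff\xe0 not scanned",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(scan_archive(build_sample_archive()))
```

The hash clustering catches a mass overwrite even when the replacement page does not contain the known marker string.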
