Santy Worm Variations

  • Santy Worm Variations

    Was bound to happen sooner or later
    Dean Clatworthy - Web Developer/Designer

  • #2
    Their first reaction to this was 'google bans us? ok, then we use yahoo now'.


    • #3
      Yes, I don't like this at all.

      I'm just investigating mod_security as a means to block any requests with 'perl' in the querystring, as that remains the one step that they have to perform to infect.

      Sure I'm up to date with Apache, PHP, vBulletin, etc... but am I 100% sure that I will be quick enough to upgrade/patch when new vulnerabilities are found? Nope. Not such that I would risk my server.

      I've already blocked all LWP::Simple requests, just need to make it broader now as I know damn well how I'd code it to not require LWP::Simple or to modify the useragent.

      Not much fun at this time of year.
      London Fixed-gear and Single-speed


      • #4
        ya know, I have tons of these LWP things showing up on my who's online.

        As per the other post on this topic, I added this code to my .htaccess file:

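        # Tag any request whose User-Agent contains "lwp" (case-insensitive)
        SetEnvIfNoCase User-Agent ".*lwp.*" spambot=1
        # Deny tagged requests for these methods, allow everything else
        <Limit GET POST PUT>
           Order allow,deny
           deny from env=spambot
           allow from all
        </Limit>

        ...I did this last night, around 1am, and this morning there are still a ton of these things floating around my server.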

        Do I have to stop and restart the web server to get them off?
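
Added example, not part of any post in this thread: a log check for the two filters discussed in posts #3 and #4 (LWP in the User-Agent, 'perl' in the query string) that reports whether matching requests were actually denied with a 403. It assumes Apache's combined log format; the function names and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded text is matched too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (status, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    if "lwp" in m["agent"].lower():
        reasons.append("ua-lwp")
    if "perl" in decode_fully(urlsplit(m["target"]).query).lower():
        reasons.append("qs-perl")
    return int(m["status"]), reasons

def summarize(lines):
    """Count flagged requests as {(reason, denied_with_403): n}."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            status, reasons = result
            counts.update((reason, status == 403) for reason in reasons)
    return counts

# Constructed sample log lines (documentation addresses, invented paths and values).
SAMPLE = [
    '192.0.2.10 - - [25/Dec/2004:00:40:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "lwp-trivial/1.41"',
    '192.0.2.10 - - [25/Dec/2004:01:10:00 +0000] "GET /forum/index.php HTTP/1.1" 403 210 "-" "LWP::Simple/5.800"',
    '192.0.2.11 - - [25/Dec/2004:01:12:00 +0000] "GET /forum/index.php?x=perl+a.pl HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [25/Dec/2004:01:13:00 +0000] "GET /forum/index.php?x=p%2565rl HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [25/Dec/2004:01:14:00 +0000] "GET /forum/index.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]
```

A flagged request that is still logged with status 200 after the rule went in means the rule is not being applied to that path; Apache re-reads .htaccess on each request, so a restart is not what makes it take effect.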


        • #5
          The First version of Santy affected the popular free discussion Forum software, it's now able to affect any PHP website out there.
          That's the biggest load of FUD I have ever seen. Completely untrue.
          Christopher Padfield
          Web Based Helpdesk
          DeskPRO v3.0.3 Released - Download Demo Now!


          • #6
            How can that be true?! I thought I could only harm the server because of a security hole?! How can it affect servers which have never run that software?!
            That's the end of that!


            • #7
              It is true to an extent, it's more like, it can attack any PHP script out there, the script has to have some type of security flaw to be affected, so vB is safe.


              • #8
                It's 4.3.9 and lower that is affected.


                • #9
                  Is there a list of what the new worms look after? I really hope my scripts are safe *g*
                  That's the end of that!


                  • #10
                    Originally posted by chrispadfield
                    That's the biggest load of FUD I have ever seen. Completely untrue.
                    Well, from what I've read at misc places this week, it's implying that due to the variations in the worm, it's not just exploiting phpBB vulnerabilities now, it's exploiting the reported PHP vulnerabilities. If that made any sense
                    Dean Clatworthy - Web Developer/Designer

