Announcement

Collapse
No announcement yet.

phpBB Worm: Santy.A

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Nombie Wan
    replied
    Thanks for the post Scott, much appreciated.

    Leave a comment:


  • Scott MacVicar
    replied
    I have a copy of the virus and it purely targets phpBB, it was a highlight flaw from november which allows you execute commands remotely on the system. In this case it fetches a perl script which it writes out and then executes.

    The script then replaces
    .htm .php .asp .shtm .jsp .phtm with

    HTML Code:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
     		<HTML><HEAD><TITLE>This siteis defaced!!!</TITLE></HEAD>
     		<BODY bgcolor="#000000" text="#FF0000">
     		<H1>This site is defaced!!!</H1>
     		<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation } 
     		.  $generation .q{.</b></ADDRESS>
     		</BODY></HTML>
    It then fetches some fresh URL's from google to attack.

    Leave a comment:


  • Dean C
    replied
    Wow this is a nasty worm, I wonder if it drops the database too

    Leave a comment:


  • akiy
    replied
    Articles state that the worm looks for vulnerable versions of phpBB to infect using Google.

    I wonder if this is a good argument for leaving off version numbers of your software from your website?

    Leave a comment:


  • Erwin
    replied
    Interesting stuff.

    Leave a comment:


  • _| () R | Z
    replied
    update; ive read on gathering.tweakers.net (biggest tech forum in the world, in dutch) that also invision boards & sites without forums are being targetted. so i think the worm is related to the php flaw?

    Leave a comment:


  • _| () R | Z
    replied
    http://www.viruslist.com/en/viruses/...?virusid=68388

    Leave a comment:


  • akiy
    started a topic phpBB Worm: Santy.A

    phpBB Worm: Santy.A

    http://www.msnbc.msn.com/id/6742668/

    "A new computer worm that attacks bulletin board services spread silently and quickly around the Internet Tuesday, infecting at least 38,000 systems within a few hours, experts said. The worm does not attack home computers, but consumers might encounter its effects. Bulletin boards that are infected will show a simple text message: "This site is defaced!!! This site is defaced!!! NeverEverNoSanity."

    "The worm only attacks widely used message board software called PHP Bulletin Board."
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X