phpBB Worm: Santy.A


  • Callisto
    replied
    This worm affects webservers using the vulnerable versions of PHP and phpBB. Even if your site DOES NOT run phpBB, if someone else's site does (shared host), your site is vulnerable.



    What's going on:
    - It's looking for URLs containing "viewtopic.php" via Google
    - via the highlight exploit they use system() and fwrite() calls to place the worm code somewhere on the file system
    - php, htm files (and others) are overwritten in all directories accessible from the web root.

    Leave a comment:


  • Floris
    replied
    Announcement
    http://www.vbulletin.com/forum/showthread.php?t=124008

    Leave a comment:


  • Callisto
    replied
    NeverEverNoSanity WebWorm

    It doesn't directly affect vbulletin but it does hit the server using PHP. My site is down because of this worm. None of my files have changed on the site but any and all php files are redirected to the "This site is defaced" page. My generation is 17. The host knows of the problem and is installing the newest version of PHP on their servers. They have thousands of servers to address so hopefully they will be getting to mine soon.

    Leave a comment:


  • Floris
    replied
    If phpBB is run, it will exploit through that. .. trying to replace files and delete and stuff. Each account has different file setup and could be it deletes vB or IPB or any software files instead .. It is not a vBulletin issue.

    Leave a comment:


  • blazin
    replied
    There are other phpBB installations, none of them seem affected. For some reason the two files I lost that had writable permissions.

    I talked with my ISP about this, he says that there is no way that a phpBB vulnerability could affect non-phpBB forums, or any other files on the server for that matter, because they couldn't get thru apache - and if they did that would be a bigger exploit with apache. I don't know enough about it to argue.

    Thoughts?

    Leave a comment:


  • akiy
    replied
    Originally posted by blazin
    I'm confused. From what I've read this targets phpBB forums. I got hit with this last night, but I run vBulletin.

    My newreply.php and newthread.php files were replaced with the "This site is defaced" message.

    I'm running version 2.3.0.

    Any ideas? If there are phpBB forums on the same server as me do you think that could have done it?
    Yes. See this post on Slashdot:

    http://it.slashdot.org/comments.pl?s...3&cid=11153278

    Leave a comment:


  • blazin
    replied
    I'm confused. From what I've read this targets phpBB forums. I got hit with this last night, but I run vBulletin.

    My newreply.php and newthread.php files were replaced with the "This site is defaced" message.

    I'm running version 2.3.0.

    Any ideas? If there are phpBB forums on the same server as me do you think that could have done it?

    Leave a comment:


  • Dennis Olson
    replied
    Sorry Zach - didn't know it had already been posted.

    Leave a comment:


  • Floris
    replied
    Always a shame to read this type of stuff. It is not cool to release such a worm on the internet just to cause some havoc. Kind of lame.

    Leave a comment:


  • ajaspers
    replied
    Originally posted by MetalGearMaster
    wow that's crazy, glad vB is written well enough that the worm can't attack

    MGM out
    vBulletin has had its own security problems. The phpBB team patched this vulnerability in early November, so (IMO) it's your own fault if you got infected by this worm.

    Leave a comment:


  • MGM
    replied
    wow that's crazy, glad vB is written well enough that the worm can't attack

    MGM out

    Leave a comment:


  • Zachery
    replied
    One thread is all we need.

    Leave a comment:


  • BootsSiR
    replied
    Makes last week's conversion to vB even sweeter!

    Leave a comment:


  • N8_115
    replied
    Ouch, I'm glad I switched from phpbb a while ago :P

    Leave a comment:


  • Dennis Olson
    replied
    WARNING - Worm using Google and phpBB to spread

    This is posted here solely as a public service. Since many of us may know someone who's on phpBB, this information might save them....
    ------------------------
    By Robert Lemos CNET News.com December 21, 2004, 11:01 AM PT

    A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

    The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

    Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

    "Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

    The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

    The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

    Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software. "There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

    Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

    After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

    Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

    The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

    "We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

    Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.

    http://news.zdnet.com/2100-1009_22-5...ml?tag=nl.e589


    also, there's a very good thread about it here:


    http://www.webmasterworld.com/forum10/7400.htm


    finally, F-Secure is saying it can be stopped if Google just stopped showing results for the search term it's using. it will be interesting to see what happens with this one


    http://www.f-secure.com/weblog/

    Leave a comment:
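
A cleanup triage sketch for the damage this thread describes, added here as an example and not taken from any post or from the phpBB or vBulletin projects: it walks a web root, reports files carrying the defacement marker quoted in the article along with their generation number, and lists intact files that are still world-writable. The regex assumes the marker appears as plain text exactly as quoted; `triage`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Marker text as quoted in the article above; the trailing number is the generation.
MARKER = re.compile(rb"NeverEverNoSanity\s+WebWorm\s+generation\s+(\d+)")

def triage(docroot):
    """Return ({defaced relative path: generation}, [intact world-writable paths])."""
    defaced, exposed = {}, []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the defacement page is short
            except OSError:
                continue  # unreadable file: leave for manual review
            rel = os.path.relpath(path, docroot)
            m = MARKER.search(head)
            if m:
                defaced[rel] = int(m.group(1))
            elif st.st_mode & stat.S_IWOTH:
                exposed.append(rel)  # not hit yet, but overwritable by any local user
    return defaced, sorted(exposed)

def build_sample(root):
    """Constructed sample tree (not real data): two defaced, one exposed, one safe."""
    text = b"This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation 17"
    samples = {
        "forum/newreply.php": (text, 0o666),
        "index.htm": (text.replace(b"17", b"24"), 0o644),
        "forum/config.php": (b"<?php // intact ?>", 0o666),
        "about.html": (b"<html>ok</html>", 0o644),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Files in the first result need restoring from backup; files in the second are candidates for tighter permissions before the site goes back online.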
