phpBB Worm: Santy.A

  • akiy
    Senior Member
    • Apr 2000
    • 157

    phpBB Worm: Santy.A



    "A new computer worm that attacks bulletin board services spread silently and quickly around the Internet Tuesday, infecting at least 38,000 systems within a few hours, experts said. The worm does not attack home computers, but consumers might encounter its effects. Bulletin boards that are infected will show a simple text message: "This site is defaced!!! This site is defaced!!! NeverEverNoSanity."

    "The worm only attacks widely used message board software called PHP Bulletin Board."
    AikiWeb Aikido Information
  • _| () R | Z
    Senior Member
    • Oct 2002
    • 641

    #2
    Originally Posted by Zachery
    John originally presented vBulletin to Infopop, they didn't take it, so he took it and sold it

    Originally Posted by Martin
    We had to do a lot of arm twisting to get him to do it, though. I would imagine he still hates us.

    Comment

    • _| () R | Z
      Senior Member
      • Oct 2002
      • 641

      #3
      Update: I've read on gathering.tweakers.net (biggest tech forum in the world, in Dutch) that Invision boards and sites without forums are also being targeted. So I think the worm is related to the PHP flaw?

      Comment

      • Erwin
        Senior Member
        • Jan 2002
        • 2088

        #4
        Interesting stuff.
        Avatar Chat

        Comment

        • akiy
          Senior Member
          • Apr 2000
          • 157

          #5
          Articles state that the worm looks for vulnerable versions of phpBB to infect using Google.

          I wonder if this is a good argument for leaving off version numbers of your software from your website?
          AikiWeb Aikido Information

          Comment

          • Dean C
            Senior Member
            • Mar 2002
            • 4571
            • 3.5.x

            #6
            Wow, this is a nasty worm. I wonder if it drops the database too.
            Dean Clatworthy - Web Developer/Designer

            Comment

            • Scott MacVicar
              Former vBulletin Developer
              • Dec 2000
              • 13286

              #7
              I have a copy of the virus and it purely targets phpBB; it uses the highlight flaw from November which allows you to execute commands remotely on the system. In this case it fetches a Perl script, which it writes out and then executes.

              The script then replaces .htm, .php, .asp, .shtm, .jsp and .phtm files with:

              HTML Code:
              <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
              <HTML><HEAD><TITLE>This siteis defaced!!!</TITLE></HEAD>
              <BODY bgcolor="#000000" text="#FF0000">
              <H1>This site is defaced!!!</H1>
              <HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
              .  $generation .q{.</b></ADDRESS>
              </BODY></HTML>
              It then fetches some fresh URLs from Google to attack.
              Scott MacVicar

              My Blog | Twitter

              Comment

              • Nombie Wan
                Senior Member
                • Apr 2003
                • 202
                • 3.0.0 'Gold'

                #8
                Thanks for the post Scott, much appreciated.
                http://www.teamxbox.com

                Comment

                • Dennis Olson
                  Senior Member
                  • Oct 2002
                  • 2789

                  #9
                  WARNING - Worm using Google and phpBB to spread

                  This is posted here solely as a public service. Since many of us may know someone who's on phpBB, this information might save them....
                  ------------------------
                  By Robert Lemos CNET News.com December 21, 2004, 11:01 AM PT

                  A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

                  The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

                  Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

                  "Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

                  The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

                  The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

                  Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software. "There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

                  Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

                  After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

                  Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

                  The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

                  "We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

                  Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.

                  also, there's a very good thread about it here:

                  finally, F-Secure is saying it can be stopped if Google just stopped showing results for the search term it's using. it will be interesting to see what happens with this one


                  Comment
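The behaviour Scott describes in #7 (files with those extensions overwritten by a "NeverEverNoSanity WebWorm generation N" page, spread through phpBB's highlight flaw by fetching fresh targets from Google) and the Kaspersky summary quoted in #9 suggest two cheap checks for anyone running a phpBB host: look for the defacement page on disk, and look in the access log for the request that delivered it. The script below is an added example written for this thread; it is not code from the thread, from phpBB or from the worm. Beyond what the thread states it assumes that the November 2004 flaw is in the "highlight" query parameter of viewtopic.php (phpBB 2.0.x before 2.0.11), that the web server logs in Apache combined format, and that the sample files and log lines embedded in it are constructed for illustration. A legitimate highlight value, after one round of URL-decoding, is just words and spaces; an injection attempt leaves %XX escapes behind (double encoding), string-breaking characters, or PHP execution function names, and that is what the heuristic flags.

```python
"""Detecting Santy.A on a web host: (1) find defaced files and read off the
worm generation, (2) flag phpBB viewtopic.php requests whose 'highlight'
parameter looks like an injection attempt. Added example for the thread, not
code from phpBB or from the worm. Assumptions not stated on the page: the
vulnerable entry point is viewtopic.php's 'highlight' query parameter of
phpBB 2.0.x before 2.0.11; logs are Apache combined format; SAMPLE_FILES and
SAMPLE_LOG below are constructed, not captured."""

import os
import re
from urllib.parse import parse_qs, urlsplit

# Extensions the thread says the worm overwrites.
DEFACED_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
# Marker text quoted in the thread; the trailing integer is the generation.
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")


def santy_generation(content):
    """Return the generation number if `content` is a Santy defacement page, else None."""
    if "This site is defaced!!!" not in content:
        return None
    m = GENERATION_RE.search(content)
    return int(m.group(1)) if m else None


def find_defaced(files):
    """files: mapping path -> content. Returns sorted [(path, generation)] for defaced files."""
    hits = []
    for path, content in files.items():
        if os.path.splitext(path)[1].lower() in DEFACED_EXTENSIONS:
            gen = santy_generation(content)
            if gen is not None:
                hits.append((path, gen))
    return sorted(hits)


def scan_webroot(root):
    """Walk a real document root and apply find_defaced to the files the worm targets."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in DEFACED_EXTENSIONS:
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return find_defaced(files)


# Apache combined log: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# After one URL-decode a real highlight value is words and spaces. Leftover %XX
# escapes (double encoding), quote/bracket characters that break out of a PHP
# string, or execution functions are what an exploit needs. A plain apostrophe
# from a genuine search is a tolerable false positive.
SUSPICIOUS_RE = re.compile(
    r"%[0-9a-fA-F]{2}|['\"()`$;]|\b(?:system|exec|passthru|shell_exec|popen|eval)\b"
)


def suspicious_highlight(target):
    """Return the first suspicious once-decoded 'highlight' value in a request target, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return None
    # parse_qs performs exactly one round of percent-decoding, so a
    # double-encoded payload still shows its %XX escapes here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        if SUSPICIOUS_RE.search(value):
            return value
    return None


def scan_log_lines(lines):
    """Return [(ip, timestamp, decoded highlight)] for requests that look like exploit attempts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_highlight(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_FILES = {
    "/var/www/index.php": (
        '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
        "<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>\n"
        '<BODY bgcolor="#000000" text="#FF0000">\n<H1>This site is defaced!!!</H1>\n'
        "<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation 7.</b></ADDRESS>\n</BODY></HTML>"
    ),
    "/var/www/about.htm": "<html><body>About us</body></html>",
    # Marker text in a non-targeted extension: not something the worm writes.
    "/var/www/logo.png": "This site is defaced!!! NeverEverNoSanity WebWorm generation 7.",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2004:10:15:32 +0000] "GET /forum/viewtopic.php?t=12&highlight=santy+worm HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [21/Dec/2004:10:16:01 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(ls)%252E%2527 HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    '10.0.0.8 - - [21/Dec/2004:10:16:40 +0000] "GET /forum/index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    for path, gen in (scan_webroot(root) if root else find_defaced(SAMPLE_FILES)):
        print(f"defaced: {path} (generation {gen})")
    for ip, ts, value in scan_log_lines(SAMPLE_LOG):
        print(f"exploit attempt from {ip} at {ts}: highlight={value}")
```

Pass a document root as the first argument to walk a real tree instead of the constructed samples; scan_log_lines takes any iterable of lines, so an open access_log works directly. The generation number is worth recording: it tells you how many hops from the original release your infection is, which is the same count the article's MSN search was turning up.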

                  • N8_115
                    Member
                    • Dec 2004
                    • 55
                    • 3.0.3

                    #10
                    Ouch, I'm glad I switched from phpbb a while ago :P
                    N8
                    Used Oilfield Equipment | Drilling Rigs For Sale

                    Comment

                    • BootsSiR
                      Senior Member
                      • Dec 2004
                      • 239

                      #11
                      Makes last week's conversion to vB even sweeter!
                      Reality Check!

                      Comment

                      • Zachery
                        Former vBulletin Support
                        • Jul 2002
                        • 59097

                        #12
                        One thread is all we need.

                        Comment

                        • MGM
                          Senior Member
                          • Aug 2002
                          • 3653
                          • 3.6.x

                          #13
                          Wow, that's crazy. Glad vB is written well enough that the worm can't attack.

                          MGM out

                          Comment

                          • ajaspers
                            Senior Member
                            • Sep 2003
                            • 132
                            • 3.8.x

                            #14
                            Originally posted by MetalGearMaster
                            Wow, that's crazy. Glad vB is written well enough that the worm can't attack.

                            MGM out
                            vBulletin has had its own security problems. The phpBB team patched this vulnerability in early November, so (IMO) it's your own fault if you got infected by this worm.

                            Comment

                            • Floris
                              Senior Member
                              • Dec 2001
                              • 37767

                              #15
                              Always a shame to read this type of stuff. It is not cool to release such a worm on the internet just to cause some havoc. Kind of lame.

                              Comment
