phpBB Worm: Santy.A

**Dennis Olson** · Tue 21 Dec '04, 5:49pm

Sorry Zach - didn't know it had already been posted.

**blazin** · Tue 21 Dec '04, 8:19pm

Im confused. From what Ive read this targets phpBB forums. I got hit with this last night, but I run vBulletin.

My newreply.php and newthread.php files were replaced with the "This site is defaced" message.

Im running version 2.3.0.

Any ideas? If there are phpBB forums on the same server as me do you think that could have done it?

**akiy** · Tue 21 Dec '04, 9:02pm

Originally posted by blazin

Im confused. From what Ive read this targets phpBB forums. I got hit with this last night, but I run vBulletin.

My newreply.php and newthread.php files were replaced with the "This site is defaced" message.

Im running version 2.3.0.

Any ideas? If there are phpBB forums on the same server as me do you think that could have done it?

Yes. See this post on Slashdot:

Net Worm Uses Google to Spread - Slashdot

http://it.slashdot.org/comments.pl?sid=133543&cid=11153278

Yes and no. It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around onc...

**blazin** · Tue 21 Dec '04, 10:20pm

there are other phpBB installations, none of them seem affected. For some reason the two files I lost that had writable permissions.

I talked with my ISP about this, he says that there is no way that a phpBB vulernability could affect non-phpBB forums, or any other files on the server for that matter, because they couldnt get thru apache - and if they did that would be a bigger exploit with apache. I dont know enough about it to argue.

Thoughts?

**Floris** · Wed 22 Dec '04, 8:40am

If phpBB is run, it will exploit through that. .. trying to replace files and delete and stuff. Each account has different file setup and could be it deletes vB or IPB or any software files instead .. It is not a vBulletin issue.

**Callisto** · Thu 23 Dec '04, 12:48am

NeverEverNoSanity WebWorm

It doesn't directly affect vbulletin but it does hit the server using PHP. My site is down because of this worm. None of my files have changed on the site but any and all php files are redirected to the "This site is defaced" page. My generation is 17. The host knows of the problem and is installing the newest version of PHP on their servers. They have thousands of servers to address so hopefully they will be getting to mine soon.

**Floris** · Thu 23 Dec '04, 12:53am

Announcement
http://www.vbulletin.com/forum/showthread.php?t=124008

**Callisto** · Thu 23 Dec '04, 1:15am

This worm affects webservers using the vulnerable versions of PHP and phpBB. Even if your site DOES NOT run phpBB, but if someone eles's site does (shared host), your site is vulnerable.

What's going on: - It's looking for URLs containing "viewtopic.php" via Google
- via the highlight exploit they use system() and fwrite() calls to place the worm code somewhere on the file system
- php, htm files (and others) are overwritten in all directories accessible from the web root.

phpBB Worm: Santy.A

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment