VideoHelp Forum




  1. Banned
    Join Date
    Sep 2004
    Location
    Inner Circle of Thought
    It searches google for victims.
    http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589
    Net worm using Google to spread
    By Robert Lemos CNET News.com December 21, 2004, 11:01 AM PT

    A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

    The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

    Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

    "Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

    The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

    The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

    Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

    "There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

    Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

    After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

    Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

    The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

    "We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

    Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.
  2. Damn it, beat me to it

    Baldrick is covered, right?
    tgpo famous MAC commercial, You be the judge?
    Originally Posted by jagabo
    I use the FixEverythingThat'sWrongWithThisVideo() filter. Works perfectly every time.
  3. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Nope...can't upgrade to php 4.3.10 yet.
  4. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    or maybe I can...will try tomorrow.
  5. Member
    Join Date
    Jan 2004
    Location
    PAL Region
    So that's what this is... It came back briefly this afternoon but now it's down again. This suggests it repeatedly attacks each site it tries to affect.
  6. VH Veteran jimmalenko's Avatar
    Join Date
    Aug 2003
    Location
    Down under
    So I gather that the end user isn't affected, only the web server the website is hosted on?
    If in doubt, Google it.
  7. Is there something wrong with some of the Thread links? I keep getting this...


    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1283

    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1350

    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1350

    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1350

    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1283

    Warning: Empty regular expression in /var/www/html/videohelp/forum/viewtopic.php on line 1350
  8. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  9. Thought it was just me.


    test

    Fixed?
  10. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    edit your last post and it will fix it
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  11. Nope.
  12. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    does for me -- just hit edit and don't even have to change a thing ..
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  13. All good now.
  14. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    canadateck: It should be fixed now.

    I can't find any php complete 4.3.10 rpm. I have to manually compile the php....million php settings and I don't know if turck mmcache will work. Must this happen right now...I want some holiday...............aASDLASKjdsaldk
  15. Член BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  16. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Thanks. But I'm thinking of setting up a linux test server first....I have lots of extensions for php and also mmcache that some say won't work with php4.3.10.

    I have added some phpbb patches so hopefully the site won't get infected by the santy worm.
  17. Member
    Join Date
    Jan 2004
    Location
    PAL Region
    Originally Posted by Baldrick
    I have added some phpbb patches so hopefully the site won't get infected by the santy worm.
    After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X,"
    You didn't mention the word 'backup' yet... Don't let us hungry children go without our VideoHelp.com on Christmas day! Don't make me have to visit the parents! Don't wanna spend Christmas without VH.com! Waaaa!
  18. Member ViRaL1's Avatar
    Join Date
    Jan 2004
    Location
    Making the Rounds
    I'm still recovering from the last outage. :P 8)
    Nothing can stop me now, 'cause I don't care anymore.
  19. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Baldrick,

    Is this on an apache server? Check this out... http://www.phpbb.com/phpBB/viewtopic.php?t=249010
  20. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Originally Posted by thecoalman
    Baldrick,

    Is this on an apache server? Check this out... http://www.phpbb.com/phpBB/viewtopic.php?t=249010
    Added it yesterday...all pages with %2527 in the url are forbidden.
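The `%2527` filter mentioned in the post above targets a double-encoded single quote: `%2527` decodes once to `%27` and a second time to `'`. The following is an added example, not part of the thread and not phpBB or Apache code: a Python check that decodes request targets in layers (so it also covers deeper nesting than the literal `%2527` match) and flags access-log requests where a quote only appears after the second decode. The log lines, IP addresses and the parameter name `x` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Client address and request target in a common/combined-format access-log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_layers(target, max_rounds=4):
    """Percent-decode repeatedly and return every intermediate form."""
    forms = [target]
    for _ in range(max_rounds):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms

def has_nested_encoded_quote(target):
    """True when a single quote only appears after a second (or later) decode.

    The web server decodes once, so %2527 reaches the application as %27;
    the quote only materialises if the application decodes again.
    """
    forms = decode_layers(target)
    if len(forms) < 3:
        return False
    after_first = forms[1].count("'")
    return any(f.count("'") > after_first for f in forms[2:])

def scan_access_log(lines):
    """Return (client, target) for each request carrying a nested-encoded quote."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_nested_encoded_quote(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample lines (documentation IP ranges, made-up parameter name "x").
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2004:09:14:02 +0100] "GET /forum/viewtopic.php?t=123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Dec/2004:09:14:05 +0100] "GET /forum/viewtopic.php?t=123&x=%2527 HTTP/1.0" 403 210',
    '192.0.2.44 - - [22/Dec/2004:09:15:40 +0100] "GET /forum/search.php?q=don%27t HTTP/1.1" 200 8300',
    '203.0.113.9 - - [22/Dec/2004:09:16:11 +0100] "GET /forum/viewtopic.php?t=9&x=%252527 HTTP/1.0" 200 4800',
]

if __name__ == "__main__":
    for client, target in scan_access_log(SAMPLE_LOG):
        print(client, target)
```

An ordinary singly encoded apostrophe such as `don%27t` is not flagged, which keeps normal search traffic out of the results.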
  21. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Originally Posted by Josef K
    Originally Posted by Baldrick
    I have added some phpbb patches so hopefully the site won't get infected by the santy worm.
    After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X,"
    You didn't mention the word 'backup' yet... Don't let us hungry children go without our VideoHelp.com on Christmas day! Don't make me have to visit the parents! Don't wanna spend Christmas without VH.com! Waaaa!
    I will ban your ip on christmas day...so don't worry...
  22. Member
    Join Date
    Jan 2004
    Location
    PAL Region
    Originally Posted by Baldrick
    I will ban your ip on christmas day...so don't worry...
    Ok, I phoned the parents to let them know in advance to expect one grumpy fella.
  23. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Don't know if this is some kind of coincidence but one of the google crawlers is constantly loading my phpbb FAQ page. I had an instance where it had loaded it 4 times, just the faq too. Also two spikes in bandwidth because of it, one on Sunday and one yesterday both of which were 4 times my normal bandwidth..... just thought I'd mention it.
  24. Member
    Join Date
    Jan 2004
    Location
    PAL Region
    If it's any consolation, Google appear to be getting their act together on this. From this page:

    Once Google started blocking these search queries the rate of infection tailed off sharply.

    A message sent to Finnish security firm F-Secure by Google's security team said: "While a seven hour response for something like this is not outrageous, we think we can and should do better."

    "We will be reviewing our procedures to improve our response time in the future to similar problems," the Google team said.
    and

    The worst of the attack now seems to be over as a search conducted on the morning of the 22 December produced only 1,440 hits for sites showing the text used in the defacement message.
  25. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Originally Posted by Josef K
    If it's any consolation, Google appear to be getting their act together on this. From this page:
    Probably a coincidence but the damn crawler is still there, how many times can it possibly look at the standard FAQ available on every phpbb board. It's there right now..... It's downloaded it enough to come out to around 100MB... WTF
  26. Member
    Join Date
    Jan 2004
    Location
    PAL Region
    Originally Posted by thecoalman
    Probably a coincidence but the damn crawler is still there, how many times can it possibly look at the standard FAQ available on every phpbb board. It's there right now..... It's downloaded it enough to come out to around 100MB... WTF
    Your problem doesn't appear to be the same as nothing has been deleted that you've mentioned. Maybe it's just Google tinkering with things. Why not go in and rename or temporarily delete your FAQ page so it can't be found?
  27. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Originally Posted by Josef K
    Originally Posted by thecoalman
    Probably a coincidence but the damn crawler is still there, how many times can it possibly look at the standard FAQ available on every phpbb board. It's there right now..... It's downloaded it enough to come out to around 100MB... WTF
    Your problem doesn't appear to be the same as nothing has been deleted that you've mentioned. Maybe it's just Google tinkering with things. Why not go in and rename or temporarily delete your FAQ page so it can't be found?
    There's other ways to deny it, it's just odd.
  28. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    My server was upgraded to php4.3.10 by my hosting company sometime this afternoon.
  29. I could post a topic over at www.linuxquestions.org to find a complete rpm if you still need it.


