Information on the Net-worm

Started by aRedMoon December 21st, 2004 12:40 PM
  • 3207 views
  • 35 replies

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
Source

A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

The Santy worm uses a flaw, announced last week, in the software that interprets Web pages written in the widely used scripting language PHP: Hypertext Preprocessor (PHP). However, rather than attempt to infect all Web sites running PHP, the worm instead targets a specific application--the PHP Bulletin Board (phpBB)--and searches Google for vulnerable sites, antivirus firm Kaspersky said in a statement.

Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

"Santy.a is spreading rapidly, and has caused an epidemic," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time that a program used Google to identify victims for an attack.

Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

"There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats.

Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

"We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

Web sites using a vulnerable version of PHP should upgrade, the phpBB Project site advises.

Wow... it's hard to think that Google can be used for something like that, isn't it? :/


v_V I just lost any and all faith in phpBB.
facebook \\ twitter \\ blog a.k.a life // tumblr // google+

june 10, 2003 = registered at old pc
march 24, 2004 = registered at new pc
june, 2004 = modded ;;; august, 2004 = quit/fired (point of debate)
december, 2004 = banned ;;; december 2, 2005 = unbanned
june 10, 2008 = omg... five years!
june 10, 2012 = countdown to nine years on pc...
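The defacement text quoted in the article gives a site owner a fixed string to sweep a web root for after an incident. The sketch below is an added example, not part of the original post or of any vendor tool; the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions assumed for the page types the article says the worm overwrites.
TARGET_EXTS = {".html", ".htm", ".php", ".asp", ".jsp", ".shtml"}
# Defacement text quoted in the article; the trailing number is the generation.
MARKER = re.compile(rb"NeverEverNoSanity WebWorm generation (\d+)")

def find_defaced(webroot, max_bytes=4096):
    """Return sorted (relative_path, generation) pairs for files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # the replacement text is short
            except OSError:
                continue  # unreadable file: keep sweeping
            match = MARKER.search(head)
            if match:
                hits.append((os.path.relpath(path, webroot), int(match.group(1))))
    return sorted(hits)

def demo():
    """Run the sweep over a constructed web root (sample files built inline)."""
    samples = {
        "index.html": b"This site is defaced!!! This site is defaced!!! "
                      b"NeverEverNoSanity WebWorm generation 7",
        os.path.join("forum", "viewtopic.php"):
            b"This site is defaced!!! NeverEverNoSanity WebWorm generation 24",
        os.path.join("forum", "faq.php"): b"<?php echo 'Powered by phpBB'; ?>",
        "notes.txt": b"NeverEverNoSanity WebWorm generation 3",  # not a swept type
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return find_defaced(root)

if __name__ == "__main__":
    for rel, generation in demo():
        print(f"{rel}: generation {generation}")
```

Any hit means that file has to be restored from a clean copy; the generation number only shows how far down the infection chain the site was reached.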

Kipkip

Join the Revolution

Age 32
Seen June 24th, 2007
Posted October 18th, 2005
968 posts
19.4 Years
Source

Wow... it's hard to think that Google can be used for something like that, isn't it? :/


v_V I just lost any and all faith in phpBB.
phpBB is not the only one that can be infected. If the writers want to, they can write it for vB, IPB, openBB, or any other PHP forum because the hole is in PHP itself. That's why you need to upgrade to PHP 4.5.1 or PHP 5 I think.
Canada
Seen February 27th, 2005
Posted February 27th, 2005
731 posts
19.2 Years
Source

Wow... it's hard to think that Google can be used for something like that, isn't it? :/


v_V I just lost any and all faith in phpBB.
Is that the same logic that says MSIE is less secure than FireFox? If more people use certain software, then more viruses will be developed for that software, exposing the vulnerabilities in the code. If the stats were switched, so that more people used FireFox, then there would be more vulnerabilities found in FireFox's code than MSIE. Why develop a virus that will only affect a certain, small demographic? Since phpBB is more popular than other forum software -- since it's great and free -- more viruses will be developed for it than other forum software, just like MSIE.

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
Kip-kip: Yeah, I know, it's just one of those "Ugh, because of this, I got hacked v.v"

HellishHades: I know. v_v
Age 32
www.pokedrome.info
Seen March 28th, 2005
Posted March 12th, 2005
1,778 posts
19.1 Years
This is just an inspiration for all hackers... *Shudders*
I mean, if Google can do this, it can do 10000000x more... OMG!!! This might just be a new era in hacking. Whoever made this virus had this in mind! And the next target may just be PHP sites. What can we do!
Age 32
Oakland Ca
Seen December 29th, 2008
Posted August 11th, 2008
3,549 posts
19.3 Years
look at the damage
http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=NeverEverNoSanity&btnG=Google+Search
one reason why i hate phpBB

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
It can be modified to look for any forum software, it's just that phpBB, being quite popular, got struck first.
i use smf. and i am safe ^_^
No you aren't. =3~
if PC does get hacked, it was meant to... just fate doing its job again.
All it does is destroy the php files, and I'd think that Steve has a back-up so he could just reupload 'em.
*Runs to bedroom and sobs*
I feel your pain *pats*
Colette, did your forum get hacked? *laughs* XD
Uncalled for.

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
Lol, if only we could really do that...
Age 32
Oakland Ca
Seen December 29th, 2008
Posted August 11th, 2008
3,549 posts
19.3 Years
It can be modified to look for any forum software, it's just that phpBB, being quite popular, got struck first. No you aren't. =3~ All it does is destroy the php files, and I'd think that Steve has a back-up so he could just reupload 'em. I feel your pain *pats* Uncalled for.
im safe for now =3

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
Or so you think =3~~

*ph34rz*

Kipkip

Join the Revolution

Age 32
Seen June 24th, 2007
Posted October 18th, 2005
968 posts
19.4 Years
According to this:
http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
It only affects phpBB forums that are prior to phpBB 2.0.11, which is the latest version. Google has stopped the virus from searching at its site so now there shouldn't be much of a problem anymore. Here's also how to get your phpBB forum back after an attack.
Well, having gone 24 hours without sleep between fixing up my board and work, I thought I should make the idiot's guide to all this, because I feel like quite the idiot. You'll hear a lot of people saying things like "just reupload the files" but that didn't work for me at all, so here's your ultra-simple step-by-step guide.

And remember, there are no stupid questions.

1. Download phpbb 2.0.11

2. Unzip it.

3. Open config.php and change the values for userdatabase, username, and userpassword to the values for your SQL. If you do not know the dbname, username, and password for your database you will need to ask your host for help in this matter.

<?php


//
// phpBB 2.x auto-generated config file
// Do not change anything in this file!
//

$dbms = "mysql";

// Replace the three placeholder values below with your own database settings.
$dbhost = "localhost";
$dbname = "userdatabase";
$dbuser = "username";
$dbpasswd = "userpassword";

$table_prefix = "phpbb_";

define('PHPBB_INSTALLED', true);

?>
Not screwing up at this stage is important! Make sure there are no extra lines, because if there are you will end up completely lost until your more php-savvy friend says "Well no duh it doesn't work, you probably have an extra space above the first line of config.php". And your friends showing you that you suck at the internet isn't good.

4. Delete the old directory entirely. You may want to backup your avatars, pips, and smilies first, because for security purposes it is much safer to delete this.

5. Upload the files for php 2.0.11 just like you did when you first made your board.

6. Run http://www.yourdomain.com/yourphpbburl/install/update_to_php2011.php

If you can't figure out how to change that into your URL, you fail at life.

Or you need to let me know to explain that better.

7. At this point, if nothing has gone wrong and all your templates have also been replaced, it should work. If you are missing templates you'll need to go into the SQL and switch it to subSilver manually.
Originally posted at phpBB's support forum.
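Step 3 of the guide fails in two quiet ways: stray bytes around the PHP tags, which PHP sends as output before the board can set its headers, and database values left at the sample's placeholders. The check below is an added example, not part of the quoted guide or of phpBB; the function name and both sample files are constructed for illustration.

```python
import re

BOM = b"\xef\xbb\xbf"
# Placeholder values from the guide's sample config.php (step 3).
PLACEHOLDERS = {"dbname": "userdatabase", "dbuser": "username", "dbpasswd": "userpassword"}

def check_config(data):
    """Return a list of problems in a phpBB 2.x config.php passed as bytes."""
    problems = []
    if data.startswith(BOM):
        problems.append("UTF-8 BOM before <?php")
        data = data[len(BOM):]
    start = data.find(b"<?php")
    if start == -1:
        return problems + ["no <?php opening tag"]
    if start > 0:
        problems.append("%d byte(s) of output before <?php" % start)
    end = data.rfind(b"?>")
    # PHP swallows one newline directly after ?>; anything more is sent as output.
    if end != -1 and data[end + 2:] not in (b"", b"\n", b"\r\n"):
        problems.append("output after closing ?>")
    for var, placeholder in PLACEHOLDERS.items():
        m = re.search(rb"\$" + var.encode() + rb"\s*=\s*([\"'])(.*?)\1\s*;", data)
        if m is None:
            problems.append("$%s is not assigned" % var)
        elif m.group(2).decode(errors="replace") == placeholder:
            problems.append("$%s still has the guide's placeholder value" % var)
    return problems

# Constructed samples, not taken from any real board.
GOOD = (b'<?php\n$dbname = "forum_db";\n$dbuser = "forum_rw";\n'
        b'$dbpasswd = "constructed-secret";\n?>\n')
BAD = (b'\n<?php\n$dbname "userdatabase";\n$dbuser = "username";\n'
       b'$dbpasswd = "s3t";\n?>\n\n')

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_config(sample))
```

Run it against the edited file before uploading in step 5, for example `check_config(open("config.php", "rb").read())`.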
Seen December 27th, 2018
Posted May 10th, 2009
766 posts
18.9 Years
According to TechWorld, Google has patched it, and the threat is declared to be at an end.
http://www.techworld.com/security/news/index.cfm?newsID=2854

Perl.Santy.A was declared a Category 2 virus, with a high spread and medium damage. The list I posted earlier was not the blacklist for future attacks, but what has already happened. This appeared to be a collaboration of hackers.

Only two words that I hate now: SCRIPT KIDDIES. They aren't so bad this time actually. They made 300 forums go down.

aRedMoon

Wait for me outside the lines

Age 34
Male
Minnesota
Seen April 23rd, 2018
Posted September 10th, 2013
11,126 posts
19.2 Years
I read it was over 40,000 o.O;;

And yes, it's finally stopped. >_<