[ale] New PHP Worm (Perl.Santy.A) affecting phpBB sites
Jonathan Glass
jonathan.glass at oit.gatech.edu
Tue Dec 21 14:18:14 EST 2004
Risk:
A new PHP worm is spreading, defacing web sites running
phpBB. This worm overwrites all .php and .asp and .html files which
are writable to the user under which Apache is running, and replaces
their contents with "This site is defaced!!!" NeverEverNoSanity in
bold red.
Mitigation:
If you are running phpBB, please download the latest version
(2.0.11) or follow the workaround on the following site:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
The 2.0.11 Version has been available since November 18, 2004. Here
is the release:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636
Technical Information:
For more information on the worm, please see the following.
http://www.f-secure.com/weblog/
(quoted from f-secure.com)
---------------------------------
Vulnerable versions of phpBB
Posted by Mikko @ 16:41 GMT
Apparently version 2.0.11 of phpBB is not vulnerable to the Santy
worm. That's according to the description of the apparent
vulnerability ("viewtopic.php highlight") posted to Securiteam's
site.
Users of older versions might want to check out these tips posted to
phpBB's own forum.
Also, this thread is discussing the same problem.
---------------------------------
Lots of sites have been defaced by Santy.A worm
Posted by Alexey @ 15:58 GMT
If you try to search for defaced sites using the MSN Search Engine,
you will see an enormous amount of sites that have been defaced by
the Santy.A worm. Search using the following text string:
"This site is defaced!!!" NeverEverNoSanity
Click HERE to search defaced websites using the above mentioned
string.
http://beta.search.msn.com/results.aspx?q=%22This+site+is+defaced%21%21%21%22+NeverEverNoSanity
Or
http://tinyurl.com/4nvep
At this moment the search finds tens of thousands of defaced websites!
It should be noted that some of the defaced sites have been restored
already, but many are still defaced...
---------------------------------
More on the new phpBB forum worm
Posted by Mikko @ 15:46 GMT
This worm is written in Perl. It's searching for vulnerable forum sites
via Google. When a suitable site is found, the worm uses a remote
exploit to gain access to it, defaces it and restarts random scanning
for new hosts.
There have been several serious holes in the phpBB software over the
years. One was discussed in Netcraft just days ago.
We don't know how many phpBB sites there are in the world, but Google
search for inurl:phpbb inurl:viewtopic gives over a million hits...
The first defacement we heard about happened today at around 15:00
GMT.
Official home page of phpBB does not mention this incident yet.
---------------------------------
New internet worm Santy spreading!
Posted by Mikko @ 15:12 GMT
New worm Santy has started spreading. This one infects only web
servers, not end user computers. In fact, it infects sites running
the popular phpBB discussion forum software.
Many sites are already affected...the end result typically looks like
this:
[image: santy]
We detect this worm as "Santy.A" with updates that are going out
right now.
---------------------------------
--
Jonathan Glass
OIT - Information Security
Information Security Engineer III
Georgia Institute of Technology
Office: 404-385-6900
Cell: 404-444-4086
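A defender-side check built from the behaviour the message describes (an added example, not part of the original post and not phpBB or F-Secure tooling): it walks a document root and reports .php/.asp/.html files that already contain the defacement string, plus intact ones whose mode bits let the web server account overwrite them. The function names, the uid/gids arguments and the sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

MARKER = b"NeverEverNoSanity"            # defacement string quoted in the advisory
EXTENSIONS = (".php", ".asp", ".html")   # file types the advisory says get overwritten

def writable_by(st, uid, gids=()):
    """Mode-bit check only: ACLs and a root-owned server are not modelled."""
    bit = (stat.S_IWUSR if st.st_uid == uid else
           stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH)
    return bool(st.st_mode & bit)

def audit_docroot(root, uid, gids=()):
    """Return (defaced, exposed) lists of paths relative to root."""
    defaced, exposed = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(EXTENSIONS):
                continue
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue              # skip symlinks, FIFOs, devices
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the worm replaces the whole file
            except OSError:
                continue                  # unreadable: skip, do not abort
            rel = os.path.relpath(path, root)
            if MARKER in head:
                defaced.append(rel)       # already overwritten
            elif writable_by(st, uid, gids):
                exposed.append(rel)       # intact, but the account could overwrite it
    return sorted(defaced), sorted(exposed)

def demo():  # audits a constructed tree (sample files, not real site data)
    with tempfile.TemporaryDirectory() as root:
        for rel, data, mode in [
            ("index.html", b'"This site is defaced!!!" NeverEverNoSanity', 0o644),
            ("forum/viewtopic.php", b"<?php /* intact */ ?>", 0o666),
            ("forum/config.php", b"<?php /* intact */ ?>", 0o644),
        ]:
            path = Path(root, rel)
            path.parent.mkdir(exist_ok=True)
            path.write_bytes(data)
            path.chmod(mode)
        return audit_docroot(root, os.getuid() + 1)  # uid + 1: stand-in web server account
```

On a real host, call `audit_docroot` with the document root and the uid and group ids that Apache runs under; files in the second list are the ones to make read-only for that account.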