Net-Worm.Perl.Santy.a threatens Internet forums

Kaspersky Lab, a leading developer of secure content management systems, has detected a new worm, Net-Worm.Perl.Santy.a. This worm infects certain web sites by exploiting a vulnerability in phpBB, a popular package used to create Internet forums. Santy.a is spreading rapidly, and has caused an epidemic. However, this does not directly affect end users - although the worm infects web sites, it does not infect computers used to view these sites.

Santy.a is something of a novelty - it creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of phpBB. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine.

Once the worm has gained control over a site, it will scan all directories on the infected site. All files with the extensions .htm, .php, .asp, .shtm, .jsp and phtm will be overwritten with the text 'This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation'.

Apart from defacing infected sites with this text, the worm has no payload. It will not infect machines which are used to view infected sites. Kaspersky Lab recommends that all users of phpBB should upgrade to version 2.0.11 to prevent their sites from being defaced.

An urgent update to Kaspersky Anti-Virus databases has already been issued. Information about Santy.a can be found in the Kaspersky Virus Encyclopaedia.

News Source: Kaspersky Labs
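A defender's check for the overwrite behaviour described in the write-up above, added here as an example (it is not code from Kaspersky, phpBB or the worm): it walks a web root, looks only at the file extensions the write-up lists, and reports which files now begin with the quoted defacement text. The sample tree it scans is constructed inline.

```python
"""Post-incident scan for Santy-style defacement (added example, not from the original post)."""
import os
import tempfile
from pathlib import Path

# Extensions the write-up says the worm overwrites ("phtm" taken as ".phtm").
TARGET_EXTS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
# Defacement text quoted in the write-up; the worm repeats it, so match the prefix.
DEFACE_MARKER = b"This site is defaced!!!"


def is_defaced(path: Path) -> bool:
    """True if the file begins with the Santy defacement text."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(DEFACE_MARKER) + 16)
    except OSError:
        return False  # unreadable file: leave it for manual review
    return head.lstrip().startswith(DEFACE_MARKER)


def scan_webroot(root: str) -> dict:
    """Walk root the way the worm does and report which target files carry the marker."""
    defaced, checked = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TARGET_EXTS:
                continue  # not an extension the worm touches
            checked += 1
            if is_defaced(p):
                defaced.append(p.relative_to(root).as_posix())
    return {"checked": checked, "defaced": sorted(defaced)}


def build_sample_webroot() -> str:
    """Constructed sample tree (not real data): two defaced files, one clean, one ignored."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    (Path(root) / "forum").mkdir()
    samples = {
        "index.php": b"This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation",
        "forum/viewtopic.php": b"This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation",
        "about.htm": b"<html><body>Welcome to our site</body></html>",
        "notes.txt": DEFACE_MARKER,  # .txt is not on the worm's list, so it is not counted
    }
    for rel, body in samples.items():
        (Path(root) / rel).write_bytes(body)
    return root


if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```

Files the scan reports as defaced are exactly the ones to restore from a pre-infection backup, as the last poster in this thread had to do.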
 
it's not just forums....
it's a hole in PHP

server admins need to upgrade to either 4.3.10 or 5.0.3

one of the sites I made got it and there were no forums. it's just that the phpBB crowd first noticed, so they started to alarm the community. then it got out as "phpBB has hole", while the truth is that _ANY_ version of PHP less than the 2 I mentioned has it.

4.3.10 is good cause it has some PHP5 stuff in it, while still being PHP4 basically, making for an easier transition to PHP5.

hope this helps.....
btw, I sent what I found out to the ISP I use and they upgraded their version of PHP in less than one hour after I sent the mail....
and I got a "thank you very much" mail today :D



php.net said:
[15-Dec-2004] The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.


phpBB boards were used as it is the easiest way of entering, since they are widespread and open sourced, so you can write malicious code more easily for phpBB than for the custom scripts/applications that run other sites.
 
Silence: This is not true. There was a recent security hole in PHP, but this specific worm doesn't target it, it exploits a fault in phpBB itself.
 
Beafy said:
Silence: This is not true. There was a recent security hole in PHP, but this specific worm doesn't target it, it exploits a fault in phpBB itself.

as I said.....one of the sites I made was defaced by this worm.
there were _NO_ phpBB boards on that site.

there are 2 possible explanations.
1) it affects beyond phpBB boards
2) it affects phpBB only, but then it spread on the server

I dunno, but I read at least 10 articles about this and they all pointed to upgrading to 4.3.10 or 5.0.3 where there is no problem.

when the site I made was defaced by the worm, I contacted the ISP and they said I should upgrade phpBB, but there was _NO_ phpBB on that site.
they were as surprised as I was.
all their info pointed to phpBB.
but I dug and found that it is not phpBB, but PHP itself.
phpBB was used cause it is so common on the net.
it's easier to write a script that attacks phpBB than custom made scripts.
but the hole _IS_ patched with 4.3.10 or 5.0.3
the phpBB community was first to see it cause of the widespread use of phpBB.
that's all.

btw.....less than an hour after I sent them links and articles about this, my ISP changed from 4.3.8 to 4.3.10
if they upgraded...then I think I am right....
and they did....less than an hour after I sent the mail with links about what's really happening.....
 
Option 2 is spot on :). The worm scans for all html, php etc files on the server and overwrites them.
 
Beafy said:
Option 2 is spot on :). The worm scans for all html, php etc files on the server and overwrites them.


yes, unless you have upgraded your PHP.
then it's useless.
read www.php.net
they recommended upgrading 7 days ago...guess why.....
 
Jesus, have you actually looked at code of the worm and seen for yourself what it does? Please give me a link to *one* technically oriented site (meaning something better than cnet) which states that PHP itself is the culprit...

EDIT:
http://www.phpbb.com/phpBB/viewtopic.php?t=244451 is the update announcement from the phpbb developers themselves. No mention of problems with PHP itself (for *this* particular issue).
 
Beafy said:
Jesus, have you actually looked at code of the worm and seen for yourself what it does? Please give me a link to *one* technically oriented site (meaning something better than cnet) which states that PHP itself is the culprit...

EDIT:
http://www.phpbb.com/phpBB/viewtopic.php?t=244451 is the update announcement from the phpbb developers themselves. No mention of problems with PHP itself (for *this* particular issue).

phpBB is targeted cause it's widespread.
it is easier to make code for something used on so many sites than for custom scripts.

but it IS using the same hole you could apply to any 4.3.8 PHP server, if you knew the php code that is running the site.....
so phpBB was/is the scapegoat here.
but the vulnerability isn't in phpBB, it is in the core of PHP.

this is from phpBB.com:
Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.

It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file. We therefore recommend the following:

1) If you maintain your own server be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP5 without modification.

2) If you pay for hosting ensure your hosting provider has upgraded their installation of PHP (again remember that phpBB 2.0.x and other scripts will not function under PHP5 without modification).

Please do not submit this PHP issue to our security tracker, it is beyond our control. Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally please examine any "hacking" issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions.

it says exactly what I said, all versions of PHP prior to 4.3.10 are vulnerable.
phpBB was used just cause so many sites use it.
that's all.

next time....bloody read......you have it on -> www.php.net and -> www.phpbb.com

read, then come back........please......
my ISP wouldn't have upgraded in less than an hour after I provided the info if it wasn't real.
it _IS_ a hole in older versions of PHP
 
(for *this* particular issue)

If you look at the infection vector of the worm, you will see that neither "unserialize" nor "realpath" is used, but the "urldecode"-function...
If you look at the description of the PHP exploit you cite, arbitrary code execution (which the Santy worm does) is not mentioned at all.

I say it one last time, and then let this thread rest... The worm does not use any exploits in PHP. It's merely a coincidence that there was an updated version of PHP released last week.

The update to phpBB to fix this vulnerability was released a month ago BTW...

EDIT:
Some information:
http://www.lostcoders.net/index-single-470.htm

Again note that the urldecode function does exactly what it's supposed to do.
 
Well I was hit pretty hard by this, was forced to restore a backup of my entire web folder from the 1st of December, but since most data was in the database, I didn't really lose anything. The problem is that I am still running a crappy old RH9 server, as I am the king of procrastination with changing to a decent server distro. With the inherent broken dependencies in RH9 with regards to php and mysql, unfortunately I cannot simply upgrade my php.

I got to work tonight, logged into my server and found a DCC bot script running. Killed it, deleted all files, tracked sources, blocked all on the firewall etc, but I've been forced to shut down apache until I get this fixed. For me this means building a new server, so the worm has done one good thing and made me get off my ass and build a proper server.
 