
Google News Archive Forum

Google Security Under Fire
Google Desktop Hole Fixed, but worm continues to spread using Google

10+ Year Member

Msg#: 27209 posted 12:32 pm on Dec 22, 2004 (gmt 0)


In an alert posted on the Gartner Web site, analysts Whit Andrews and Ray Wagner said that even though Google quickly fixed the bug by rolling out an auto update, "Gartner still advises caution in enterprise deployment of this tool."


The Santy.a worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure.



WebmasterWorld Senior Member 10+ Year Member

Msg#: 27209 posted 1:46 pm on Dec 22, 2004 (gmt 0)

Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.

Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.


It's back, showing about 1520 results today.
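A post-incident sweep for the defacement described in the post above, as an added example that is not part of the original thread: it walks a web root, checks files with the listed extensions for the "NeverEverNoSanity" marker, and reports the generation number when one is present. Matching the extensions as prefixes and the 64 KB read cap are assumptions of this example.

```python
import os
import re
import sys

# Extensions the thread lists as overwritten. Treating them as prefixes
# (so .html, .shtml, .phtml, .php3 also match) is this example's assumption.
TARGET_EXT_PREFIXES = (".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm")
MARKER = re.compile(rb"NeverEverNoSanity")  # string quoted in the thread
GENERATION = re.compile(rb"generation\s*(\d+)", re.I)  # number is optional
READ_LIMIT = 64 * 1024  # assumed cap: defacement pages are short


def is_target(filename):
    """True if the file's extension is one the worm is said to overwrite."""
    ext = os.path.splitext(filename)[1].lower()
    return ext.startswith(TARGET_EXT_PREFIXES)


def find_defaced(root):
    """Return sorted [(relative_path, generation_or_None)] for marked files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(READ_LIMIT)
            except OSError:
                continue  # unreadable file: keep sweeping the rest
            marker = MARKER.search(head)
            if marker is None:
                continue
            gen = GENERATION.search(head, marker.end())
            number = int(gen.group(1)) if gen else None
            hits.append((os.path.relpath(path, root), number))
    return sorted(hits)


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, number in find_defaced(webroot):
        print(f"DEFACED {rel} generation={'?' if number is None else number}")
```

Hits need review: any page that merely quotes the string, such as a forum thread about the worm, will also match.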


WebmasterWorld Administrator ianturner, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 27209 posted 2:19 pm on Dec 22, 2004 (gmt 0)

And it could just as easily have been Yahoo, MSN, Ask Jeeves or any minor search engine that was used for automated queries.

Once you can do one you can do them all.

I'm just amazed it has taken them this long to do the automated queries.


WebmasterWorld Senior Member 10+ Year Member

Msg#: 27209 posted 4:23 pm on Dec 22, 2004 (gmt 0)

There was a virus earlier this year that used Google queries as part of a DDOS attack against Microsoft (can't remember the name of it).

If you go to F-Secure's weblog, it looks as if it took G 7 hours from when they were first notified of the problem, to when they started blocking the query using the query string and the useragent profile.

7 hours.

When was the last time any other outfit had that kind of response time? Overall, I'm marking how G handled it as a win for them, in terms of security response time.


WebmasterWorld Senior Member encyclo, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 27209 posted 4:27 pm on Dec 22, 2004 (gmt 0)

Blaming Google for the worm is like blaming the Yellow Pages when a telemarketer calls: it is just a tool used by the worm, which could just as well have used MSN or Yahoo.

At least Google are working to mitigate the problem, and undoubtedly will learn from the experience and will be better prepared in the future.

There is no connection between this story and the GDS problems, apart from the desperate grab for headlines.


WebmasterWorld Administrator brett_tabke, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month

Msg#: 27209 posted 4:43 pm on Dec 22, 2004 (gmt 0)

> Blaming Google

Agreed, but it is up to Google to act when they know they are the major link in the conduit for a virus to propagate.


WebmasterWorld Senior Member googleguy, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 27209 posted 7:17 pm on Dec 22, 2004 (gmt 0)

I believe that our "Contact Us" page has a security-specific address; it could be that the people trying to reach us emailed to the main address. I wouldn't be surprised if our security team proactively reaches out to the anti-virus companies to make sure that they've got a specific email address that they can use next time.


10+ Year Member

Msg#: 27209 posted 7:19 pm on Dec 22, 2004 (gmt 0)

A security flaw in phpBB made the front page again? Half of this has nothing to do with Google security; the other half should read, "Industry applauds Google for speedy reaction."

Anyone running GDS is automatically protected, and as has already been stated, prank callers looking up numbers in a phone book is nothing new and nothing novel.


WebmasterWorld Senior Member whoisgregg, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 27209 posted 8:10 pm on Dec 22, 2004 (gmt 0)

This case is now over. The Santy worm is not spreading any more, thanks to Google.

Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.

(Above from the F-Secure weblog, removed link due to TOS.)

They also had voiced confusion over the right people to email at Google. Looks like F-Secure is linked up with the Google security folks now which should be an example for other anti-virus companies and other search engines. ;)

<edit>Forgot about no "blog" links.</edit>


10+ Year Member

Msg#: 27209 posted 8:48 pm on Dec 23, 2004 (gmt 0)

It's actually a PHP exploit; PHP should be upgraded to 4.3.10. phpBB and other forum software is just one way in. This really should have been taken care of by the hosting companies running the servers before the attacks, not after. I was attacked and don't even run phpBB on the sites affected.

Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.

[phpbb.com]


10+ Year Member

Msg#: 27209 posted 9:06 pm on Dec 23, 2004 (gmt 0)

Hey Google Guy, is that what it took to get you out of retirement? So now you're here, about the sandbox: when are you letting my sites out? Go on, spill the beans, it's Christmas. I won't tell Larry and Sergey!...


Msg#: 27209 posted 9:58 pm on Dec 23, 2004 (gmt 0)

Google security will take another beating once writers find out that people can knock off their competitor SERPS via 302 or Meta Refresh re-directs..

They can't say they weren't aware of it either. In addition to $billions, with power and market share comes responsibility and an obligation to try to do the right thing so little people don't get screwed.


10+ Year Member

Msg#: 27209 posted 10:55 pm on Dec 23, 2004 (gmt 0)

I agree with you and it's very hard to understand. Google said that a competitor would never be able to hijack your site, but it's here and it's real, and they are not saying anything or offering any comfort to the sites affected that it will be resolved.

kamran mohammed

10+ Year Member

Msg#: 27209 posted 6:23 am on Dec 24, 2004 (gmt 0)

Hey guys..

Even I was affected by this virus:

This site is defaced!
"NeverEverNoSanity" generation 18....

But that damn virus affected my two sites.
Lucky for me, I was checking my sites as usual and I found this message on my sites, and I was scared because I haven't seen such things earlier....

Well, anyway, I had the backup and I uploaded it.

I hope it will be fine.....and there will be no attack by the same virus....


WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved