| 1:46 pm on Dec 22, 2004 (gmt 0)|
|Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process. |
|Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results. |
It's back, showing about 1520 results today.
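The worm's footprint described above (specific extensions overwritten with a fixed marker string) is easy to check for on a server. This is an added example, not part of the original thread or of any reported tool: it walks a web root, flags files of the affected types that carry the marker, and parses the "generation" number when present. The directory tree is constructed inline for the demo.

```python
import re
import tempfile
from pathlib import Path

# Extensions the worm overwrote and the marker text it wrote (both from the report above).
DEFACED_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
MARKER = "This site is defaced!"
GENERATION_RE = re.compile(r"NeverEverNoSanity\s+WebWorm\s+generation\s*(\d+)", re.IGNORECASE)


def scan_webroot(root):
    """Walk a web root and return (posix relative path, generation or None) for every
    file of an affected type that carries the defacement marker, sorted by path."""
    hits = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DEFACED_EXTENSIONS:
            continue
        # Defaced files are tiny text files; tolerate odd bytes rather than failing.
        text = path.read_text(encoding="utf-8", errors="replace")
        if MARKER in text:
            m = GENERATION_RE.search(text)
            generation = int(m.group(1)) if m else None
            hits.append((path.relative_to(root).as_posix(), generation))
    hits.sort(key=lambda h: h[0])
    return hits


def build_sample_webroot():
    """Constructed sample tree (assumption, not real incident data): two defaced pages,
    one clean page, and a .txt file with the marker that the scan must ignore."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    files = {
        "index.php": "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation 18.",
        "forum/viewtopic.php": "This site is defaced! NeverEverNoSanity WebWorm generation 7.",
        "about.htm": "<html><body>Welcome to our site</body></html>",
        "notes.txt": "This site is defaced! (a note file, not a web page the worm touched)",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel_path, generation in scan_webroot(build_sample_webroot()):
        print(f"{rel_path}: defaced (generation {generation})")
```

Files flagged this way should be compared against a known-good backup rather than edited in place, since the worm replaced the whole file.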
| 2:19 pm on Dec 22, 2004 (gmt 0)|
And it could just as easily have been Yahoo, MSN, Ask Jeeves or any minor search engine that was used for automated queries.
Once you can do one you can do them all.
I'm just amazed it has taken them this long to do the automated queries.
| 4:23 pm on Dec 22, 2004 (gmt 0)|
There was a virus earlier this year that used Google queries as part of a DDOS attack against Microsoft (can't remember the name of it).
If you go to F-Secure's weblog, it looks as if it took G 7 hours from when they were first notified of the problem, to when they started blocking the query using the query string and the useragent profile.
When was the last time any other outfit had that kind of response time? Overall, I'm marking how G handled it as a win for them, in terms of security response time.
| 4:27 pm on Dec 22, 2004 (gmt 0)|
Blaming Google for the worm is like blaming the Yellow Pages when a telemarketer calls: it is just a tool used by the worm, which could just as well have used MSN or Yahoo.
At least Google are working to mitigate the problem, and undoubtedly will learn from the experience and will be better prepared in the future.
There is no connection between this story and the GDS problems, apart from the desperate grab for headlines.
| 4:43 pm on Dec 22, 2004 (gmt 0)|
> Blaming Google
Agreed, but it is up to Google to act when they know they are the major link in the conduit for a virus to propagate.
| 7:17 pm on Dec 22, 2004 (gmt 0)|
I believe that our "Contact Us" page has a security-specific address; it could be that the people trying to reach us emailed to the main address. I wouldn't be surprised if our security team proactively reaches out to the anti-virus companies to make sure that they've got a specific email address that they can use next time.
| 7:19 pm on Dec 22, 2004 (gmt 0)|
A security flaw in phpBB made the front page again? Half of this has nothing to do with Google security; the other half should read, "Industry applauds Google for speedy reaction."
Anyone running GDS is automatically protected, and as has already been stated, prank callers looking up numbers in a phone book is nothing new and nothing novel.
| 8:10 pm on Dec 22, 2004 (gmt 0)|
|This case is now over. The Santy worm is not spreading any more, thanks to Google. |
Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.
(Above from the F-Secure weblog, removed link due to TOS.)
They also had voiced confusion over the right people to email at Google. Looks like F-Secure is linked up with the Google security folks now which should be an example for other anti-virus companies and other search engines. ;)
<edit>Forgot about no "blog" links.</edit>
| 8:48 pm on Dec 23, 2004 (gmt 0)|
It's actually a PHP exploit; PHP should be upgraded to 4.3.10, and phpBB and other forum software is just one way in. This really should have been taken care of by the hosting companies running the servers before the attacks, not after. I was attacked and don't even run phpBB on the sites affected.
|Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematic functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) uses these two functions as a matter of course. |
| 9:06 pm on Dec 23, 2004 (gmt 0)|
Hey Google Guy, is that what it took to get you out of retirement? So now you're here, about the sandbox: when are you letting my sites out? Go on, spill the beans, it's Christmas, I won't tell Larry and Sergey!...
| 9:58 pm on Dec 23, 2004 (gmt 0)|
Google security will take another beating once writers find out that people can knock off their competitor SERPS via 302 or Meta Refresh re-directs..
They can't say they weren't aware of it either. In addition to $billions, with power and market share comes responsibility and an obligation to try to do the right thing so little people don't get screwed.
| 10:55 pm on Dec 23, 2004 (gmt 0)|
I agree with you and it's very hard to understand. Google said that a competitor would never be able to hijack your site, but it's here and it's real, and they are not saying anything or offering any comfort to the sites affected that it will be resolved.
| 6:23 am on Dec 24, 2004 (gmt 0)|
Even I was affected by this virus:
This site is defaced!
"NeverEverNoSanity" generation 18....
That damn virus affected two of my sites.
Lucky me that I was checking my sites as usual; I found this message on my sites and I was scared because I hadn't seen such things before....
Well, anyway, I had the backup and I uploaded it.
I hope it will be fine..... and there will be no attack by the same virus....