
phpBB vulnerability leads to fast-spreading worm.

Google searches helping to target sites?

         

grelmar

8:07 pm on Dec 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From F-Secure [f-secure.com]:

The first defacement we heard about happened today at around 15:00 GMT....

---

If you try to search for defaced sites using the MSN Search Engine, you will see an enormous amount of sites that have been defaced by the Santy.A worm. Search using the following text string:

"This site is defaced!" NeverEverNoSanity....

At this moment the search finds tens of thousands defaced websites! It should be noted that some of the defaced sites have been restored already, but many are still defaced...

Further up the weblog, it seems to indicate that if you have all the latest patches, you should be safe.

If you don't have all the latest patches, then this looks dangerous.

It's all related to the vulnerability/patch that was discussed in this thread [webmasterworld.com], so everyone here is patched and not among the thousands of defaced boards, right?

Chndru

9:45 pm on Dec 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not sure it was posted before..

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread... The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

Almost 40,000 sites may have already been infected. After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation X," according to Kaspersky.

[news.zdnet.com...]

philbish

10:28 pm on Dec 21, 2004 (gmt 0)

10+ Year Member



Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

6 million sites! That seems kinda high...

I just changed the footer on my forum to something like this:

Powered by phpBB

Will that prevent my site from showing up in searches of "powered by phpbb"?

buksida

10:05 am on Dec 22, 2004 (gmt 0)

10+ Year Member



One of my co-workers has it on his site, is there a quick fix for this? ... currently searching like mad as the entire site is down ....

Is a complete re-upload the only way to go? or will cleaning the worm off the server suffice?

rogerd

4:06 pm on Dec 22, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I've always advocated removing "software footprints" when possible. While I was more concerned about SE algo issues and human hackers, a SE-driven worm certainly shows the value of disguising your software. Now that the technique has been demonstrated, we'll probably see more mass attacks of this nature.

encyclo

4:12 pm on Dec 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Will that prevent my site from showing up in searches of "powered by phpbb"?

Not sure, but consult the comment in the overall_footer.tpl file for specific guidance. The request is to keep the link to the phpbb.com site in the "Powered by" line.

However, I think that you would be entirely respecting the license in spirit as well as by the letter if you were to alter the phrase to something similar but differently-worded. Try "Built with phpBB", "Made with phpBB technology", "Forum software developed by the phpBB community". At worst, you could write it out with JavaScript.

Bear in mind that the GPL license does not actually force you into keeping the phpBB link, but it is respectful to the community that built the product and it may affect your chances of getting technical support from them if you don't keep it.

In a similar vein, I've mentioned before about one of the advantages of using one of the SEO mods for phpBB which changes the filenames with mod_rewrite: a simple search for "viewtopic.php" gives you a long list of phpBB forums too, so if yours doesn't use that pattern, it helps stay under the radar.

The same goes for vBulletin and other such packages too: and many of them require specific copyright declarations which are much less flexible than for phpBB.

rogerd

4:32 pm on Dec 22, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>>The same goes for vBulletin

Quite true. Fortunately, the truly paranoid can pay a fee to allow removing the footer notices. I did this for one site earlier this year; it wasn't too costly compared to the other expenses of running a major forum.

I started a new thread in Web Gen on Removing Software Footprints [webmasterworld.com].

benevolent001

4:49 pm on Dec 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am concerned about this as I am using phpBB on one of my websites; I updated it to the latest 2.0.11 last week.

What extra precautions are needed, so that I may alert my host?

Neo541

5:50 pm on Dec 22, 2004 (gmt 0)

10+ Year Member



Fortunately, the truly paranoid can pay a fee to allow removing the footer notices.

HEY!

Oh wait, you're right, I am paranoid! :)

Just because I'm paranoid does not mean they aren't out to get me!

walkman

6:11 pm on Dec 22, 2004 (gmt 0)



Plenty of sites (at least 300) have already been defaced.

[google.com...]

Once they clean up they'll find that they have dupe penalties from Google too.

Romeo

10:35 pm on Dec 22, 2004 (gmt 0)

10+ Year Member



A search for "NeverEverNoSanity WebWorm Generation" shows 1480 hits on Google.

Today's diary at [isc.sans.org...] has this info:
According to [news.zdnet.com...] Google has deactivated queries essential to Santy's propagation, which should lead to its dying off.

The same search on beta.search.msn.com shows 131.635 hits.

Regards,
R.

grelmar

12:50 am on Dec 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you're running 2.0.11 you were safe against this attack, and Google is blocking the request string the worm was using to find new boards, so the attack is basically over.

An interesting side note to the whole thing:

The msn beta SERPS were consistently "ahead of the curve" as compared to google in terms of listing the number of boards hit.

MSN is crawling harder, right now, methinks.

buksida

6:29 am on Dec 23, 2004 (gmt 0)

10+ Year Member



So nobody knows how to fix this then?

I presume cleaning it off the server, upgrading phpBB, and uploading the entire site again is the only way?!?!

grelmar

7:43 am on Dec 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I think I saw something earlier today, but it fell under the "doesn't affect me" radar, so I kinda read past it...

See if I can find it again.

Cormega

4:57 pm on Dec 29, 2004 (gmt 0)



Yeah, I agree with buksida, has anyone figured out a simple way around this? Is there a way to restore the forum, or is it lost?

grelmar

5:46 pm on Dec 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I believe, from what I've read, that if you simply upload the latest version of phpBB over top (version 2.0.11) then it should work. It just overwrites the old forum software, and the parts that were affected by the virus, but leaves the message database intact.

Now, I haven't actually done it, because I managed to avoid having anything I'm involved with affected, but that seems to be the prevailing method of dealing with it, and I know of other people who've done this and had it fix the problem.
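
Added example, not part of any post in this thread: a triage scan for the cleanup question raised above, listing which pages in a web root carry the defacement text quoted earlier so you know what has to be re-uploaded. The function names, the extension list (mapped from the file types named in the quoted report) and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Marker text quoted in the thread, lower-cased for a case-insensitive match.
MARKERS = (b"this site is defaced", b"neverevernosanity")
# Assumed extensions for the file types the report names (HTML, PHP, ASP, JSP, SHTML).
EXTENSIONS = {".htm", ".html", ".php", ".asp", ".jsp", ".shtm", ".shtml"}


def scan_webroot(root, head_bytes=4096):
    """Return (defaced, intact) lists of paths relative to root, both sorted."""
    defaced, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue  # images, templates etc. are not in the named file types
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes).lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, root)
            (defaced if any(m in head for m in MARKERS) else intact).append(rel)
    return sorted(defaced), sorted(intact)


def build_sample_tree(root):
    """Constructed sample docroot: two overwritten pages, one clean, one image."""
    os.makedirs(os.path.join(root, "forum"))
    note = b"This site is defaced! NeverEverNoSanity WebWorm generation X"
    samples = {
        "index.html": note,
        os.path.join("forum", "viewtopic.php"): note,
        os.path.join("forum", "config.php"): b"<?php $dbhost = 'localhost'; ?>",
        "logo.gif": b"GIF89a",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hit, clean = scan_webroot(tmp)
        print("defaced:", hit)
        print("intact: ", clean)
```

Point `scan_webroot` at your own document root; every path in the first list needs restoring from a backup or a fresh phpBB package, and the upgrade to the patched release is still required afterwards.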