NeverEverNoSanity - new worm destroying forums?
10:17 am on Dec 21, 2004 (gmt 0)

New User

Anyone heard of this new worm?

NeverEverNoSanity

Do a search on MSN beta to see the sites affected!

12:54 pm on Dec 21, 2004 (gmt 0)

Junior Member

It's hit me twice in 24 hours. Anyone know how this is getting in and changing files? Seems to only affect .html and .php files.

12:54 pm on Dec 21, 2004 (gmt 0)

New User

My site is affected as well.

The rumours are it's either a hole in phpBB or a hole in PHP.

But it seems to compromise whole servers.

At my site it was at generation 18.

12:57 pm on Dec 21, 2004 (gmt 0)

Junior Member

I got versions 10 and 20.

So how do we keep this from happening again?

1:19 pm on Dec 21, 2004 (gmt 0)

New User

It seems to be a problem with PHP.

Apparently everyone with PHP<4.3.10 is vulnerable.

PHP.net:
PHP 4.3.10 & 5.0.3 released!
[15-Dec-2004] The PHP Development Team would like to announce the immediate release of PHP 4.3.10 and PHP 5.0.3. These are maintenance releases that in addition to non-critical bug fixes address several very serious security issues. All Users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible.

2:15 pm on Dec 21, 2004 (gmt 0)

Junior Member

I upgraded to 4.3.10 (PHP Version 4.3.10) and just got whacked again with version 21 of this thing. Not sure the PHP upgrade is stopping it.

2:35 pm on Dec 21, 2004 (gmt 0)

New User

PHPBB.com posted a workaround:
[phpbb.com...]
---------------------------------------------------------

Following my original post it has been brought to our attention that the highlighting exploit can be taken advantage of, and in a serious way. We are hastily preparing a new release. However, that release contains a number of other fixes and additions and thus we are carrying out some internal testing to limit the chances of other issues arising.

In the meantime we strongly, and I mean strongly, urge all our users to make the following change to viewtopic.php as a matter of urgency.

Open viewtopic.php in any text editor. Find the following section of code:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

    for($i = 0; $i < sizeof($words); $i++)
    {

and replace with:
Code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
    // Split words and phrases
    $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

    for($i = 0; $i < sizeof($words); $i++)
    {

Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.

2:36 pm on Dec 21, 2004 (gmt 0)

Junior Member

This worm affects webservers using the vulnerable versions of PHP and phpBB. Even if your site DOES NOT run phpBB, if someone else's site does (shared host), your site is vulnerable.

What's going on:

- It's looking for URLs containing "viewtopic.php" via Google
- via the highlight exploit they use system() and fwrite() calls to place the worm code somewhere on the file system
- php, htm files (and others) are overwritten in all directories accessible from the web root.

Contact your host if you have questions concerning the security measures that they have put in place.

2:41 pm on Dec 21, 2004 (gmt 0)

New User

According to someone working @ Kaspersky:

"Detection added as Net-Worm.Perl.Santy.a.

RED alert for this worm..."

So now you know its name :P

3:42 pm on Dec 21, 2004 (gmt 0)

New User

Same thing happened to my site: defaced by generation 17 of this worm.

Funny -- when I search for "NeverEverNoSanity" on Google or Yahoo, I get no results. Searching on MSN Search Beta gives me about 38,000 pages -- all of which seem to be message board focussed.

At what point do I restore my site? I don't want to do it if there are malicious scripts on my server that could affect my visitors. How do I know for sure?

3:47 pm on Dec 21, 2004 (gmt 0)

Junior Member

Is it your server or is it hosted? If it is yours, hose it and start from a "clean" backup - you did back up, didn't you...

If it is hosted, tell them to hose it and why, then restore from a "clean" backup of your site, including your database. Your database server should just need the tables dropped and re-populated from the backup.
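The two questions the thread keeps circling back to are "how do I know for sure my space is clean?" and "what do I restore from the backup?". The earlier post lists what the worm does on disk (pages overwritten under the web root, worm code dropped somewhere on the file system), so a practical check before restoring is to diff the live tree against the clean backup by content hash and, separately, look for the defacement marker. The script below is an added example written for this thread, not code from any poster, phpBB or Kaspersky. The marker string "NeverEverNoSanity" comes from the thread; the exact wording of the defaced page and the "generation N" text are assumptions, and the sample trees are constructed in a temporary directory so it runs offline.

```python
"""Compare a live web root against a known-clean backup.

Reports three things a site owner wants before restoring:
  - files whose content differs from the backup (overwritten pages)
  - files that exist only in the live tree (possible dropped worm code)
  - files carrying the defacement marker, with the generation number if found

Added example for the thread above; not phpBB's or any poster's code.
"""
import hashlib
import re
import tempfile
from pathlib import Path

MARKER = "NeverEverNoSanity"                     # from the thread
# The "generation N" wording is an assumption about the defacement text.
GENERATION_RE = re.compile(r"generation\s+(\d+)", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def scan_webroot(live: Path, backup: Path) -> dict:
    """Diff the live tree against the clean backup and flag the marker."""
    live_h, backup_h = tree_hashes(live), tree_hashes(backup)
    report = {"modified": [], "new": [], "defaced": {}}
    for rel, digest in sorted(live_h.items()):
        if rel not in backup_h:
            report["new"].append(rel)          # nothing like it in the clean copy
        elif backup_h[rel] != digest:
            report["modified"].append(rel)     # content changed since the backup
        text = (live / rel).read_bytes().decode("utf-8", errors="replace")
        if MARKER in text:
            m = GENERATION_RE.search(text)
            report["defaced"][rel] = int(m.group(1)) if m else None
    return report


def build_sample_trees(base: Path):
    """Construct a clean backup and a 'live' tree with one overwritten page
    and one dropped file. All contents here are made up for the demo."""
    backup, live = base / "backup", base / "live"
    (backup / "forum").mkdir(parents=True)
    (live / "forum").mkdir(parents=True)
    clean_index = "<html><body>Welcome to my site</body></html>\n"
    clean_view = "<?php\n// constructed stand-in, not phpBB's viewtopic.php\necho 'topic';\n"
    for root in (backup, live):
        (root / "index.html").write_text(clean_index)
        (root / "forum" / "viewtopic.php").write_text(clean_view)
    # Live copy: the front page overwritten with the (assumed) defacement text
    (live / "index.html").write_text(
        "<html><body>This site is defaced!!! "
        "NeverEverNoSanity WebWorm generation 18.</body></html>\n")
    # Live copy: a file that has no counterpart in the backup
    (live / "forum" / "dropped.php").write_text("<?php // constructed stand-in for a dropped file\n")
    return live, backup


def demo() -> dict:
    """Run the scan over the constructed sample trees."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_sample_trees(Path(tmp))
        return scan_webroot(live, backup)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Against a real site, point `scan_webroot()` at the hosting account's document root and at the unpacked clean backup. Anything under "new" is what a plain "restore the backup over the top" would leave behind, which is why the advice in this thread is to wipe the space first and then restore; the hash comparison also catches overwritten pages that no longer contain the marker text.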

3:59 pm on Dec 21, 2004 (gmt 0)

New User

Thanks I will ask the hosting provider to clean up my server space - Yes I did backup.

But I just turned off adwords/overture ads to my site this morning -- it's maddening to think I was paying to get visitors to the defaced site from 2 AM this morning. I hope whoever did this fries in hell $%!#%%.

4:01 pm on Dec 21, 2004 (gmt 0)

Junior Member

Amen to that!

11:36 pm on Dec 21, 2004 (gmt 0)

Junior Member

Interesting entry at F-Secure blog [f-secure.com]:

Google could stop the Santy worm right now
Posted by Mikko @ 19:12 GMT

We've been trying to reach the right persons at Google for the past hours... they could stop this Santy outbreak right now simply by stopping responding to the queries the virus uses. This wouldn't hurt any end users and would in fact take load off from Google servers.

Don't any of our readers know any hardcore techies working at the right places in Google? Ask them to get in touch with us by mailing to weblog at our domain - thanks!

11:45 pm on Dec 21, 2004 (gmt 0)

Full Member

Article on ZDNet about this [news.zdnet.com]

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

11:55 pm on Dec 21, 2004 (gmt 0)

Full Member

maxM: thanks for that. that's a pretty good idea, imho. i wonder if it will happen, though...

-kpaul

12:10 am on Dec 22, 2004 (gmt 0)

Full Member

Ya know, reading that ZDNet article about it, MSN Search looks really good (you can 'see' the defaced sites there, i.e. the results are current). However, the mention of Google is negative, i.e. the script is using Google to spread...

-kpaul