In an alert posted on the Gartner Web site, analysts Whit Andrews and Ray Wagner said that even though Google quickly fixed the bug by rolling out an auto update, "Gartner still advises caution in enterprise deployment of this tool."
[news.com.com...]
The Santy.a worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure.
Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.
Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.
[informationweek.com...]
It's back, showing about 1520 results today.
If you go to F-Secure's weblog, it looks as if it took G 7 hours from when they were first notified of the problem, to when they started blocking the query using the query string and the useragent profile.
7 hours.
When was the last time any other outfit had that kind of response time? Overall, I'm marking how G handled it as a win for them, in terms of security response time.
At least Google are working to mitigate the problem, and undoubtedly will learn from the experience and will be better prepared in the future.
There is no connection between this story and the GDS problems, apart from the desperate grab for headlines.
Anyone running GDS is automatically protected, and as has already been stated, prank callers looking up numbers in a phone book is nothing new and nothing novel.
This case is now over. The Santy worm is not spreading any more, thanks to Google. Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.
They also had voiced confusion over the right people to email at Google. Looks like F-Secure is linked up with the Google security folks now which should be an example for other anti-virus companies and other search engines. ;)
<edit>Forgot about no "blog" links.</edit>
Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) uses these two functions as a matter of course.
They can't say they weren't aware of it either. In addition to $billions, with power and market share comes responsibility and an obligation to try to do the right thing so little people don't get screwed.
Even I was affected by this virus.
This site is defaced!
"NeverEverNoSanity" generation 18....
But that damn virus affected my two sites..
Lucky me that I was checking my sites as usual and I found this message on my sites, and I was scared because I haven't seen such things earlier....
Well, anyway, I had the backup and I uploaded it.
I hope it will be fine.....and there will be no attack by the same virus....
KaMran..
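
The InformationWeek excerpt quoted earlier in this thread lists the file types the worm overwrites and the marker text it leaves behind. The following Python scan is an added example, not part of any post here: it walks a web root and reports which files of those types carry the marker, so they can be restored from backup. The function names, the 4 KB read limit, and the assumption that a generation number follows the word "generation" are this example's own.

```python
import os
import re

# Extensions the quoted article says the worm overwrites.
TARGET_EXTS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
MARKER = b"NeverEverNoSanity"
# Assumption: a generation number, when present, follows the word "generation".
GENERATION_RE = re.compile(rb"generation\s*(\d+)", re.IGNORECASE)
# Assumption: an overwritten file holds the marker near its start.
HEAD_BYTES = 4096


def scan_webroot(root):
    """Return {relative_path: generation or None} for files carrying the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if MARKER not in head:
                continue
            match = GENERATION_RE.search(head)
            hits[os.path.relpath(path, root)] = int(match.group(1)) if match else None
    return hits


def build_sample_tree(root):
    """Write a small constructed docroot (sample data, not real captures)."""
    defaced = b"This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation"
    samples = {
        "index.htm": defaced + b" 18.",
        os.path.join("forum", "viewtopic.php"): defaced + b".",
        "about.htm": b"<html><body>About us</body></html>",
        "notes.txt": b"Article about NeverEverNoSanity",  # not a targeted type
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
```

Call `scan_webroot()` on the document root; every path it returns should be compared against a known-good backup before being put back in service.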