UPDATED: Santy-A fumes through Internet forums

[MgA]ODEN
Site Admin
Posts: 1280
Joined: Fri Dec 19, 2003 6:01 pm
Location: Spring, Texas

Post by [MgA]ODEN »

By Bill Brenner, News Writer
21 Dec 2004 | SearchSecurity.com

Santy-A's march should slow to a crawl now that Google has deactivated queries essential to its ability to spread. But the worm has already infected about 40,000 Web sites, security experts say.

"Google has deactivated queries essential to Santy's propagation, which should lead to its dying off (or by this point gone-ness)," John Bambenek, a handler for the Bethesda, Md.-based SANS Internet Storm Center, said in a posting on the center's Web site Wednesday morning. But, he warned, "This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to re-launch this worm. Time will tell."

Google took action late Tuesday at the urging of antivirus firms. Earlier in the day, the worm played havoc with certain Web sites by exploiting a security hole in PHPbb, a popular program used to create Internet forums.

Russian-based Kaspersky Lab was among the first to report sightings of Santy-A, labeling it a severe risk. The firm said Santy-A had spread in "epidemic" proportions. "However, this does not directly affect end users," the firm said in a statement. "Although the worm infects Web sites, it does not infect computers used to view these sites."

Kaspersky added, "Santy-A is something of a novelty. It creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of PHPbb. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine."

Once the worm dominates a site, it scans all the directories. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm are overwritten with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation."

Apart from defacing infected sites with this text, Kaspersky said the worm has no payload. It will not infect machines used to view compromised sites. The firm recommends PHPbb users upgrade to version 2.0.11 to keep their sites from being defaced.

Finnish security firm F-Secure Corp. and Lynnfield, Mass.-based Sophos also confirmed sightings of Santy-A.

"It's out there. It's spreading. It seems to be pretty bad," Mikko Hypponen, F-Secure's director of AV research, said in an e-mail. "It's a Perl worm searching [for] vulnerable forum sites via Google. When hit, the site gets defaced and restarts Google scanning."

"I know that security holes have been found in PHPbb's software in the past, so it is important that people keep up to date with their security patches and latest revisions," Graham Cluley, senior technology consultant for antivirus firm Sophos, said in an e-mail.

Reston, Va.-based iDefense reiterated that advice. Ken Dunham, the company's director of malicious code, said the worm may be exploiting a recent SQL injection vulnerability for PHPbb 2.0.10 reported Nov. 29. "If that is the case, this worm was rapidly authored and deployed, just a few weeks following the vulnerability announcement," he said in a statement.
Last edited by [MgA]ODEN on Wed Jun 22, 2005 1:49 pm, edited 1 time in total.
[MgA]ODEN
Site Admin
Posts: 1280
Joined: Fri Dec 19, 2003 6:01 pm
Location: Spring, Texas

Post by [MgA]ODEN »

[MgA]ODEN wrote: The firm recommends PHPbb users upgrade to version 2.0.11 to keep their sites from being defaced.
PyRO Forums Powered by phpBB 2.0.4
MgA Forums Powered by phpBB 2.0.6
GXA Forums Powered by phpBB 2.0.10
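As an added, defender-side example (not from the article or from anyone in this thread): a Python script that checks a "Powered by phpBB x.y.z" footer like the ones listed above against the 2.0.11 fix version the article cites, and scans a web root for files with the extensions the article names that were overwritten with the quoted defacement marker. The web root and footer strings are constructed for the demo, and the function names (`needs_upgrade`, `find_defaced_files`) are my own.

```python
"""Defender-side checks for the Santy-A scenario in the article (constructed example)."""
import os
import re
import tempfile

# Marker text the article quotes, and the extensions it says the worm overwrote.
DEFACE_MARKER = "NeverEverNoSanity WebWorm generation"
TARGET_EXTS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
FIXED_VERSION = (2, 0, 11)  # phpBB release the article says closes the hole

def parse_phpbb_version(footer: str):
    """Return (major, minor, patch) from a 'Powered by phpBB x.y.z' footer, else None."""
    m = re.search(r"phpBB\s+(\d+)\.(\d+)\.(\d+)", footer)
    return tuple(int(g) for g in m.groups()) if m else None

def needs_upgrade(footer: str) -> bool:
    """True when the reported version is below 2.0.11 or cannot be parsed."""
    # Tuples compare numerically (2.0.4 < 2.0.10 < 2.0.11); a string compare
    # would wrongly rank "2.0.4" above "2.0.11".
    ver = parse_phpbb_version(footer)
    return ver is None or ver < FIXED_VERSION

def find_defaced_files(webroot: str):
    """Walk webroot; return files with a target extension that carry the marker."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)  # an overwritten file is just the marker text
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if DEFACE_MARKER in head:
                hits.append(path)
    return sorted(hits)

def demo_webroot() -> str:
    """Build a constructed web root: a clean page, an overwritten page, a .txt decoy."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    os.makedirs(os.path.join(root, "forum"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(os.path.join(root, "forum", "viewtopic.php"), "w") as fh:
        fh.write("This site is defaced!!! This site is defaced!!! " + DEFACE_MARKER)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write(DEFACE_MARKER)  # not a target extension, so the scan must ignore it
    return root
```

Run `find_defaced_files(demo_webroot())` to see only `forum/viewtopic.php` reported; pointing it at a real web root is the same call.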
[MgA]TiMeX
[MgA]Clan Captain
Posts: 1410
Joined: Wed Dec 17, 2003 9:04 pm
Location: Iowa

Post by [MgA]TiMeX »

Maybe we shouldn't announce this in public??!!??

Just a thought.

}You can kill me but I'll only come back to haunt you{
[MgA]RockCrusher
[MgA]Clan Captain
Posts: 1238
Joined: Wed Dec 17, 2003 7:48 pm
Location: Toronto, ON CANADA

Post by [MgA]RockCrusher »

[MgA]ODEN wrote:
[MgA]ODEN wrote: The firm recommends PHPbb users upgrade to version 2.0.11 to keep their sites from being defaced.
PyRO Forums Powered by phpBB 2.0.4
MgA Forums Powered by phpBB 2.0.6
GXA Forums Powered by phpBB 2.0.10
The only site I can patch is GXA. Killa and *XXX* have to take care of the other sites, as it needs shell and FTP access, neither of which I have.
....missing Q3X LAN Parties...
*PyRO*Killathug
Don't you have someplace to be?
Posts: 299
Joined: Mon Dec 22, 2003 6:05 pm

Post by *PyRO*Killathug »

Wonder if it's for real? :shock:

I also am the owner of a CS 1.6 pub-clan server called Beers and Blunts.
[MgA]ODEN
Site Admin
Posts: 1280
Joined: Fri Dec 19, 2003 6:01 pm
Location: Spring, Texas

Post by [MgA]ODEN »

*PyRO*Killathug wrote: Wonder if it's for real? :shock:
Would you rather wait and find out?