 dualsmp join:2001-08-25 Charlotte, NC | WebWorm generation 14? Anyone familiar with this worm? I've seen two forums with this defacement today. Is there a worm floating around which targets forums?
»theoildrop.server101.com/cgi/ultimatebb.cgi
This site is defaced!!!
--------------------------------------------------------------------------------
NeverEverNoSanity WebWorm generation 14.
dualsmp join:2001-08-25 Charlotte, NC | Here is a low quality screenshot before the forum gets fixed.
kabhal (Premium) join:2002-02-05 Oklahoma City, OK 3 edits | Hmm... looks like it's all over the place. »www.google.com/search?hl=en&q=%2···ation%22
EDIT: »www.freerepublic.com/focus/f-new···14/posts
 cjgross join:2001-08-07 Saint Paul, MN | check this out: »news.zdnet.com/2100-1009_22-5499···=nl.e589
It appears to hit servers running PHP and phpBB. Update your PHP to version 5.0.3 and above. It uses google to find other phpBB sites to infect. It deletes all .PHP, .HTM, .ASP pages and replaces them with the infected files. Nasty little worm.
Chris
| reply to dualsmp: How to fix the problem?
Link Logger (Premium, MVM) join:2001-03-29 Calgary, AB kudos:3 | reply to dualsmp: Santy Worm, you had to know this was coming as it's based on the PHP Forums exploit. It's almost like the return of Poison Box from May of 2001, a simple defacement worm with a couple of goodies. It is however rather selective as it uses Google to find potential victims, so we have not seen any significant increase in attack traffic here.
»www.msnbc.msn.com/id/6742668
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
BRT2 @customer.gent.belnet | Well, I had the problem too. My forum and counter wouldn't work and I also got that screen. I uploaded the files again and now it all works, but is the webworm deleted or not?
kpatz (MY HEAD A SPLODE, Premium) join:2003-06-13 Manchester, NH 2 edits | You're probably OK, BRT2, but you should upgrade PHP and phpBB to the latest versions that aren't vulnerable.
Also, running a virus scan on your server would be a good idea, if possible, to root out any remaining infected files. For example, a copy of the worm is placed in a file named m1ho2of.
PHP 4.3.10 or 5.0.3
Zend Optimizer 2.5 (needed for PHP 4.3.10, if your server uses Zend Optimizer)
phpBB 2.0.11
-- SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.
John2g (Qui Tacet Consentit, Premium) join:2001-08-10 England | reply to dualsmp: »www.theregister.co.uk/2004/12/21/santy_worm/
| reply to dualsmp: CERT link to the problem »www.us-cert.gov/cas/techalerts/T···56A.html
quote:
phpBB is an open-source bulletin board application. It fails to properly perform an urldecode() on the "highlight" parameter supplied to viewtopic.php. This may allow a remote attacker to execute arbitrary commands on a vulnerable server.
According to reports, this vulnerability is being actively exploited by the Santy.A worm. The worm appears to propagate by searching for the keyword "viewtopic.php" in order to find vulnerable sites.
-- My family site
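As an added example (not code from the thread or from any poster), here is a small Python access-log scanner that applies the point in the CERT note above: url-decode the "highlight" value of viewtopic.php requests before inspecting it, so that double-encoded values, code-like characters, and the m1ho2of filename kpatz mentions are caught. The log lines, IPs and paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters a legitimate search-term highlight never needs. The CERT note above
# says phpBB checked "highlight" before url-decoding it, so decode first, then inspect.
SUSPICIOUS_CHARS = set("'\"()$;`")
WORM_FILE = "m1ho2of"  # dropper filename mentioned earlier in this thread
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # client IP, request target

LOG_LINES = [  # constructed Apache-style lines, not real traffic
    '203.0.113.5 - - [21/Dec/2004:10:01:02 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=santy HTTP/1.0" 200 5120',
    '203.0.113.9 - - [21/Dec/2004:10:02:13 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527%2529 HTTP/1.0" 200 614',
    '203.0.113.7 - - [21/Dec/2004:10:03:40 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9001',
]

def decode_fully(value, rounds=3):
    """Url-decode repeatedly (bounded) so double-encoding cannot hide characters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_url(url):
    """Reason string if the request abuses the viewtopic.php highlight parameter, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("viewtopic.php"):
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if key != "highlight":
            continue
        once, full = unquote(raw), decode_fully(raw)
        if WORM_FILE in full:
            return "highlight references the worm dropper filename"
        if SUSPICIOUS_CHARS & set(full):
            hint = " (double url-encoded)" if once != full else ""
            return "highlight decodes to code-like characters" + hint
    return None

def scan_log(lines):
    """Return (client_ip, url, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        reason = inspect_url(m.group(2)) if m else None
        if reason:
            hits.append((m.group(1), m.group(2), reason))
    return hits
```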
| Santy Worm, I'm getting this on virtual servers where I'm not running PHP or phpBB. Can it infect other accounts?
Schouw (Premium) join:2003-05-29 Netherlands | reply to dualsmp
Re: WebWorm generation 14? »www.viruslist.com/en/weblog?webl···56679222
See the last paragraph.
Quite a lot of people have been victimized because another site using the same host was using phpBB 'pre 2.0.11'. -- Not speaking for Kaspersky Lab
Link Logger (Premium, MVM) join:2001-03-29 Calgary, AB kudos:3 | said by Schouw: Quite a lot of people have been victimized because another site using the same host was using phpBB 'pre 2.0.11'. Time to start slapping your provider around, as once again an old vulnerability is used to exploit systems which are run by people who are unable to understand the concept of staying anywhere near current in terms of applying patches. Wonder what other known vulnerabilities they have left open and are just waiting to be exploited?
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
| reply to dualsmp: Yep, it seems everywhere. I was looking at a heavy metal radio site on the web and it got defaced too...
»www.hotmetalradio.com/audio/remote.htm