LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-21-2004, 01:50 PM   #1
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
WARN: Possible PHP Worm


A number of Linux websites running PHP have been defaced in the last 24 hours. ISC is reporting a worm dubbed "Santy.A" is in the wild that exploits the "highlight" vulnerability in phpBB versions 2.0.10 and earlier. Sites exploited by this worm have reported that all writable .htm, .shtml, .asp, and .php pages are overwritten with:

This site is defaced!!!
This site is defaced!!!
NeverEverNoSanity WebWorm generation N

(where N is some integer)

All users of vulnerable phpBB versions are advised to upgrade to version 2.0.11. See the following advisories for more info:

http://isc.sans.org/diary.php
http://www.securityfocus.com/archive...8/2004-12-24/0
http://www.viruslist.com/en/viruses/...?virusid=68388
http://www.f-secure.com/v-descs/santy_a.shtml
http://secunia.com/advisories/13239/

Last edited by Capt_Caveman; 12-21-2004 at 01:54 PM.
 
Old 12-21-2004, 06:01 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
UPDATE: There is indeed a phpBB worm in the wild. It appears to harvest a list of potentially vulnerable sites using a Google search for vulnerable phpBB versions.

SANS ISC has made Snort sigs available and provided an updated analysis of the worm's infection routines.

Thanks to mikedeatworld for posting what was likely one of the very initial infections yesterday.
 
Old 12-22-2004, 04:23 AM   #3
jamaso
Member
 
Registered: Oct 2001
Location: brasil
Distribution: mdrk 8.0,redht7.1,debianpotato
Posts: 615

Rep: Reputation: 30
I just saw something about it and was curious whether it affects only open source or not. How accurate is this news?

http://www.pcworld.com/news/article/0,aid,119024,00.asp
 
Old 12-22-2004, 09:22 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
Since the vulnerability isn't in any particular operating system, but rather in the phpBB application, it looks like it would infect any UNIX or UNIX-like operating system (Linux/BSD) that is running a version of phpBB earlier than 2.0.11. The system would also need Perl installed for it to be able to infect other hosts. I doubt whether an OS is open or closed-source matters; I think they were just referring to the phpBB software as being "open-source" in the article.
 
Old 01-02-2005, 10:42 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
In related news, there is an Anti-Santy worm (aka Net-Worm.Perl.Asan.a) in the wild which reportedly fixes the "Highlight" vulnerability that Santy used for infection. The Anti-Santy worm also apparently defaces web pages with the following text:

"viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."

Several Santy variants have also been detected along with reports of worms exploiting actual PHP vulnerabilities (not the phpBB highlight bug). Those utilizing any form of PHP or phpBB are strongly urged to upgrade to current versions.
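As an added example that is not part of this thread (and not phpBB's or the worm's code), the following Python script does the first triage step after a report like the ones in post #1 and the post above: it walks a web root, opens files with the extensions the first post says the worm overwrites (.htm, .shtml, .asp, .php; .html is added here as an assumption), and reports which of the two quoted markers each file carries together with the Santy "generation N" number or the Anti-Santy version. The sample web root built by build_sample_webroot() is constructed for the demo; the 4 KiB read limit is an assumption based on the worm replacing whole files.

```python
"""Triage scan for the Santy / Anti-Santy defacement markers quoted in the thread.

Added example, not code from the thread, from phpBB, or from the worm itself.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, Optional, Tuple

# Markers exactly as quoted in the thread.
SANTY_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")
ANTI_SANTY_RE = re.compile(r"secured by Anti-Santy-Worm V(\d+)")
DEFACED_LINE = "This site is defaced!!!"

# Extensions listed in post #1, plus .html (assumption).
TARGET_EXT = {".htm", ".html", ".shtml", ".asp", ".php"}


def classify(text: str) -> Optional[Tuple[str, int]]:
    """Return (marker, number) for a defaced page, or None if no marker is present.

    number is the Santy generation N, the Anti-Santy version, or 0 when only the
    generic "defaced" line is found (a variant that dropped the generation line).
    """
    m = SANTY_RE.search(text)
    if m:
        return ("santy", int(m.group(1)))
    m = ANTI_SANTY_RE.search(text)
    if m:
        return ("anti-santy", int(m.group(1)))
    if DEFACED_LINE in text:
        return ("defaced-unknown", 0)
    return None


def scan_webroot(root: str) -> Dict[str, Tuple[str, int]]:
    """Map each defaced file (path relative to root, '/'-separated) to classify()'s result."""
    hits: Dict[str, Tuple[str, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                # The worm overwrites the whole file, so the marker sits at the top;
                # reading only the first 4 KiB keeps the scan cheap on large files.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            result = classify(head)
            if result is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = result
    return hits


def build_sample_webroot() -> str:
    """Create a throwaway web root: two defaced files and one clean file (constructed data)."""
    root = tempfile.mkdtemp(prefix="santy-demo-")
    os.makedirs(os.path.join(root, "forum"))
    samples = {
        "index.php": "This site is defaced!!!\nThis site is defaced!!!\n"
                     "NeverEverNoSanity WebWorm generation 3\n",
        "forum/viewtopic.php": "viewtopic.php secured by Anti-Santy-Worm V4. "
                               "Your site is a bit safer, but upgrade to >= 2.0.11.\n",
        "about.htm": "<html><body>About this site</body></html>\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    try:
        for rel, (marker, n) in sorted(scan_webroot(demo_root).items()):
            print(f"{rel}: {marker} (n={n})")
    finally:
        shutil.rmtree(demo_root)
```

On a real host you would call scan_webroot() on the actual document root and then compare the mtimes of the hits; because the worm could only overwrite files the web server user could write to, the list of hits is also a list of files whose permissions were too loose and which need restoring from a known-good backup rather than just being edited.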
 
Old 01-03-2005, 04:58 PM   #6
tamoneya
Member
 
Registered: Jan 2005
Location: MA
Distribution: Ubuntu 7.10
Posts: 558

Rep: Reputation: 30
santy variants

The Google version (Santy.A) has been blocked by Google. However, there are variants in Yahoo and MSN.
 
Old 01-22-2005, 02:33 AM   #7
hardcorelinux
Member
 
Registered: Jan 2005
Location: India
Distribution: RHEL,CentOS,SUSE,Solaris10
Posts: 183

Rep: Reputation: 31
Is there any security fix for phpBB 2.0.10 (I mean some sort of script or something), because I want to avoid upgrading?
 
Old 01-22-2005, 10:00 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 57
You can apply a patch that fixes the vulnerabilities, but you'd still need to apply the patch, recompile and reinstall. So unless you've got some custom mods, you may just want to install the new version. If you do decide to patch, there are some brief instructions here:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636

You can also use mod_rewrite to block Santy requests, like this:
http://ravenphpscripts.com/postt4113.html

Note that it would be trivial to change Santy's User-Agent, which would get around the rewrite rule, so that shouldn't be used as a substitute for patching.
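To make the caveat in the post above concrete, here is an added Python example (not code from the thread, from phpBB, or from the linked mod_rewrite rule) that runs two filters over constructed sample requests. block_by_ua() mimics the User-Agent blocklist approach of a rewrite rule; check_highlight() instead looks at the viewtopic.php "highlight" parameter that the worm abuses and flags values that are not plain search words. The blocked User-Agent string, the "plain search word" character set, and the sample requests (including the "%2527PLACEHOLDER" value, which is just a double-encoded quote followed by filler) are all assumptions for the demo: the thread gives neither Santy's real User-Agent nor its request line.

```python
"""User-Agent blocking versus checking the abused parameter.

Added example; not code from the thread, from phpBB, or from the rewrite rule it links.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption for the demo: the substring a UA-based rewrite rule would deny.
BLOCKED_UA_SUBSTRINGS = ("libwww-perl",)

# Assumption: words to highlight only ever need letters, digits, space, '_' and '-'.
HIGHLIGHT_OK = re.compile(r"^[A-Za-z0-9 _-]*$")


def block_by_ua(user_agent: str) -> bool:
    """True if a User-Agent blocklist (the mod_rewrite approach) would deny the request."""
    ua = user_agent.lower()
    return any(bad in ua for bad in BLOCKED_UA_SUBSTRINGS)


def check_highlight(url: str) -> bool:
    """True if the request targets viewtopic.php with a suspicious highlight value.

    parse_qs percent-decodes once. A '%' that survives that decode means the value
    was encoded twice, which is how a payload slips past a decode-then-filter
    sequence; anything outside the plain-word character set is flagged as well.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("viewtopic.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("highlight", [])
    return any("%" in v or not HIGHLIGHT_OK.match(v) for v in values)


# Constructed sample traffic (user_agent, url); the third entry is the same
# suspicious request as the second but with a spoofed browser User-Agent.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("Mozilla/5.0 (X11; Linux i686) Firefox/1.0",
     "/phpBB2/viewtopic.php?t=42&highlight=kernel+panic"),
    ("libwww-perl/5.79",
     "/phpBB2/viewtopic.php?t=42&highlight=%2527PLACEHOLDER"),
    ("Mozilla/5.0 (X11; Linux i686) Firefox/1.0",
     "/phpBB2/viewtopic.php?t=42&highlight=%2527PLACEHOLDER"),
    ("libwww-perl/5.79",
     "/phpBB2/index.php"),
]


def evaluate(requests: List[Tuple[str, str]]) -> List[Tuple[bool, bool]]:
    """For each (user_agent, url) return (denied_by_ua_rule, flagged_by_highlight_check)."""
    return [(block_by_ua(ua), check_highlight(url)) for ua, url in requests]


if __name__ == "__main__":
    for (ua, url), (by_ua, by_param) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        ua_col = "deny " if by_ua else "allow"
        param_col = "flag " if by_param else "pass "
        print(f"UA-rule={ua_col} param-check={param_col} {ua[:18]:<18} {url}")
```

The third sample is the point of the post: once the worm (or a copycat) sends a browser User-Agent, the rewrite rule lets the request straight through while the parameter check still flags it. The fourth sample shows the other cost of a UA blocklist, which is that it also denies unrelated scripted clients. Neither check replaces upgrading to 2.0.11 or later.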
 
Old 03-19-2005, 07:06 AM   #9
vharishankar
Senior Member
 
Registered: Dec 2003
Posts: 3,142
Blog Entries: 4

Rep: Reputation: 121
I would like anybody reading this topic to know that the latest version of phpBB is now 2.0.13.

A potentially serious issue was found in phpBB 2.0.11, which was fixed by 2.0.12 and then immediately by 2.0.13, which fixed a couple of minor issues.

For more information: www.phpbb.com
 
  

