Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
A number of Linux websites running PHP have been defaced in the last 24 hours. ISC is reporting a worm dubbed "Santy.A" is in the wild that exploits the "highlight" vulnerability in phpBB versions 2.0.10 and earlier. Sites exploited by this worm have reported all writable .htm, .shtml, .asp, and .php pages are overwritten with:
This site is defaced!!!
This site is defaced!!!
NeverEverNoSanity WebWorm generation N
(where N is some integer)
All users of vulnerable phpBB versions are advised to upgrade to version 2.0.11. See the following advisories for more info:
UPDATE: There is indeed a phpBB worm in the wild. It appears to harvest a list of potentially vulnerable sites using a Google search for vulnerable phpBB versions.
SANS ISC has made Snort sigs available and provided an updated analysis of the worm's infection routines.
Thanks to mikedeatworld for posting what was likely one of the very initial infections yesterday.
Since the vulnerability isn't in any particular operating system, but rather in the phpBB application, it looks like it would infect any UNIX or UNIX-like operating system (Linux/BSD) that is running a version of phpBB earlier than 2.0.11. The system would also need Perl installed for it to be able to infect other hosts. I doubt whether an OS is open or closed-source matters; I think they were just referring to the phpBB software as being "open-source" in the article.
In related news, there is an Anti-Santy worm (aka Net-Worm.Perl.Asan.a) in the wild which reportedly fixes the "Highlight" vulnerability that Santy used for infection. The Anti-Santy worm also apparently defaces web pages with the following text:
"viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
Several Santy variants have also been detected along with reports of worms exploiting actual PHP vulnerabilities (not the phpBB highlight bug). Those utilizing any form of PHP or phpBB are strongly urged to upgrade to current versions.
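As an added example (not code from the thread), a small Python script a site admin could run against a web root to find pages overwritten with the Santy text quoted above (recording the generation number N) or with the Anti-Santy notice; the sample files it creates are constructed for the demo.

```python
import os
import re
import tempfile

# Markers reported in this thread: Santy.A overwrites writable pages with a
# block containing this line (N = worm generation); Anti-Santy leaves its own notice.
SANTY_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")
ANTI_SANTY_RE = re.compile(r"secured by Anti-Santy-Worm")
# Extensions the thread lists as overwritten (plus .html for completeness).
WEB_EXTS = (".htm", ".html", ".shtml", ".asp", ".php")


def classify(text):
    """Return ('santy', generation), ('anti-santy', 0) or None for a page body."""
    m = SANTY_RE.search(text)
    if m:
        return ("santy", int(m.group(1)))
    if ANTI_SANTY_RE.search(text):
        return ("anti-santy", 0)
    return None


def scan_webroot(root):
    """Walk root and return a sorted list of (relative path, kind, generation) hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTS):
                continue  # worm only touched web page extensions
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if verdict:
                hits.append((os.path.relpath(path, root), verdict[0], verdict[1]))
    return sorted(hits)


def demo():
    """Constructed web root: one Santy page, one Anti-Santy page, one clean page, one non-web file."""
    root = tempfile.mkdtemp(prefix="santy-demo-")
    os.makedirs(os.path.join(root, "forum"))
    samples = {
        "index.php": "This site is defaced!!!\nThis site is defaced!!!\nNeverEverNoSanity WebWorm generation 7\n",
        "forum/viewtopic.php": "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11.",
        "about.htm": "<html><body>Hello</body></html>",
        "notes.txt": "NeverEverNoSanity WebWorm generation 3",  # ignored: not a web extension
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, kind, gen in demo():
        print(f"{kind:10s} gen={gen:<3d} {rel}")
```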
You can apply a patch that fixes the vulnerabilities, but you'd still need to apply the patch, recompile and reinstall. So unless you've got some custom mods, you may just want to install the new version. If you do decide to patch, there are some brief instructions here: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636
Note that it would be trivial to change Santy's User-Agent, which would get around the rewrite rule, so that shouldn't be used as a substitute for patching.
I would like anybody reading this topic to know that the latest version of phpBB is now 2.0.13.
A potentially serious issue was found in phpBB 2.0.11, which was fixed by 2.0.12 and then immediately by 2.0.13, which fixed a couple of minor issues.