A number of Linux websites running PHP have been defaced in the last 24 hours. ISC is reporting a worm dubbed "Santy.A" is in the wild that exploits the "highlight" vulnerability in phpBB versions 2.0.10 and earlier. Sites exploited by this worm have reported all write-able .htm,shtml,.asp, and .php pages are overwritten with:

This site is defaced!!!
This site is defaced!!!
NeverEverNoSanity WebWorm generation N

(where N is some integer)

All users of vulnerable phpBB versions are advised to upgrade to version 2.0.11. See the following advisories for more info:

http://isc.sans.org/diary.php
http://www.securityfocus.com/archive...8/2004-12-24/0
http://www.viruslist.com/en/viruses/...?virusid=68388
http://www.f-secure.com/v-descs/santy_a.shtml
http://secunia.com/advisories/13239/

UPDATE: There is indeed a phpBB worm in the wild. It appears to harvest a list of potentially vulnerable sites using a google search for vulnerable phpBB versions.

SANS ISC has made snort sigs available and provided an update analysis of the worms infection routines.

Thanks to mikedeatworld for posting what was likely one of the very initial infections yesterday.

I just saw something about it and was curious if it just affects open-source or not, how accurate is this news ?

http://www.pcworld.com/news/article/0,aid,119024,00.asp

Since the vulnerability isn't in any particular operating system, but rather in the phpBB application, it looks like it would infect any UNIX or UNIX-like operating system (linux/BSD) that is running a version of phpBB earlier than 2.0.11. The system would also need perl installed for it to be able to infect other hosts. I doubt whether an OS is open or closed-source matters, I think they were just refering to the phpBB software as being "open-source" in the article.

In related news, there is an Anti-Santy worm (aka Net-Worm.Perl.Asan.a) in the wild which reportedly fixes the "Highlight" vulnerability that Santy used for infection. The Anti-Santy worm also apparently defaces web pages with the follwing text:

"viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."

Several Santy variants have also been detected along with reports of worms exploiting actual PHP vulnerabilities (not the phpBB highlight bug). Those utilizing any form of PHP or phpBB are strongly urged to upgrade to current versions.

Google version(santy.a) has been blocked by google. However ther are variants in Yahoo and MSN.

IS there any security fix for phpbb2.0.10(i mean some sort of scripts or something ),because i want to avoid upgradation .

You can apply a patch that fixes the vulnerabilities, but you'd still need to appy the patch, recompile and reinstall. So unless you've got some custom mods, you may just want to install the new version. If you do decide to patch, there are some brief instructions here:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636

You can also use mod_rewrite to block Santy requests, like this:
http://ravenphpscripts.com/postt4113.html

Note that it would be trivial to change the Santy's User Agent that would get around the rewrite rule, so that shouldn't be used as a substitute for patching.

I would like to mention to anybody reading this topic to know that the latest version is now 2.0.13 of phpBB.

A potentially serious issue was found in phpBB 2.0.11 which has been fixed by 2.0.12 and then immediately by 2.0.13 which fixed a couple of minor issues.

For more information: www.phpbb.com