Forums: Perl.santy / Santy / Net-worm.perl.santy.a - Forums

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Perl.santy / Santy / Net-worm.perl.santy.a phpBB Exploiting Worm

#1 User is offline   myth 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 21 December 2004 - 04:02 PM

http://www.k-otik.co...nityworm.pl.php <- Worm

Quote

A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.
http://news.zdnet.co...22-5499725.html

Quote

When Perl.Santy is executed it does the following:

  1. Searches for "viewtopic.php" using the Google search to generate a list of possible infection targets.

  2. Attempts to exploit the PHPBB Remote URLDecode Input Validation Vulnerability (BID 11672) to obtain access to the remote web server.

  3. If successful, it copies itself as the file m1h020f.

  4. Overwrites files with the following extensions:
          * .asp
          * .htm
          * .jsp
          * .php
          * .phtm
          * .shtm

            with the following text:

            This site is defaced!!!
            NeverEverNoSanity WebWorm generation X

            Note: X is a variable number which increments with each infection


Santy uses the phpBB Remote URLDecode Input Validation Exploit which hits phpBB 2.0.10...

About the exploit:
http://www.securityfocus.com/bid/11672
0

#2 User is offline   myth 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 21 December 2004 - 04:23 PM

I know most people already have this, and most of this information. But i like everything to be a one space.

r57phpbb2010.pl www.xxx.com /phpBB/ 239819 "ls -la"

but its that exploit.

Thus, the exploit was discovered 12th November 2004, then on the 21st December 2004, the worm or in a sence, the MAJOR autoh4x0r, was released. Took 39 days until it was public enough to be a threat

Quote

http://beta.search.m...verEverNoSanity


"1-10 of 37,111 containing "This site is defaced!!!" NeverEverNoSanity"

http://www.google.co...url%3Aviewtopic

"Results 1 - 10 of about 1,130,000 for inurl:phpbb inurl:viewtopic"

0

#3 User is offline   Digital_Spirit 

  • Master Sergeant
  • Icon
  • Group: Specialist
  • Posts: 424
  • Joined: 18-March 04

Posted 21 December 2004 - 07:32 PM

It is a rare opportunity in which you can see the actual statistics of an exploit first hand.
This also shows how powerful as well as useful Google really is.
http://securitybrigade.com
0

#4 User is offline   Spookie 

  • Staff Sergeant
  • Icon
  • Group: Specialist
  • Posts: 293
  • Joined: 21-December 03

Posted 22 December 2004 - 05:44 AM

Quote

Summary

Santy is a worm was found at December 21st, 2004. It uses a vulnerability in popular phpBB discussion forum software to spread and it uses Google search engine to find vulnerable servers. It does not infect end user computers.

Google has started filtering requests made by the worm at December 22nd, 2004, in order to stop the worm.

Detailed Description

The worm is written in Perl scripting language. When executed, the worm uses the Google search engine to look for hosts that have phpBB software in use. It does this by searching URLs that contain string "viewtopic.php". In order to get different results with different searches, the worm uses a random string in the search as well.

After the search has been performed, the worm parses the resulting page and attempts to exploit a vulnerability in phpBB software. This vulnerability, known as Highlight Vulnerability, can be used to execute arbitary code on the server running vulnerable version of phpBB. Further information about the vulnarbility is available from phpBB web site at:

http://www.phpbb.com...ic.php?t=240513

If the worm is able to exploit the vulnerablity, it will attempt to transfer itself to the victim host in 20-byte chunks. If any of the chunks is lost during the transfer, it will cause the worm to get corrupted, which can render the worm disfunctional on the victim.

The worm is written to a file "m1ho2of" on the victim. After the transfer is complete, the worm will use the exploit once again to execute the code using the system default Perl interpreter.

Santy contains also a generation counter that is increased every time the worm is executed, i.e. once per infected host. If the number of generations is higher than three (3), it will execute its payload. The payload attempts to replace all files with the following extensions ".htm", ".php", ".asp", ".shtm", ".jsp" and ".phtm". The result is the these files are replaced with a HTML page that contains the following text:

This site is defaced!!!
NeverEverNoSanity WebWorm generation X

...where X keeps growing from one infection to another.


F-Secure (Santy Worm)

Quote

This case is now over. The Santy worm is not spreading any more, thanks to Google.

Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.

This is from an email we got from the Google Security Team:

  While a seven hour response for something like this is not outrageous,
  we think we can and should do better. We will be reviewing our
  procedures to improve our response time in the future to similar problems.

Google has also started showing the defaced websites in it's index. MSN Search already had them visible over 12 hours ago, so apparently the indexing process takes longer at Google.

Like we reported earlier, MSN Search reports huge numbers of websites to be affected. However, if you keep viewing the search index pages, you get different results. MSN Search reports 29,000 hits, but runs out of the hits already on search index page 15 - with 153 actual hits shown. Google finds 202 defaced sites right now. It's hard to estimate how many actual sites got hit.


F-Secure Weblog
Beauty is only a light switch away
0

#5 User is offline   hevnsnt 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 60
  • Joined: 01-November 04

Posted 22 December 2004 - 02:15 PM

FYI -- Google is taking measures to stop the propegation of this worm

By now most of you have probably seen the reports on the santy.a worm that used a vulnerability in PHP (or PHPBB, some argument there).
This was a particularly destructive worm to those sites that were affected.
----------------->

Quote

This particular worm made use of Google search to identify potential targets.  The number of queries generated by this worm was small enough to be down in the noise relative to the normal activity.  We were finally notified early Tuesday and by late afternoon we had begun blocking the worm's search queries.  The worm should have started dying off almost immediately.

Stephen
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Name Removed  -  Information Security Officer  -  Removed@google.com
  Google, Inc.  1600 Amphitheatre Parkway, Mountain View, CA 94043
  Phone: +1.650.XXX.XXXX  Fax: +1.650.XXX.XXXX

  The church is near, but the road is icy.
  The bar is far away, but I will walk carefully.  -- Russian Proverb


-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+

0
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

  • Share



Our Sponsors:


SwiftLayer Affiliate Web Hosting