Net Worm Uses Google to Spread
troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, using Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' -- part of the defacement text that the Santy worm uses to replace files on infected Web sites -- returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
Someone figure out a way to blame this on Microsoft!
I saw this yesterday on a.... uhh... "anatomic reference" site:
This site is defaced!!! NeverEverNoSanity WebWorm generation 10.
I tried to find some kind of reference and Googled for it, but I got no results.
Still nothing on it, wonder how long it'll be before it shows up?
MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.
There is nothing wrong with Google, only with people who have not patched their PHP bulletin boards.
I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."
You can't handle the truth.
Google must have turned this off. It's returning 0 hits now.
When you get to hell -- tell 'em Itchy sent ya!
It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!
--
http://www.aikiweb.com - AikiWeb Aikido Information
it can always use Google Suggest to find victims. :)
Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
When it infects sites running SlashCode, it pretends to be a legitimate post (so it can get the defacement tag "NeverEverNoSanity" on the front page), then monitors for posting, and tries to get first post, too.
Google API's can be used for good or evil.
Looks like it's actually a php problem, not a phpBB problem--or did I read it wrong?
From phpBB.com
Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.
It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file. We therefore recommend the following:
1) If you maintain your own server be sure to upgrade to the newest available release of PHP (both versions 4 and 5). Be aware that at this time phpBB 2.0.x has problems functioning under PHP5 without modification.
2) If you pay for hosting ensure your hosting provider has upgraded their installation of PHP (again remember that phpBB 2.0.x and other scripts will not function under PHP5 without modification).
Please do not submit this PHP issue to our security tracker, it is beyond our control. Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally please examine any "hacking" issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions.
"He hated Mexicans, and he was half Mexican. AND he hated irony!"
First of all, the exploit is in PHP (see here), not phpBB, the worm just happens to attack phpBB. I just think that should be cleared up before people start spreading FUD about how phpBB is insecure.
Secondly, this issue has been patched for a month now (see this announcement) and the phpBB group has reminded users several times to upgrade.
This worm hit my site (http://www.koolplace.com) yesterday. It replaced all of the .htm, .html, and .php files with a message that the site had been defaced. Thankfully we were able to restore most of the site from backups.
This worm is unbelievably evil.
What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extensions and overwrite them with the 264 byte file that simply states "Web site defaced".
I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.
I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 done now.
If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.
-BB
The ISC posted a couple of snort sigs and other details.
---- join dshield.org Distributed Intrusion Detec
phpBB just happens to be written in a way that the PHP bug can be exploited.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
RTFP dumbass
http://chat.ravenlive.com
As I posted above, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your SQL password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10
I had forgotten the MSN beta search engine, so I just googled it...
There is another kind of evil which we must fear most, and that is the indifference of good men. -- Boondock Saints
So I get my present, in the mail, a little early.
A new HDTV card...
I go to download the linux only drivers and...
NeverEverNoSanity!!!
Argh! &$@*#! Humbug.
Ad under the article says :
Own a website ? Google.
Why not Website pwn3d ? Google.
Ho Ho Ho, remember kids, Santy Worm knows if you've been bad or good...
This is the main issue with hard disks as backup. They don't provide security against this kind of attack, as they are just as vulnerable as any other disk attached to the system.
A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...
To Terminate, or not to Terminate, that's the question - SCSIROB
indeed it has.
My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
The reason is simple. Microsoft, being the Good Guys, stopped responding to that query to stop the spread of the worm. The worm was dependent on Google to return vulnerable servers via a search query. So Google has temporarily stopped responding to that search. MSN wasn't targeted by the worm because real hackers all know Google is the best :-). However, in this case would MSN have reacted as fast as Google did? Should the coder have picked MSN to get a longer lasting worm?
I looked at a defaced page and there were two things I noticed. The first was that the worm does not seem to create a robots.txt file to hide defaced pages from search engines. Second, the majority of the text is contained in an ADDRESS, HTML tag. It is a valid tag, but does anyone actually use it? I have not seen it before as far as I can recall.
It was just a couple days ago.
Is the flaw one of these?
Does anybody know what distributions are affected by this vulnerability?
The last PHP update (which is where the vulnerability lies) for Debian Woody is from July 20th.
The Moo went "Cow!"
Search for 'NeverEverNoSanity' on Lycos and you get a JScript error:
/common/static/error.inc, line 49
Microsoft JScript runtime error '800a1391'
'cTabTypeMulti' is undefined
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what your login pages look like, for instance.
.htaccess, proper chmod/chown... these are the things that can prevent a new bug from being a really bad new bug.
If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt,
Cleaning the net one sed at a time! s/sex/sermons/; s/hot/holy/; s/goats/thebible/; www.holysermonswiththebible.com
Mountain View...I think we have a problem....
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.
:)
This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).
So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.
I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple
It fixes many exploit paths, and fixes handling of the $PHP_SELF variable. $PHP_SELF is potentially vulnerable to cross site scripting on versions 4.3.9 and earlier. This is part of the problem, as I understand it, with some phpBB exploits.
You are also good to go if you get 5.0.3, or so I have heard.
New worm, Santy.A, using Google to spread
He sees you when you're posting, he knows when you write spam, he hates it when you flame users, so be good for goodness' sake!
You can't talk about Wikipedia's flaws on Wikipedia
This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.
Here's the first line from the logfile:
If you decode the ascii characters, you get:
I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.
--falz
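The post above describes the payload as a string of chr() calls smuggled in through the URL and then decoded into a script on the server. The following is an added example, not the poster's code and not the worm's: a small log scanner that pulls the request out of an access-log line, undoes double URL-encoding, flags suspicious substrings, and collapses any chr(N) chain into the text it hides. The two log lines are constructed; the parameter name, IPs and the payload (which decodes to a harmless marker) are assumptions, not the worm's actual request.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (the original post does not reproduce
# its logfile). The first carries a hypothetical chr()-obfuscated payload in a
# double-URL-encoded query parameter; it decodes to a harmless marker string.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2004:10:00:01 +0000] "GET /viewtopic.php?t=1'
    '&highlight=%2527.chr(101).chr(99).chr(104).chr(111).chr(32).chr(104).chr(105).%2527'
    ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Dec/2004:10:00:02 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 8192',
]

CHR_CALL = re.compile(r'chr\((\d{1,3})\)')
REQUEST = re.compile(r'"(?:GET|POST) (\S+)')
# Substrings a request to a bulletin board has no business containing.
INDICATORS = ('chr(', 'system(', 'passthru(', 'exec(', 'wget ', 'perl ', 'curl ')


def decode_chr_sequence(text):
    """Collapse every chr(N) in text, in order, into the characters it names."""
    return ''.join(chr(int(n)) for n in CHR_CALL.findall(text) if int(n) < 256)


def analyze_request(line):
    """Return None for an innocuous line; otherwise the decoded URL, the
    indicators that matched, and the text hidden in any chr() chain."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = unquote(unquote(m.group(1)))      # undo double encoding
    decoded = decode_chr_sequence(url)
    haystack = (url + ' ' + decoded).lower()  # check the decoded text as well
    hits = [ind for ind in INDICATORS if ind in haystack]
    if not hits:
        return None
    return {'url': url, 'indicators': hits, 'decoded': decoded}


def scan_log(lines):
    """Run analyze_request over an iterable of log lines, keeping the findings."""
    return [r for r in (analyze_request(line) for line in lines) if r]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding['indicators'], repr(finding['decoded']))
```

Decoding the chr() chain is what turns an opaque alert into something an analyst can read; in practice the decoded text is where the fetch-and-run instructions show up, so the indicator check is run over it too.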
"Once Santa infects a Web site, he searches Google for other sites running phpBB and then attempts to infect those sites as well."
It seems one of the webcomics I read, UnderPower, got affected as well... It also happens to be linked here on Slashdot...
Black background, red lettering:
This site is defaced!!!
NeverEverNoSanity WebWorm generation 14.
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
MSN's first page estimates are always grossly inflated. Try this link instead:
http://beta.search.msn.com/results.aspx?q=Never
Note that the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.
from msn.com
They must have blocked the searches for those terms or something because Google finds nothing, however, the much more up to date MSN beta finds.
The Search Query on MSN Beta
41-50 of 37,519 containing "WebWorm generation" (0.12 seconds)
All I can say is HOLY CRAP that hit a lot of sites.
infected site: www.videocardforum.com thread/thread/5938375e8bba10d2/b041af862423c586?q=neverevernosanity&_done=%2Fgroups%3Fq%3Dneverevernosanity%26hl%3Den%26btnG%3DGoogle+Search%26&_doneTitle=Back+to+Search&&d#b041af862423c586
exploit code: http://groups-beta.google.com/group/n3td3v/browse
How stupid are you that you allow all of your html and PHP files to be writable by your web server process?
My god man, have you never heard of security?
The only thing a web server needs write access to is a temp partition (yes *partition*, not folder) and logfiles.
I had to explain this to a colleague earlier in layman's terms, so I'm repeating it here:
For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.
This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the speed in which the exploit was released, it could be that the worm developer had the engine ready and was simply looking for a PHP exploit to come out for a function that was used with a widely available web application package. They hit jackpot with phpBB and PHP together.
The developer didn't think to add a random element to its Google searches, or to use different search engines. In fact, it almost looks like this was simply a trial run for a future worm that will be much more complex and may possibly span a multitude of web applications.
A concept was written up earlier this year here:
http://www.imperva.com/application_defense_center/white_papers/application_worms.html?show=appworm
It now appears that niddhog (the concept worm) has been made evident. Fortunately, it did not include such things as Code Red and Nimda did with using IE exploits to infect the clients that would view these websites.
It is a bleak future with the idea of Web Application Worms coupled with IE exploits. Not only do you have the method and distribution combined, but such a thing would be highly anonymous for the malware author and could spread to the highest point of infection in a matter of hours as IE users visited their favorite community websites running exploitable forum software.
I know that worms are ridiculous and all, but at least this thing won't be hammering millions of unaffected IP addresses and I don't have to see this crap hitting my snort/log files!
How's that sh*t for efficiency?
while true ; do echo this is my sig; done
Hey, how could this worm do so much damage if in a sane system it only gets run with the permissions of apache daemon?
Is Google filtering out results for this search, or is it simply that both Microsoft's search services update their indexes much faster than Google does?
Weird.
They do NOT have any mailing lists for people to subscribe to, so that they can be informed when a new version of phpBB2 has been released.
Every thread on the subject, that I found on their site, had been locked. It appears that the moderators do not like their users complaining about a lack of a security announcement mailing list.
Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.
Unfortunately not everyone does this. My work was hit this morning with gen 17 (at least we had oodles of backups and no data was lost, just unavailable for an hour, but at 4:30 am it's hard enough). The problem was that many of the sites need to be able to be written to by the apache daemon: image uploading, etc etc. Hopefully our development staff take my warning and fix this before round 2. Not bloody likely. I'm still waiting for requests from 6 months ago... ah well.
Actually this is an advertisement for MSN beta.. It's their way of telling how they do a better job at indexing than google!
The worm didn't touch a single file not owned by user 'www' - just the few thousand files that were.
Dewey, what part of this looks like authorities should be involved?
Actually, proper backups are a restorable copy in a location that minimizes chance of loss. They don't need to be a cold copy.
Our backups rsync and offload to an offsite server with RAID'ed drives. Yes, that server could theoretically be hosed at the same time the master goes down in flames but the chances of that are low. In fact, not much greater than if you have a tape, etc. If somebody hacks the backup server, well they could have wiped the tape too.
The main advantage of tapes, etc are staggered backups, but then you run into the issues with tapes media not being rotated properly, or unknowingly succumbing to "rot."
I think by far the criterion that the backup be within a reasonable distance *away* from the original is the most important...
Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
Download link
No kidding, when I need to install garbage like phpBB, I make sure all the files and directories are owned by root, and not writable by apache, and I use PHP's open_basedir restriction to keep PHP from writing anywhere, and I set a mod_rewrite rule to redirect all hits containing 'system', 'wget', 'perl', 'curl', 'rm', etc., to an alert script that logs the request. Now I added 'chr' to that list.
And I consider this "light" security!
Google will now take over the duties of deciding what search terms are good and what searches are ungood.
Now please resume your scheduled tasks.
The worm is related to an issue in phpBB 2.0.10 as per the parent, nothing to do with any PHP issues.
I do wish mods would be careful when modding posts that they obviously know nothing about as 'informative' - to be 'informative' you have to give correct information, not just information that looks technical enough to be correct.
.. and I'm the guy who pulls the servers when they send outbound attacks (NOC). We've seen the direct result of this worm, or the script being used to exploit phpBB, because the number of attacks we've had has gone up exponentially. Afterwards, when they're investigated, we always find this script to be the culprit.
Sadly, our customers never update their forums regardless, the servers get put back online, and the same thing happens again.
Pagewidener (seems accidental, FWIW), maybe? I'm using 7.6P4c, so I simply set it to "Fit to width" (AKA Medium Screen Rendering), and it's perfectly readable.
heh
McAfee is still using version 4.3.10 on their boards
I wonder how long it will take someone to get them too.
it would be ironic if a security company like them got hacked with something this easy
Yes the exploit exists, poor coding.
Using urldecode() to parse variables and urls or should I say decode is poor design, thus poor coding. Lumping all PHP code into one bin, is just knee jerk.
I was hit with the security exploit when the vulnerability was first announced in mid November (the Hilight bug at least). Since then I've upgraded PHP and phpBB on all my hosted sites (it ended up being resold sites that got me), and done some other things regarding file rights and access.
The main thing though that I've done that I hope to help me stay a little in front of these types of exploits is implement mod_security and add some rules which block the more 'common' exploits and sql injections.
Does this seem like a reasonable thing to keep doing? I hate to prohibit hosted sites from having any prebuilt scripts like phpbb or phpdig or anything else, but I don't want to be a big target for exploits either.
Is mod_security the 'easy' answer?
--onyx--
Searching for "neverevernosanity webworm generation X" on MSN Beta Search yields the following number of results for each value of X:
Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.
Interestingly, these numbers add to 124k, much more than the reported 39k number of pages reported by merely searching for "NeverEverNoSanity". This would imply that many of the defaced pages contain messages for different generations. Weird.
It would be interesting if the defaced pages included the URL of the parent, the one that the worm used to infect the server from which it infected the current one.
Very interesting, but I'm curious if there has been word yet on whether the worm is digitally signed?
Frankly I'm surprised it took this long. Here is an article I wrote about web application worms that was published 2 years ago. http://www.cgisecurity.com/articles/worms.shtml
Oh no! They got tmbw.net! No one messes with They Might Be Giants and gets away with it. No one.
What if the entire Universe were a chrooted environment with everything symlinked from the host?
If I remember correctly every page on a phpBB site contains this phrase. I would guess that these numbers are grossly inflated.
-Mike
My site got attacked by this worm. But the thing is, the site was running MediaWiki, had no phpBB forums on it at all!
And the sister site, which is running a 2 yr old version of the phpBB forums, wasn't attacked at all!
Now, that's just to show that its not always phpBB at fault!
It doesn't matter what os or application software you use...
:-)
Available patch + admin who doesn't patch = compromised system
I'm glad my group runs IIS6!!! We haven't had to apply any security updates to IIS6 because there are none
glimy. google search on "is art beneficial" is now the top 1 reason not to use i'm feeling lucky button:
is not a good idea.
Hasn't this been known in security circles for decades? (I first read this in Out of the Inner Circle).
If you broadcast who you are, what you're running, and especially the version (and patch-level) you're running, you are actively saying, "Hello, you can use exploits X, Y, and Z to p0wn me!!"
Or do you really think that there are 30,000 pages MSN can find that Google can't?
ICDSOFT the hosting company doesn't give a crap, read below:

A: Dec 22 00:50 Support 28: Hello, We already dealt with this worm - the outbreak was yesterday and urgent actions were taken, to patch the faulty phpBB boards, to stop the worm attacks against the servers. The worm exploits a bug in a phpBB forum. Once it finds such a vulnerable version of this forum, it will inject a malicious script which will search for world-writable files on the server and replace them with the "Defaced" message. It will also search on Google for other exploitable phpBB forums and try to infect them too. The overwritten files were all with 666 or 777 permissions (world-writable) and thus were overwritten. Note that this is not our fault. You need not use 777 or 666 permissions on our server anymore. We have started using suEXEC on the server, which greatly improves the security and stability. This environment also executes scripts with the user credentials, instead of the Apache ones, so your scripts can access all your files and folders. We can restore your site from our backups, dated 10 and 17 Dec. Please advise which backup we shall use. Best Regards, Support

A: Dec 22 00:58 Support 28: Hello, The reason is not with the PHP, rather it is with a security flaw in the phpBB forums. We have patched all the customers' phpBB forums, which is indeed not our duty, but we did it to stop the attacks against our servers. Leaving a world-writable file on your account is really against any security standards and anyone on the server could overwrite it any moment; one does not need a worm to do that. You cannot blame us for holes in your site's security that you left. Your understanding on the issue will be appreciated. We can restore your site from our backups, dated 10 and 17 Dec. Please advise which backup we shall use. Best Regards, Support
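Several posts in this thread (the one insisting the web server should only be able to write to a temp partition and its logs, the one noting the worm only touched files owned by user 'www', the one that locks phpBB files down as root-owned and non-writable by apache, and the hosting reply above about 666/777 permissions) make the same point: the worm ran as the web server and could only overwrite what that account could write. The following is an added example, not code from any poster, the phpBB project or the hosting company: an audit script that walks a document root and reports every directory the web server account could write into (enough to replace any file beneath it) and every content file with one of the extensions the thread says the worm targets that the account could overwrite in place. The demo builds a constructed docroot in a temporary directory and checks it against a hypothetical web uid/gid; the 'www-data' default in resolve_web_user is an assumption, not something the thread states.

```python
import os
import pwd
import stat
import tempfile

# Extensions the worm is reported in this thread to overwrite.
TARGET_EXTS = ('.php', '.html', '.htm', '.shtml', '.asp')


def resolve_web_user(name='www-data'):
    """Look up the web server account. 'www-data' is an assumption (Debian's
    default); pass 'apache', 'www' or 'nobody' as appropriate for the host."""
    entry = pwd.getpwnam(name)
    return entry.pw_uid, entry.pw_gid


def writable_by(path, uid, gid):
    """True if a process running as uid/gid could write path directly:
    world-writable, or owner/group-writable where the owner/group matches."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # the link target is judged on its own when walked
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return False


def audit_docroot(root, uid, gid, exts=TARGET_EXTS):
    """Return sorted [(relative_path, kind)]: 'dir' for directories the web
    server could write into, 'file' for content files it could overwrite."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if writable_by(dirpath, uid, gid):
            findings.append((os.path.relpath(dirpath, root), 'dir'))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(exts) and writable_by(full, uid, gid):
                findings.append((os.path.relpath(full, root), 'file'))
    return sorted(findings)


def demo():
    """Build a constructed docroot in a temp dir (one 644 page, one 666 page,
    a 666 non-content file, a 777 uploads directory) and audit it against a
    hypothetical web uid/gid that does not match the current user."""
    root = tempfile.mkdtemp(prefix='docroot-')
    os.makedirs(os.path.join(root, 'uploads'))
    for name, mode in (('index.php', 0o644), ('defaceme.php', 0o666), ('notes.txt', 0o666)):
        path = os.path.join(root, name)
        with open(path, 'w') as fh:
            fh.write('<?php // constructed sample\n')
        os.chmod(path, mode)
    os.chmod(os.path.join(root, 'uploads'), 0o777)
    web_uid, web_gid = os.getuid() + 1, os.getgid() + 1   # hypothetical account
    return audit_docroot(root, web_uid, web_gid)


if __name__ == '__main__':
    for path, kind in demo():
        print(f'{kind:4} writable by web server: {path}')
```

Run it as `audit_docroot('/var/www/site', *resolve_web_user('apache'))` on a real host; a writable directory is reported even when every file in it is read-only, because the worm (or anyone running as the web account) can still unlink and recreate files there, which is why upload directories deserve their own partition or a separate account.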
Preferably in another building
In another city.
Inside a locked box, in a safe, in a bunker, which is inside another, bigger bunker, deep inside my secret volcano lair guarded by sharks with frickin' laser beams on their heads.
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
Is there any way we can turn this into a I told you Perl was better than PHP debate :-D
Well, google hasn't indexed my tiny site at all this month. It normally only indexes me about once a month.. whereas Microsoft's MSNBot and Inktomi Slurp hit me daily.
Heck, now that I'm looking at my logs I'd bet that MSNBot is accounting for about half my bandwidth this month.. hmm..
http://www.hackgeneral.net/phpbb_exploit.php
When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.
Pete Carr Owner Chatmag.com
Mad Penguin was one of the sites nailed by it. They use phpBB for their forums. Sad state of affairs. They were down for a while, but were one of the first to announce the phpBB2 exploit and fix it. This kinda thing is totally uncalled for....
If the robot is a worm, neither robots.txt nor the ROBOTS NOARCHIVE, NOINDEX, and NOFOLLOW header META tags are going to protect you.
Great for keeping your on-line resume out of the commonly used legitimate indexes. Wise in terms of reducing visibility. Statistically speaking, might give you a little more breathing room.
But no protection, of course.
(Every day, I check my logs to see if Microsoft's engine obeys those directives. So far, it does, about seven times a week, too.)
There are other, less publicized exploits going around. I got hit by one that sent out thousands of phish spams before I discovered what was going on and stopped it.
Someone used this exploit on Dec. 14th to upload:
4553-invader.c
cron
infect
sendslak8.
sxp
He filled my /tmp with dummy files killing all my freespace
I found some sploit binaries in /tmp, so if my kernel hadn't been patched, I probably would've been rooted.
BTW, does anyone know of some pitfalls of mounting /tmp with noexec?
http://shit.slashdot.org/article.pl?sid=04/12/21/2135235
So, exploiting a vulnerability in phpBB on a "secure" Linux box combined with a vulnerability in a rather unsecure IE could combine to give us a worm and a trojan (or other virus)? Scary stuff...
This sig donated to Pater. Long live
Google is now squashing requests generated by the worm.
Google is turning the requests into vegetables?
The term is Quash, people...
This vulnerability has been known since November, and a fix was available 6 days ago.. Do any Debian users know why there has not been a security advisory from Debian for this problem?
i got informed of this as a 0-day and it was called Sanity.A due to the message at the bottom.. when did it begin to get called Santy.A?
Do a w3c validator check on any of the infected pages, it's not valid! Hackers fail at web standards.
For those who're interested in the source code of this Sanity.A worm: click.
Google for: "Powered by phpBB 2.0.1...10" Finds all the sites that still haven't updated to phpBB 2.0.11
Who cares about updating phpBB? Just uninstall perl!
Who needs it anyway? Why aren't we blaming perl for this?
After all, the exploit only works with perl installed, so logically it must be perl's fault!
Following up some of the links, I came across this post (scroll to the 7th post on that page, by 'madadmin'.)
The administrator of that forum is claiming that, based on their server logs, they have reason to believe that the person responsible for the attacks may be the same person who's recently posted a message to comp.lang.php that's titled 'eScrew OWNS YO!!!'. (See the posting for more details.)
From further posts, it looks as if the association has been made by looking at where the worms are converging. Can anyone who's currently dealing with this elaborate?
...cringing at the fact that his "backup" was on the same machine? And it was writable by apache?
It's been known about and fixed since sometime in November - part of the howdark exploit I think.
:(
As has been mentioned before though, you'd have to *go to* phpBB to know that - it would be nice if they have a mailing list
Playaholics: Free online flash games: Driving Mad
Suttree, a weblog about casual games development
wouldn't it be more fun is google returned 127.0.0.1 as possible victim?
Privacy is terrorism.
wish mods will stay away from issues they know nothing about
> Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
Is anybody actually shocked by this? I thought "wait, Google can simply filter that out" before reading the "update" part. A potential problem arises when a "worm" requires Google to filter out legitimate queries - it will become a form of censorship in the name of being a do-gooder. And you know how that ends up (if you've been involved in the fight against SPAM, for example).
Must-not-watch TV!
I've had plenty of fun doing searches for 'wf_ftp.log', I just never got around to automating an exploit for it. :-)
I've been running a wiki on MediaWiki (the engine driving Wikipedia) for a couple of months now, and it appears to affect that as well.
You can see it getting affected here:
http://www.chelsea2005.com/wiki2
Can't really understand if this is a fault of MediaWiki or the version of PHP that my hosts are running?
sjokki explains that the bug is related to using the "e" eval modifier of preg_replace.
This is a phpBB bug.
I'm still trying to figure out what people mean by 'social skills' here.