Slashdot Mirror

← Back to Stories (view on slashdot.org)

Net Worm Uses Google to Spread

Posted by michael on from the web-service-takes-on-new-meaning dept.

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

16 of 309 comments (clear)

  1. Head line is way to misleading by mkop · · Score: 5, Informative

    There is nothing wrong with google. only with people who have not pathced the php buletin boards

    1. Re:Head line is way to misleading by taylortbb · · Score: 5, Informative

      Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

      phpBB has an explanation of what the problem is, it can be found at:
      http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046

      OTHER FORUMS ARE VULNERABLE

      (and no, I am not a phpBB zealot, I am pointing out a misconception)

    2. Re:Head line is way to misleading by sr180 · · Score: 3, Informative
      A board I assist to admin was done and it Runs Invision Power Board on PHP. The worm kept knocking it over, originally it started as version 1.2 but eventually changed to version 1.3.

      That indicates to me that someone may have been doing some active development on it...

      --
      In Soviet Russia the insensitive clod is YOU!
  2. Latest Version of phpBB Unaffected by akiy · · Score: 5, Informative

    It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

    --

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:Latest Version of phpBB Unaffected by Cutriss · · Score: 5, Informative

      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

      --
      "Mod, mod, mod...and another troll bites the dust."
  3. snort signatures by UnderAttack · · Score: 3, Informative

    The ISC posted a couple of snort sigs and other details.

    --
    ---- join dshield.org Distributed Intrusion Detec
  4. Re:Hmmmm by Sikmaz · · Score: 3, Informative

    Different Exploit, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

  5. Re:NeverEverNoSanity by Loether · · Score: 3, Informative
    The virus is searching google for sites not yet infected. Googling for "Powered by phpBB" does return results. Some of which are now defaced.

    If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is becuase googlebot is extreamly slow to index new content on most sites.

    --
    TODO create witty sig.
  6. For all of you saying it's a PHP exploit by VeneficusAcerbus · · Score: 5, Informative
    From ISC:
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.
  7. Not PHP Bugs - phpBB exploit is used by a16 · · Score: 5, Informative

    As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

    This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

    So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

    I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

  8. Re:Ehhh.. Tape drive perhaps?? by Zen+Punk · · Score: 4, Informative

    Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

    --
    Sleep is futile.
  9. Re:Under the Google radar by orangesquid · · Score: 5, Informative

    You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
    0, 1, 2, 3 - no hits
    4 - 2335 hits
    5 - 9297 hits
    6 - 7218 hits
    7 - 7288 hits
    8 - 10746 hits
    9 - 12009 hits
    10 - 11752 hits
    11 - 14866 hits
    12 - 13267 hits
    13 - 8393 hits
    14 - 13317 hits
    15 - 3840 hits
    16 - 5004 hits
    17 - 1950 hits
    18 - 3344 hits
    19 - 6 hits
    20 - 1 hit
    21 - 3 hits
    22 - 1 hit
    23 - 1 hit
    24 - 1 hit
    25, 26, 27, 28, 29, 30 - no hits

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  10. MSN actually returns 207 results by bharatman · · Score: 3, Informative


    MSN's first page estimates are always grossly inflated. Try this link instead:

    http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

    Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.

  11. Re:This one's fun to debug - perl via url by Anonymous Coward · · Score: 3, Informative

    Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

    You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

    if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
    $h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
    $HTTP_GET_VARS['highlight']);
    $h = preg_replace('/%2e/i', '', $h);
    $h = preg_replace('/%27/', "'", $h);
    error_log("viewtopic hack attempt: $h", 0);
    }

    Then it will show you the hack attempts in the error log.

    Be sure to upgrade your PHP and phpBB FIRST! ;-)

  12. Download the full source code by EqualSlash · · Score: 3, Informative


    Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
    Download link

  13. Re:Clarification by ScottMacVicar · · Score: 5, Informative

    I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

    The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

    The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

    So this worm only affects phpBB 2.0.10 and below.