Slashdot Mirror

← Back to Stories (view on slashdot.org)

Net Worm Uses Google to Spread

Posted by michael on from the web-service-takes-on-new-meaning dept.

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

8 of 309 comments (clear)

  1. Head line is way to misleading by mkop · · Score: 5, Informative

    There is nothing wrong with google. only with people who have not pathced the php buletin boards

    1. Re:Head line is way to misleading by taylortbb · · Score: 5, Informative

      Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

      phpBB has an explanation of what the problem is, it can be found at:
      http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046

      OTHER FORUMS ARE VULNERABLE

      (and no, I am not a phpBB zealot, I am pointing out a misconception)

  2. Latest Version of phpBB Unaffected by akiy · · Score: 5, Informative

    It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

    --

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:Latest Version of phpBB Unaffected by Cutriss · · Score: 5, Informative

      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

      --
      "Mod, mod, mod...and another troll bites the dust."
  3. For all of you saying it's a PHP exploit by VeneficusAcerbus · · Score: 5, Informative
    From ISC:
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.
  4. Not PHP Bugs - phpBB exploit is used by a16 · · Score: 5, Informative

    As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

    This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

    So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

    I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

  5. Re:Under the Google radar by orangesquid · · Score: 5, Informative

    You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
    0, 1, 2, 3 - no hits
    4 - 2335 hits
    5 - 9297 hits
    6 - 7218 hits
    7 - 7288 hits
    8 - 10746 hits
    9 - 12009 hits
    10 - 11752 hits
    11 - 14866 hits
    12 - 13267 hits
    13 - 8393 hits
    14 - 13317 hits
    15 - 3840 hits
    16 - 5004 hits
    17 - 1950 hits
    18 - 3344 hits
    19 - 6 hits
    20 - 1 hit
    21 - 3 hits
    22 - 1 hit
    23 - 1 hit
    24 - 1 hit
    25, 26, 27, 28, 29, 30 - no hits

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  6. Re:Clarification by ScottMacVicar · · Score: 5, Informative

    I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

    The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

    The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

    So this worm only affects phpBB 2.0.10 and below.