Net Worm Uses Google to Spread

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

Quick!

Someone figure out a way to blame this on Microsoft!

Re:Quick!

[ptr2004]

In other news. A tele-marketer used a telephone directory to make calls

Re:Quick!

[ackthpt]

Someone figure out a way to blame this on Microsoft!

Yeah, right. Just get out your old Fido Board.

Re:Quick!

[geekopus]

It might be quite the opposite:

When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable
of finding .html files to deface, and then going to google and finding
more instances of phpbb to infect.

This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most windows boxes will be immune to this particular instance of this worm (by not having Perl installed).

That's not to say that it can't be modified to carry a more portable payload. Thank god the payload wasn't itself written in PHP.

Re:Quick!

[jfengel]

Thing is, the phone companies charge you for an unlisted number. So if you have a phone, you are in that phone book getting phone spam unless you paid them not to.

Re:Quick!

[AmberBlackCat]

Someone figure out a way to blame this on Microsoft!

The PHP guys will probably blame it on Apache 2.

Re:Quick!

[adeydas]

and in other news using your email in unidentified sites may bring you spam...

Re:Quick!

[martin-boundary]

Close, but no cigar.

In other news. A Microsoft tele-marketer used a telephone directory to make calls :-)

Under the Google radar

[Meostro]

I saw this yesterday on a.... uhh... "anatomic reference" site:
This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

I tried to find some kind of reference and Googled for it, but I got no results.

Still nothing on it, wonder how long it'll be before it shows up?

MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.

Re:Under the Google radar

[ad0gg]

Google takes a while to get information into the index usually a couple weeks(this doesn't apply to news sites or other sites google deems to be updated constantly), MSN beta search usually lags about a day after a crawl. I won't even talk about how slow yahoo is(After first crawl and index).

Re:Under the Google radar

[rednip]

even better, I did a search on the beta msn site for 'NeverEverNoSanity WebWorm generation', the best that I got as a search result was 20 (well the first couple of pages), but the site read 11 when I went to it, I suppose that the worm is writing over it's own defacement.

Re:Under the Google radar

umm.. that's just the eicar.com AV test file.. not really a virus - just a file that sets off your AV software so you know it's working. why is this informative?

Re:Under the Google radar

[grm_wnr]

No, you won't. Your virus scanner will ring the alarm, but that is a good thing, because it means that it works.

Read: http://www.eicar.org/anti_virus_test_file.htm

Re:Under the Google radar

[Gogo+Dodo]

"Infected" with nothing. That's the EICAR test virus to make sure your antivirus software is working properly.

Re:Under the Google radar

[Asgard]

eicar is a standard virus-detection test string. It isn't actually virus.

Re:Under the Google radar

[northcat]

OMG! How is parent funny?!? Is this some bizzare experiment by slashdot mods?

Re:Under the Google radar

[mavi_yelken]

I found generation 24, but when I clicked the link a normal site appeared. it seems that a quick fix does the trick.

Re:Under the Google radar

[orangesquid]

You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
0, 1, 2, 3 - no hits
4 - 2335 hits
5 - 9297 hits
6 - 7218 hits
7 - 7288 hits
8 - 10746 hits
9 - 12009 hits
10 - 11752 hits
11 - 14866 hits
12 - 13267 hits
13 - 8393 hits
14 - 13317 hits
15 - 3840 hits
16 - 5004 hits
17 - 1950 hits
18 - 3344 hits
19 - 6 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits

Re:Under the Google radar

[sl4shd0rk]

> Google takes a while to get information into the
> index usually a couple weeks

This is a much ballyhooed fallacy. Go search for todays date.

Re:Under the Google radar

[IdleTime]

I saw this yesterday on a.... uhh... "anatomic reference" site:

That's what you get for not knowing your ... umm.. anatomy!

Re:Under the Google radar

[JoeBuck]

I suspect that Google is blocking access to this search term as well as other that the worm uses, in an effort to stop the worm from spreading.

Re:Under the Google radar

[fuck+nwbvt]

Don't be a shitbag. Did it occur to you to finish reading that very sentence you quoted?

Re:Under the Google radar

[mindriot]

It also seems that, since the vulnerability is still there after defacement and the google index of course isn't yet updated, an already defaced site can be hit again. Searching on MSN for Generation 24 defacements brings up a site which, at the time of this writing, reads "Generation 14".

Thus, the generation distribution does not allow too much interpretation -- there might have been generation-28 sites, but if the list of vulnerable web sites is coming close enough to being saturated with exploits, the generation distribution should somewhat stabilize. Maybe that's something interesting to study in terms of distributed systems behavior, actually...

Re:Under the Google radar

[defrabelizer]

Google found it. At last, and quite a couple generations to: Gen : Hits 1 : 639 2 : 572 3 : 508 4 : 443 5 : 404 6 : 434 7 : 351 8 : 87 9 : 198 10 : 96 11 : 102 12 : 40 13 : 109 14 : 208 15 : 228 16 : 110 17 : 30 18 : 150 19 : 49 20 : 8 21 : 3 22 : 1 23 : 1 24 : 3 25 - 30: none Ok, well, google dint find as many See what happens when we let script kiddies learn perl

Re:Under the Google radar

[Keeper]

I took the liberty of re-running the queries (was curious to see how the numbers would change over time):

0, 1, 2, 3 - no hits
4 - 2274 hits
5 - 14506 hits
6 - 7923 hits
7 - 7288 hits
8 - 9777 hits
9 - 12377 hits
10 - 11752 hits
11 - 14395 hits
12 - 13642 hits
13 - 8393 hits
14 - 13728 hits
15 - 3840 hits
16 - 5490 hits
17 - 2032 hits
18 - 2622 hits
19 - 7 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits

Re:Under the Google radar

[hesiod]

> Group-think censorship is every bit as evil as any other kind.

Which is why it's so great that slashdot doesn't practice censorship, YOU FUCKING MORON.
There's plenty of shit to complain about in the world, but attaching a value number to a post is COMPLETELY DIFFERENT FROM CENSORSHIP. It's hard to resist the urge to start shouting endless profanities at you, because you have no idea what censorship means.

Here's a hint: censorship would be removing posts altogether. If you browse at -5, you will see everything. If you can see it, it wasn't fucking censored!

> When one person or one group can systematically supress the output of others they disagree with

Except for the editors*, THERE ISN'T ONE PERSON OR GROUP WHO SYSTEMATICALLY HAS MOD POINTS, so your argument is full of shit. Get a goddamned clue, luser.

* It's their site and can do whatever the hell they want, they don't have to answer to you. Don't like it? Get the fuck out. The Internet is NOT a democracy, it's anarchy (except when some Government-whored business loses a dollar over something and wants to send you to jail for it).

Re:Under the Google radar

[Neophytus]

31/12 figures. In case you wanted to compare them now.
1 - 144
2 - 0
3 - 0
4 - 9,278
5 - 21,245
6 - 13,242
7 - 18,959
8 - 25,944
9 - 43,642
10 - 47,297
11 - 81,428
12 - 86,204
13 - 60,537
14 - 77,033
15 - 44,940
16 - 56,574
17 - 92,026
18 - 51,385
19 - 32,246
20 - 30,353
21 - 48,999
22 - 18,534
23 - 13,152
24 - 8,405
25 - 8,657
26 - 4,645
27 - 4
28 - 8
29 - 4
30 - 4
31 - 1
32 - 3
33 - 0
34 - 1
35 to 40 - 0

Head line is way to misleading

[mkop]

There is nothing wrong with google. only with people who have not pathced the php buletin boards

Re:Head line is way to misleading

[taylortbb]

Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

phpBB has an explanation of what the problem is, it can be found at:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046

OTHER FORUMS ARE VULNERABLE

(and no, I am not a phpBB zealot, I am pointing out a misconception)

Re:Head line is way to misleading

[gotacap]

no, other boards are vunerable to OTHER cracks. This particular worm effects a vunerability in phpBB. If you upgrade your copy of php, but not phpBB you are still vunerable. If you use phpBB upgrade to 2.0.11, do it... do it now!

Re:Head line is way to misleading

[taylortbb]

Although the cracks may not use this exact exploit they all revolve around the same security failing in PHP.

Re:Head line is way to misleading

[a16]

No, what you are saying is false. The phpBB 2.0.10 security issue is not related in any way to the PHP exploits discovered recently. And this worm uses the 2.0.10 exploits, not PHP.

Re:Head line is way to misleading

[sr180]

A board I assist to admin was done and it Runs Invision Power Board on PHP. The worm kept knocking it over, originally it started as version 1.2 but eventually changed to version 1.3.

That indicates to me that someone may have been doing some active development on it...

Re:Head line is way to misleading

[Tony+Hoyle]

This tells you nothing - it's just a standard 'not our fault!' message.

Still trying to find out what the vulnerability actually is so I can test for it.

Re:Head line is way to misleading

[WoodstockJeff]

Actually, it doesn't have to do with unpatched phpBB installations.

It has everything to do with a design decision made by the authors of PHPBB, and copied by others... They trust cookie data. It just so happens that the unserialize() bug affects this, but there are other ways to exploit it.

The data they're storing in a user cookie should be kept on the server. The cookie should only contain a "key" to retrieve the data from the server's storage. If the users can't change the data directly, they can't exploit things like SQL injection, injection of unexpected variables, etc.

Re:Head line is way to misleading

[phyphor]

You say that "it doesn't have to do with unpatched phpBB installations." And you also provide a link to the phpBB forum to "prove" it.

You're still wrong, though.
There have been many problems found with old versions of PHP, but this is a specific problem with phpBB

Here's part of my proof:
http://www.phpbb.com/phpBB/viewtopic.php?t=240513

I'm not particularly pro- or anti-phpBB, I just like people to be informed of the facts.

Re:Head line is way to misleading

[mkop]

I meant that there was no problem with google.

Re:Head line is way to misleading

[DrSkwid]

They serialized stuff and trusted the user to send it back clean !

man those guys are nuts

Sadly quite typical of PHP projects. They give PHP a bad name. Hmm, Personal Home Page as already a bad name but what can you do?

Poor /.

[roman_mir]

I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

Latest Version of phpBB Unaffected

[akiy]

It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

Re:Latest Version of phpBB Unaffected

[MightyMartian]

> It looks like the latest phpBB version 2.0.11 or a simple patch will thwart
> the worm, though. Time to upgrade if you haven't yet!

That's alright. All the lazy admins will blame Google and everything will be okay!

This, I suspect, is going to be a new way of infecting web-based apps. Just do a search for the vulnerable software on Google, Yahoo or whatever, pop in, do your damage and be on your way.

Of course, it will get much worse if its some sort of E-commerce software or something like that and these worms happily start stealing credit card transactions.

Re:Latest Version of phpBB Unaffected

[Cutriss]

Yes and no.

It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

Re:Latest Version of phpBB Unaffected

[topynate]

Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

Re:Latest Version of phpBB Unaffected

[Martin+Blank]

Good job. You do know that by Slashdotting the phpBB.com server, you're preventing people from patching, right? :)

Re:Latest Version of phpBB Unaffected

[Tony+Hoyle]

phpBB is very hard to upgrade.

To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).

Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

Re:Latest Version of phpBB Unaffected

[gregmac]

a bit OT, but does anyone know of tools for admins of shared servers to scan for vulnerabilites in customer-installed web applications like these?

I just went through by hand, and 8 of 9 installed copies of phpBB on my server were vulnerable.

Re:Latest Version of phpBB Unaffected

[skinfitz]

If scripts replace kiddies, will we call them Kiddie Scripts?

What will we do when the scripts start generating mutated offspring?

Re:Latest Version of phpBB Unaffected

[MoCycleGeek]

phpBB is not at all hard to upgrade, I inherited a heavily modded phpBB site and have found that the patches supplied by the phpBB team to be easy to run and have yet (through 4+ upgrades) to break any of the mods or addons.

So, I guess it's just a matter of RTFM.

Re:Latest Version of phpBB Unaffected

[SoTuA]

Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

God forbid security get in the way of our pretty themes.

Re:Latest Version of phpBB Unaffected

[hesiod]

"id'iot"

If the virus goes senile...

[StevenHenderson]

it can always use Google Suggest to find victims. :)

And in a complete upset

[Marxist+Hacker+42]

Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!

Re:And in a complete upset

[Keeper]

If you actually type the text in quotes, you only get 1540 results. If you don't, you get about 420,000 unrelated pages...

Infect Slashdot

[somethinghollow]

When it infects sites running SlashCode, it pretends to be a legitament post (so it can get the defacement tag "NeverEverNoSanity" on the front page, then monitors for posting, and tries to get first post, too.

Re:Infect Slashdot

[sconeu]

How is that different from most non-virus posts?

I got hit HARD! :(

[Broadband]

This worm is unbelieveably evil.

What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extentions and overwrites them with the 264 byte file that simply states "Web site defaced"

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

I've been spening the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

-BB

Re:I got hit HARD! :(

[PitaBred]

Unlucky generation 13, eh? I heard it was worse than the others.
Yes, it was a lame joke. I couldn't think of anything better :(

Re:I got hit HARD! :(

[somethinghollow]

According to W3C, It's not even valid HTML 2.0. The least they could do is write valid code. Sheesh.

Re:I got hit HARD! :(

[KhaZ]

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

You kind of point out in that sentence along that your drive wasn't secure, now was it? :).

Best thing I can recommend, is use some sort of RCS, (http://www.perforce.com/ is great for up to two people, free!), and then make a checkpoint or a targz of it nightly.

Re:I got hit HARD! :(

That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.

Re:I got hit HARD! :(

[the_rev_matt]

If your backup was unshared and secure it wouldn't have been overwritten. Keeping a backup on the same machine is the same as not having a backup. I would argue that keeping a backup on the same subnet is the same as not having a backup.

Re:I got hit HARD! :(

[Broadband]

I'm well aware that it wasn't the best form of backup and the funny thing is I just reinstalled the machine and OS and the 2nd drive was an identical mirror. That was 7 days ago. I thought to myself. I'll back up to physical media this weekend. What's the chances I could lose that data in 7 days. I learned my lesson :P Forutnately i do have backups they just aren't as easy as a copy since their on varios medias. What a great Christmas Gift eh?

Re:I got hit HARD! :(

[sfjoe]

Preferably in another building

In another city.

Re:I got hit HARD! :(

[Tony+Hoyle]

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

Umm... why was your webserver writable? (If you'd had a secure webserver the virus would never have been able to install in the first place).

Why was your *backup* writable? (It was clearly *not* 'secure').

Re:I got hit HARD! :(

[alex_ware]

Yeah all the worm guy needed was a doctype html 4.01 trans http://validator.w3.org/check?uri=http%3A%2F%2Fwww .sherwoodoregon.com%2F&charset=%28detect+automatic ally%29&doctype=HTML+4.01+Transitional

Re:I got hit HARD! :(

[jrockway]

Umm, it's not valid HTML 2.0 because the "bgcolor" and "text" attributes didn't exist back then! It IS valid HTML 3.2 and HTML 4.01 Transitional, however.

Re:I got hit HARD! :(

[hawkbug]

Yeah, but get this - that would mean you're running Apache as root, or all your web files are owned by the Apache user or user group. This worm can only modify files owned by Apache, or atleast the user running apache. So, that would mean your backups were mounted or apache has the ability to mount the drive. Scary either way, and this might be a good time to check that sort of thing. I got hit by the stupid worm as well, but only my php files in one directory got borked because I had the files owned by apache.

Re:I got hit HARD! :(

[hesiod]

Something doesn't seem right with that thing. It throws up multiple errors for each line that references FRAMES. Unless frames are no longer part of any W3C HTML standard, the validator is broken.

Re:I got hit HARD! :(

[haplo21112]

Yep I got hammer too! My wife was ill so I was unable to monitor what was going on until it was too late...I did manage to catch the perl script that was doing the evil and kill it bu not before it was too late...infact I didn't even know what the script was till the next morning...

snort signatures

[UnderAttack]

The ISC posted a couple of snort sigs and other details.

Re:snort signatures

[jrockway]

What is the point of that. The snort logs will say that you were compromised. If you didn't already know that by looking at your homepage that says "This page was compromised" then you aren't much of a sysadmin :)

Snort, I think, is better for detecting attacks from malicious crackers than detecting a virus. You need information to get the perpetrators into jail in that case, but when a virus is infecting you you don't have much legal recourse.

Unless you propose that we make running insecure software a crime. Which is an idea I like.

(Not really... I hate laws. But you know what I mean.)

The bug is in PHP not phpBB

[Mustang+Matt]

phpBB just happens to be written in a way that the PHP bug can be exploited.

Re:NeverEverNoSanity

That is only part of it. All the sites in MSN search are IIS sites. IIS actually sends info to MSN search (Wehter you want it to or not). While IIS has a small % of the web, it is still some 20%.

Re:Hmmmm

[Sikmaz]

Different Exploit, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

Dshield disagrees

[JustinXB]

See here

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.

Who are you going to believe: Some news site or a security community?

Different Exploit

[Sikmaz]

As I posted above, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

Re:Different Exploit

[Sikmaz]

Err crap, I shouldn't have copied and pasted my post isn't entirely clear in this context ;) This worm exploits a problem in PHPBB 2.0.10 that is fixed in 2.0.11. The other issue is a PHP problem that can be solved via the work around I posted above or using PHP 4.3.10.

This is kind of sad...

[The+Hobo]

I had forgotten the MSN beta search engine, so I just googled it...

My Christmas gift! Noooooo!

[286]

So I get my present, in the mail, a little early.
A new HDTV card...
I go to download the linux only drivers and...

NeverEverNoSanity!!!

Argh! &$@*#! Humbug.

Re:My Christmas gift! Noooooo!

[picklepuss]

I just noticed that same thing... except I was thinking about ordering one.

Now I'm not sure I'm going to. People complaining because the drivers are out of date or don't work correctly, and I realize that they seldom check their own forums (user PCHDTVTech has just 2 posts ever)... an unpatched phpBB and they're just adding more straw to a broken camel

Re:My Christmas gift! Noooooo!

[mk500]

Don't give up on the pcHDTV folks just because they didn't do a very good job patching their web site. It's true, they don't post much. But the hardware is good, and other folks are very helpful on those boards, as well as the MythTV and KnoppMyth communities.

It was really cool of them to try to build a business around a HDTV card designed for Linux users, and it sure gives you a lot more flexibility than "Microsoft TV".

I have two of the pcHDTV 2000 cards and record a lot of TV each week in gorgeous HDTV quality on my KnoppMyth boxes. It's a geeky experience getting it all working, but well worth it.

Re:My Christmas gift! Noooooo!

[mk500]

If you have a dedicated box for your pcHDTV setup (recommended!), the best thing to get going quickly is to just download KnoppMyth from a mirror, their main site is http://mysettopbox.tv

It makes setting up a HDTV PVR using the pcHDTV card MUCH easier.

I spent a couple weeks at the pcHDTV site trying to get it working, and after many compiles I downloaded KnoppMyth. I was watching and recording an hour later.

Re:NeverEverNoSanity

[Loether]

The virus is searching google for sites not yet infected. Googling for "Powered by phpBB" does return results. Some of which are now defaced.

If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is becuase googlebot is extreamly slow to index new content on most sites.

Re:A few things..

[psyon1]

No, as someone else already responded to other posts, it is a phpBB problem. phpBB calls the urldecode() function on form variables, after PHP already does so. It allows ' to bypass the magic quotes that php so lovingly puts on all our form data. The latest bug reports were reported after the release of the exploit for phpBB 2.0.10 and earlier. IIRC the report said that some scripts MAY be vulnerable, but didnt state for certain. As far as I know, no one has yet to release an exploit for the bugs, its just a possibility.

Ehhh.. Tape drive perhaps??

[scsirob]

This is the main issue with harddisks as backup. They don't provide security against these kind of attacks as they are just as vulnerable as any other disk attached to the system.

A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...

Re:Ehhh.. Tape drive perhaps??

[pembo13]

What about an IDE HDD in a external drive case (USB)? That's what I use, but I don't have much to spend.

Re:Ehhh.. Tape drive perhaps??

[biz0r]

Forgive me if I am wrong (although pretty damn sure I am right)...but the primary difference between a tape drive and a hard drive is the method and times in which they are accessed. A hard drive (usually) is just a locally mounted file storage device which is accessed via a certain directory through the normal methods. A tape drive, has many options as to how it is used, but the primary reason it would be unaffected versus a hard drive, is that the tape drive is unmounted/disconnected from main/general access (atleast most of the time).

Solution? Unmount any backup drives when you are not doing any backups...I don't care that it's mounted in such a way that only root can access it, it's still dangerous (for backup purposes).

Re:Ehhh.. Tape drive perhaps??

[Zen+Punk]

Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

Re:Ehhh.. Tape drive perhaps??

[Just+Some+Guy]

No! It's still an attached harddrive and subject to being compromised by an attacker, unless you're planning to physically disconnect it after the backups are run.

Re:Ehhh.. Tape drive perhaps??

[Just+Some+Guy]

Solution? Unmount any backup drives when you are not doing any backups...I don't care that it's mounted in such a way that only root can access it, it's still dangerous (for backup purposes).

That's fine, IFF by "unmount" you mean "physically disconnect". Pretty much anything short of actual removal still leaves you vulnerable.

Re:Ehhh.. Tape drive perhaps??

[biz0r]

True, the only REALLY fail safe is to physically disconnect whatever you're using as a storage device, otherwise you can always infultrate the backups once you gain access to the server as a whole.

HOWEVER, in this example unmounting a/the drive would have saved the gp's backup data. So it's better than just leaving the drive mounted.

Re:Ehhh.. Tape drive perhaps??

[Just+Some+Guy]

This one time, yeah. Had the worm been a human attacker, though, he might've been curious about that "/dev/gvinum/hugefreakinraid /mnt/backup" entry in /etc/fstab.

Re:Ehhh.. Tape drive perhaps??

[Jeff+DeMaagd]

Hard drives aren't necessarily as reliable though for the cost of the drives, keeping two sets of backup drives might be better for some poeple.

With tape, you can put it into any compatible drive, or have multiple tapes. At any rate, both do have to be removed.

Re:Ehhh.. Tape drive perhaps??

[MetalSkin]

If your depending on just a copy then I can see how it would still infect, but if you compressed the files (which would be the norm I would have thought) then I doubt it would have caused you an issue.

This doesn't mean that hard disk backups are more dangerous, just that they are r/w and part of the file system (when not physicaly removed), unlike tapes.

Good backups are kept offsite anyway. Nothing like keeping your backup at the same location as your sever in case of a disaster, let alone within the same physical box as the server. Ahh disaster recovery, the rarely planned action.

Re:Ehhh.. Tape drive perhaps??

[tchuladdiass]

I'm pretty sure that was the purpose of having the hard drive attached via usb, otherwise the poster could have mounted the drive internally. Also, keep in mind that a backup via tape drive is also vulnerable if you leave the tape in the drive after the backup :-).

Re:Ehhh.. Tape drive perhaps??

[tchuladdiass]

A similar problem can arise if you are using a tape library to hold all your tapes -- an atacker on the system can still delete your data. The best solution would be to have a seperate secured server handling your backups, and that server can either have a tape library attached to it or a bunch of disk storage (tapes having the advantage of being easier to take offsite).

Re:Ehhh.. Tape drive perhaps??

[Woody77]

In order to have any kind of automated backup solution, a human attacker will be able to get to it.

I see a couple easy blocks to these, though:

1) write a shell script for mounting the backup drive, both onto the SCSI chain and into the filesystem, performing the backup, and then unmount it.

2) round-robin the drives on a regular basis, so an IT monkey can physically swap out sets when needed to provide off-site storage (basically use hot-swap bays like very large, fast tape jukeboxes).

3) encrypt the pertinent scripts, and use yet another script with a bening name to perform the decryption of the shell script, the chmod to executable of it, and then exec'ing it.

****

Yes, it's still hackable, but it ups the bar considerably, and if you're swaping the drives out nightly/weekly, you've got good backups that are offline, and not too old.

Re:Ehhh.. Tape drive perhaps??

[bluGill]

A tape cartrage is more portable, it holds more data in a given amount of space. Generally they are cheaper too, though due to scale this isn't so true anymore. Tapes often are of better quality, or should I say known quality. When they say use a tape 1000 times, you can be reasonably sure of 1000 uses, while who knows when that harddrive will break. When a tape breaks it is easier for a professional to repair if you need it. (generally tape failures do not involve heads scraping the media)

When you are talking terabytes of data, nothing beats tape. When you want a good way to backup files, tape is part of any good solution.

Re:Ehhh.. Tape drive perhaps??

[Pharmboy]

Um, I have raid 5 on my servers, but it has nothing to do with backup. raid 5 is NOT backing up, it is simply providing a layer of tolorance in case of hardware failure. If someone defaces your website, the fact that you have raid 5 only means that the new defaced data is striped over multiple drives for faster access and redundent failsafe. So yes, once your website is defaced, if a hard drive fails, you are protected, and your defaced website will still be visable.

Farming it to another hard drive or array is useless, since the virus looks for all *html pages. adding the code to have it use TAR would be trivial, so compressing your backups is no protection either. What you are stating is NOT backing up a system. Its a handy way to make copies in case you need to restore, but it is far from a backup solution, at least if you give a fuck about your data, like most SERVERS would.

Personally, I write my own scripts to backup offsite. And onsite. And on the same machine. All three. And I don't use phpBB, considering I have a few years experience with it and security has always been a problem with the program.

Re:Ehhh.. Tape drive perhaps??

[Nogami_Saeko]

How about just a DVD-R left in a burner with a cron script that just keeps adding sessions as it does backups during (whatever) timeframe?

Once it's burned, it's not going anywhere...

N.

Re:Ehhh.. Tape drive perhaps??

[StarHeart]

My solution is to use hdup with gpg encryption combined with additional measures. hdup does an incremental backup via itself+tar+gz+ssh+gpg. The server logs in to the backup server and dumps it's files in a home directory just for the server backing up. A cron job runs after the backup which runs chattr +i against all the files. Still not perfect, but I like it.

Re:Ehhh.. Tape drive perhaps??

[bogado]

That's exactly what I do, I have a ide USB converter that allows me to connect and disconnect ide/ATA hds to a usb (2.0) port. The bad thing is that my USB is 1.0 so it works rather slow on those.

Anyway I turn it on, backup, unmount and turn it off. pretty safe I guess. (if anyone can think of better way, I sure want to hear it, I'm awaye open to new way of being safe with my data)

Re:Ehhh.. Tape drive perhaps??

[mabinogi]

well, not exactly...

not unless a worm was smart enough to run tar on every tape drive - or to dd some random junk at every /dev/rmt? device....

a mounted tape is not the same as a mounted hard drive or floppy...

Re:Ehhh.. Tape drive perhaps??

[SoTuA]

Perhaps, but they're also slow and fail half the time anyway (in my experience). RAID 5 is the best backup solution IMHO!

Please explain how RAID5 will save you from anything but a hard drive malfunction.

Re:Ehhh.. Tape drive perhaps??

[Knetzar]

Exactly, WORM devices are the best back-up devices

Re:Ehhh.. Tape drive perhaps??

I guess you never had a hard drive stop working then. Lucky you. I've seen mechanical failures, electronic failures, interface failures, bent pins, people putting their fingers on sensitive electronic parts, static electricity zaping electronics, etc.

Yes tapes can break, otherwise I've not seen nearly the same sorts of problems as with hard drives.

Ok, not a tape lover then how about backup to cd-rw or DVD. But for goodness sake get the backup onto a medium that you take out of the computer and that you can put a copy offsite.

Re:Ehhh.. Tape drive perhaps??

[biz0r]

Who says there has to be an entry in /etc/fstab in order to mount it? But even still, yes, of course, as I said prior...NOTHING is foolproof except for physical disconnection from the system (and of course, any networks).

For all of you saying it's a PHP exploit

[VeneficusAcerbus]

From ISC:

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.

Re:For all of you saying it's a PHP exploit

[eadz]

The highlight bug was kind of a bug in php as well as phpBB. addslashes(urldecode($somevar)) allowed ' to get through due to the way php handles unicode.

I got hit

[Ghoser777]

My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.

Re:I got hit

[0racle]

you have to get rooted
Not if you know what your doing you don't. You should have kept up with your patches.

Re:I got hit

[tchuladdiass]

Not only keep up on patches, but also seperation of services. Your web server should run under a chrooted environment at minimum, as a non-privlidged user. Any files that doesn't need to be written to by the web applications (including html and cgi files) should be owned by a different user id (and not world-writable).

The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OS's running, each with only the bare minimum libraries that are needed to support each one's dedicated services (got one set up for bind, sendmail, apache). Each virtual OS session has multiple network interfaces (one is set up as an "internal" network only, another is set up to accept packets redirected from the outside vi iptables rules). Any config/data files that I need to update periodicaly (such as the html files for the web server process) live in a partition on the parent server, NFS exported read-only to the appropriate session's internal virtual ip address. Any files that they need to write to are symlinked to a locally-owned filesystem. Log files are set up append only (still working on this, I was thinking of using one of the user-space filesystems to impliment this feature, or checking if selinux can handle that).

Why MSN works and Google Doesn't

[infiniteedge]

The reason is simple. Microsoft, being the Good Guys, stopped responding to that query to stop the spread of the worm. The worm was dependent on Google to return vunerable servers via a search query. So Google has temporarily stopping responding to that search. MSN wasn't targeted by the worm because real hackers all know Google is the best :-). However, in this case would MSN have reacted as fast as Google did? Should the coder have picked MSN to get a longer lasting worm?

Re:Why MSN works and Google Doesn't

[w98]

> Should the coder have picked MSN to get a longer lasting worm?

Heh, bet they will next time...

Re:Why MSN works and Google Doesn't

[LinuxHam]

Should the coder have picked MSN to get a longer lasting worm?

Is that a firmer, longer lasting worm?

"Any worms lasting longer than four hours require immediate medical attention."

Re:Why MSN works and Google Doesn't

[jerw134]

You've got your facts completely wrong. The worm doesn't search for "NeverEverNoSanity" to try and find vulnerable hosts. Until it was released, no websites contained that term, so it would have been useless. The worm searched for "powered by phpBB", which indicates a site running phpBB that could be vulnerable. Google still returns results for that search, which shows that they are not doing anything to try and stop the worm.

But, as you said, the reason MSN works and Google doesn't is simple: MSN updates faster than Google does. Period.

Re:Why MSN works and Google Doesn't

[emseabrown]

msn, being pre 1.0, is out there actively crawling. they have a lot of serching to catch up on.

so, finding 39,000 recently hacked sites proves nothing other than msn's ability to spider sites with two lines of text accurtely.

bravo?

Re:Why MSN works and Google Doesn't

[Krehbiel]

Microsoft would have crowed happily about how MS' own server-side scripting language (ASP) wasn't vulnerable to the worm, and left it to propogate.

address tag and no robots

[99BottlesOfBeerInMyF]

I looked at a defaced page and there were two things I noticed. The first was that the worm does not seem to create a robots.txt file to hide defaced pages from search engines. Second, the majority of the text is contained in an ADDRESS, HTML tag. It is a valid tag, but does anyone actually use it? I have not seen it before as far as I can recall.

Re:address tag and no robots

[daten]

The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.

http://www.w3.org/TR/html401/struct/global.html#ed ef-ADDRESS

I've used it for years. By the way, how often do you review the html source of webpages you visit?

Re:address tag and no robots

[99BottlesOfBeerInMyF]

By the way, how often do you review the html source of webpages you visit?

Occasionally. I have also edited quite a few different ones for one reason or another. I was not meaning to imply that it was not valid. I was just wondering if it was obscure and unused, or just something I have not run across. It still seems an odd inclusion in a page created by a worm.

Relating to this, I wonder, is there any way to get google to search based upon html tags? For example, could I find all pages with address tags.

Re:address tag and no robots

[tiptone]

if you'll also notice (at least on Generation 13 that i saw) the Document Type Declaration at the top, it's declared as HTML 2.0. who's still coding for that?

Re:It works both ways.

[gl4ss]

googleapi is just a convinient helper in all this.

besides, i doubt it wouldn't use it.. as to use it you need to have a code and they could just turn that key off(and there's some 1000 limit on one key, or at least should have).

so.. what i'm saying is that you don't really need the googleapi for doing regular google searches you could do via http.......

Re:A few things..

[infiniteedge]

please mod down the parent, that is incorrect. the problem is NOT in PHP, it is in an old version of phpBB.

http://www.f-secure.com/v-descs/santy_a.shtml

Re:Distribution security updates to PHP?

[lightdarkness]

If I recall correctly, the bug that is being exploited is just phpBB specific, and not pertaining to PHP itself.

There have, in recent days, been exploits found in PHP that phpBB uses, but I don't believe those have been exploited on a mass scale.

Lycos generates an error

[John3]

Search for' NeverEverNoSanity' on Lycos and you get a JScript error:

Microsoft JScript runtime error '800a1391'
'cTabTypeMulti' is undefined /common/static/error.inc, line 49

The Robot Threat

[D_Lehman(at)ISPAN.or]

Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what your login pages look like, for instance.

If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt, .htaccess, proper chmod/chown... these are the things that can prevent a new bug from being a really bad new bug.

Re:The Robot Threat

[hunterx11]

Not nearly as interesting as what the government hides.

ouch, thats a nasty one!

[museumpeace]

google found nothing, MSN search found this

Results 1-3 of about 3 containing ""WebWorm Generation""






1. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 5.
www.videocardforum.com

2. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 8.
www.dslwebserver.com/main/sbs-zonealarm-configure. html
3. This site is defaced!!!
This site is defaced!!! NeverEverNoSanity WebWorm generation 11.
sprites.planet-megaman.com/credits.shtml

when asked to find "Webworm Generation". But why only 3 if thousands were reported in the art.? Maybe the sysadmins all cleaned things up in the last 1/2 hour?
Mountain View...I think we have a problem....

Re:ouch, thats a nasty one!

[daten]

Try reading this previous post: http://it.slashdot.org/comments.pl?sid=133543&cid= 11153153

You need to use the beta MSN search

Not PHP Bugs - phpBB exploit is used

[a16]

As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

Re:Not PHP Bugs - phpBB exploit is used

[sadcox]

Thanks for the correction and correct info. I'd mod my own parent down were it possible.

I'll now begin a self-imposed two week /. suspension.

Re:Not PHP Bugs - phpBB exploit is used

[Sikmaz]

No worries, we'll just blame the Slashdot editors ;)

Re:Not PHP Bugs - phpBB exploit is used

[Tony+Hoyle]

If only phpBB had a proper plugin/theme mechanism that could survive the upgrade.... :(

I'm still on 2.0.4. I just mentioned pulling down her sites to attempt an upgrade (I reckon 2 days because the themes she uses are *very* customised) the look I got basically said that if I tried that I'd be sleeping alone for the next week.

Re:Not PHP Bugs - phpBB exploit is used

[psoTFX]

You don't have to upgrade ... though frankly it's very wise too, many other bugs and several exploits have been fixed post 2.0.4. Style related changes are minimal though I do agree various Mods will need to be taken account of (though it's highly likely some of those may need updating due to their own bugs/exploits).

If you cannot upgrade then as per my announcement ( http://www.phpbb.com/phpBB/viewtopic.php?t=240513 ) a month or so ago ... you should alter your viewtopic appropriately.

Re:Not PHP Bugs - phpBB exploit is used

[jericho4.0]

You do web administration in exchange for sex!?

Re:Not PHP Bugs - phpBB exploit is used

[hesiod]

Tell her "sure, as long as you realize I won't help you a bit when the whole thing disappears because you didn't want to be inconvenienced with security."

Then delete it.

Re:Not PHP Bugs - phpBB exploit is used

[SenshiNeko]

If this is a phpBB exploit, how did my site get hit when I am not using it? (The only PHP software I have within my webspace is Coppermine Photo Gallery.) Either the exploit is able to attack through (similar) PHP as well or it's squirming its way through all the sites on a shared (hosting) server? :/

Get 4.3.10+

[D_Lehman(at)ISPAN.or]

It fixes many exploit paths, and fixes handling of the $PHP_SELF variable. $PHP_SELF is potentially vulnerable to cross site scripting on versions 4.3.9 and earlier. This is part of the problem, as I understand it, with some phpBB exploits.

You are also good to go if you get 5.0.3, or so I have heard.

Re:A few things..

[Flaming_cows]

Odd, that's not what topics on phpBB.com say, but I guess you may be right. Regardless, the issue was patched a month ago and people have been reminded to upgrade many times.

Re:It works both ways.

[Tarcastil]

Hey, just like the patent system we all know and love :)

Santy.A Claus is Coming!

[Stanistani]

Headline from Computerworld:

New worm, Santy.A, using Google to spread

He sees you when you're posting, he knows when you write spam, he hates it when you flame users, so be good for goodness' sake!

This one's fun to debug - perl via url

[falzbro]

I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

Here's the first line from the logfile:

[20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca 3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)% 252echr(101)%252echr(114)%252echr(108)%252echr(32) %252echr(45)%252echr(101)%252echr(32)%252echr(34)% 252echr(111)%252echr(112)%252echr(101)%252echr(110 )%252echr(32)%252echr(79)%252echr(85)%252echr(84)% 252echr(44)%252echr(113)%252echr(40)%252echr(62)%2 52echr(109)%252echr(49)%252echr(104)%252echr(111)% 252echr(50)%252echr(111)%252echr(102)%252echr(41)% 252echr(32)%252echr(97)%252echr(110)%252echr(100)% 252echr(32)%252echr(112)%252echr(114)%252echr(105) %252echr(110)%252echr(116)%252echr(32)%252echr(113 )%252echr(40)%252echr(72)%252echr(89)%252echr(118) %252echr(57)%252echr(112)%252echr(111)%252echr(52) %252echr(122)%252echr(51)%252echr(106)%252echr(106 )%252echr(72)%252echr(87)%252echr(97)%252echr(110) %252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid= 2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%2 52Esystem(chr(112)%252echr(101)%252echr(114)%252ec hr(108)%252echr(32)%252echr(45)%252echr(101)%252ec hr(32)%252echr(34)%252echr(111)%252echr(112)%252ec hr(101)%252echr(110)%252echr(32)%252echr(79)%252ec hr(85)%252echr(84)%252echr(44)%252echr(113)%252ech r(40)%252echr(62)%252echr(109)%252echr(49)%252echr (104)%252echr(111)%252echr(50)%252echr(111)%252ech r(102)%252echr(41)%252echr(32)%252echr(97)%252echr (110)%252echr(100)%252echr(32)%252echr(112)%252ech r(114)%252echr(105)%252echr(110)%252echr(116)%252e chr(32)%252echr(113)%252echr(40)%252echr(72)%252ec hr(89)%252echr(118)%252echr(57)%252echr(112)%252ec hr(111)%252echr(52)%252echr(122)%252echr(51)%252ec hr(106)%252echr(106)%252echr(72)%252echr(87)%252ec hr(97)%252echr(110)%252echr(78)%252echr(41)%252ech r(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

If you decode the ascii characters, you get:

perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.

--falz

Re:This one's fun to debug - perl via url

Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
$h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
$HTTP_GET_VARS['highlight']);
$h = preg_replace('/%2e/i', '', $h);
$h = preg_replace('/%27/', "'", $h);
error_log("viewtopic hack attempt: $h", 0);
}

Then it will show you the hack attempts in the error log.

Be sure to upgrade your PHP and phpBB FIRST! ;-)

Re:This one's fun to debug - perl via url

[kmb]

It's easier to find a CLI interpreter for perl (/usr/bin/perl) than for php, even if php is installed for the web server.

Re:This one's fun to debug - perl via url

[bhtooefr]

ARGH! Your comment is working as a pagewidener in Opera 7.6P4!

FWIW, I tested with IE (the only other browser on this computer), and it's fine...

Re:This one's fun to debug - perl via url

[spydir31]

it does, but you can use Opera's new Fit to width feature to bypass this (View->Fit to width), as I am doing

Re:This one's fun to debug - perl via url

[bhtooefr]

Same here. I forgot to say that I was using that ;-)

Can't wait for 7.60 Final!

NeverEverNoSanta

"Once Santa infects a Web site, he searches Google for other sites running phpBB and then attempts to infect those sites as well."

And so it comes full circle...

[MoeMoe]

It seems one of the webcomics I read, UnderPower, got affected as well... It also happens to be linked here on Slashdot...

Black background, red lettering:

This site is defaced!!!
NeverEverNoSanity WebWorm generation 14.

MSN actually returns 207 results

[bharatman]

MSN's first page estimates are always grossly inflated. Try this link instead:

http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.

Re:A few things..

[Just+Some+Guy]

First of all, the exploit is in PHP (see here), not phpBB, the worm just happens to attack phpBB. I just think that should be cleared up before people start spreading FUD about how phpBB is insecure.

Considering that PHP is doing its best to surpass Sendmail in the "pwn my server!" category, I'd say that any application written in PHP should be considered suspect.

This is different from C, where bad programmers can use perfectly reasonable functions in an unsafe way (excluding gets(); that's just an abomination). In PHP, you can use the built-in functions in a completely "safe" way and still get rooted because the functions themselves are problematic.

They've done good things such as finally disabling register_globals - I'll certainly give them credit for that - but it always seems like it's something new to contend with. I've spent the last few hours moving all the PHP sites on my FreeBSD server into their own new little jail so that if they get compromised, at least the rest of my system is reasonably safe.

So, I'd have to disagree with your statement that phpBB isn't insecure. I haven't read its source, but even if it's bugfree, its underlying platform needs to be taken out and shot.

Here's to hoping that PHP5 is a little less of a security nightmare for server admins.

Clarification

[Sheepdot]

I had to explain this to a colleague earlier in layman's terms, so I'm repeating it here:

For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.

This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the speed in which the exploit was released, it could be that the worm developer had the engine ready and was simply looking for a PHP exploit to come out for a function that was used with a widely available web application package. They hit jackpot with phpBB and PHP together.

The developer didn't thinking to make it so that it added a random element to it's Google searches or didn't use different search engines. In fact, it almost looks like this was simply a trial run for a future worm that will be much more complex and may possibly span a multitude of web applications.

A concept was written up earlier this year here:
http://www.imperva.com/application_defense_ center/ white_papers/application_worms.html?show=appworm

It now appears that niddhog (the concept worm) has been made evident. Fortunately, it did not include such things as Code Red and Nimda did with using IE exploits to infect the clients that would view these websites.

It is a bleak future with the idea of Web Application Worms coupled with IE exploits. Not only do you have the method and distribution combined, but such a thing would be highly anonymous for the malware author and could spread to the highest point of infection in a matter of hours as IE users visited their favorite community websites running exploitable forum software.

Re:Clarification

[ScottMacVicar]

I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

So this worm only affects phpBB 2.0.10 and below.

Efficiency

[consolidatedbord]

I know that worms are ridiculous and all, but at least this thing won't be hammering millions of unaffected ip adresses and I don't have to see this crap hitting my snort/log files!

How's that sh*t for efficiency?

Everyone sets 'chmod 666' on their files nowadays?

[Bobas]

Hey, how could this worm do so much damage if in a sane system it only gets run with the permissions of apache daemon?

No results in Google? 39.000 and 3 in MS services?

[Azul]

Interestingly, Microsoft's Beta Search does indeed index nearly 39.000 results for the NeverEverNoSanity search. Google shows none (though it does show an advertisement). Microsoft's regular search shows three results.

Is Google filtering out results for this search, or is it simply that both Microsoft's search services update their indexes much faster than Google does?

Weird.

phpBB2 need a security mailing list

[HappyCamp]

One problem with http://www.phpbb.com/ is that they expect all the users of their software to come to their website on a regular basis and check for security updates.

They do NOT have any mailing lists for people to subscribe to, so that they can be informed when a new version of phpBB2 has been released.

Every thread on the subject, that I found on their site, had been locked. It appears that the moderators do not like their users complaining about a lack of a security announcement mailing list.

Re:phpBB2 need a security mailing list

[lightdarkness]

There is indeed a way to get updates. On source forge, you can subscribe to get updates when new packages are released.

Re:phpBB2 need a security mailing list

[a16]

Don't spread FUD.
Sourceforge offers release trackers which the phpBB team openly point people to if they want mail updates:
http://sourceforge.net/project/filemodule_monitor. php?filemodule_id=28882
Or of course, there is the RSS feed :
http://www.phpbb.com/rss.php
And, after 'popular demand' they are currently working on a special security mailing list that people can subscribe to.

Re:phpBB2 need a security mailing list

[HappyCamp]

There is indeed a way to get updates. On source forge, you can subscribe to get updates when new packages are released.

True. But that is NOT the same thing as having a security mailing list. Plus it is not something that you can find mentioned prominently on their site. You have to search through the forums to find mention of it.

A less than optimal solution to me. Let's be honest, how hard is it to setup a copy of Mailman and create a mailing list? Not very hard.

I admire the phpBB2 software but to me this is a failing of their project. And the way they lock all the threads about it on their forums does not make me think highly of them.

Re:phpBB2 need a security mailing list

[HappyCamp]

Don't spread FUD.

Not FUD in my mind :)

Sourceforge offers release trackers which the phpBB team openly point people to if they want mail updates: http://sourceforge.net/project/filemodule_monitor. php?filemodule_id=28882

Show me where this is mentioned at: http://www.phpbb.com/support/ It requires people to get an account with SourceForge. Not necessarily a terrible thing but what is the problem with creating a real security mailing list.

Plus it is not something that you can find mentioned prominently on their site. You have to search through the forums to find mention of it.

Or of course, there is the RSS feed : http://www.phpbb.com/rss.php

This is pull. Best method is a push method for getting information out to people.

And, after 'popular demand' they are currently working on a special security mailing list that people can subscribe to.

I am very glad to hear that! If this happens I think it will be a very good step.

It is hard to tell from the forums that they were going to do this since they have closed all the threads related to a mailing list. They did not say that they were creating one from my reading of the threads. But I could have missed it somewhere :)

Re:phpBB2 need a security mailing list

[psoTFX]

You most certainly missed it ;) I stated it myself and we're in the process of doing it. I've also stated in an update to my "Critical Update" announcement for 2.0.11 that I'm rethinking the potential for inclusion of update info within the ACP (which I've long steered away from for what I believe are good reasons). Equally each and every time someone raises the "why don't you have a mailing list?" (which incidently I've wanted for a long time but that's another issue) one of support team, moderators or indeed myself typically say "You can monitor our packages through Sourceforge". Indeed I believe I say this in one or more announcements. We can do better here, and we will.

My webserver just got hit by this

[AC-x]

Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.

Re:My webserver just got hit by this

[mabu]

Any decent administrator should have things set up like that. And running PHP in safe mode with the switches to limit php's ability to write to files would also catch this problem.

This is a good example of how important security planning can be. A cautious administrator who set up Apache and PHP properly would probably not be affected by this bug in any substantive way.

Re:Everyone sets 'chmod 666' on their files nowada

[mwhahaha]

Unfortunately not everyone does this. My work was hit this morning with gen 17 (at least we had oodles of backups and no data was lost, just unavailable for an hour, but at 4:30 am it's hard enough). The problem was that many of the sites need to be able to be written to by the apache daemon. image uploading, etc etc. Hopefully our development staff take my warning and fix this before round 2. Not bloodly likely. I'm still waiting for requests from 6 months ago...ah well.

Re:Everyone sets 'chmod 666' on their files nowada

[Just+Some+Guy]

The worm didn't touch a single file not owned by user 'www' - just the few thousand files that were.

Cold hardware?

[phorm]

Actually, proper backups are a restorable copy in a location that minimizes chance of loss. They don't need to be a cold copy.

Our backups rsync and offload to an offsite server with RAID'ed drives. Yes, that server could theoretically be hosed at the same time the master goes down in flames but the chances of that are low. In fact, not much greater than if you have a tape, etc. If somebody hacks the backup server, well they could have wiped the tape too.

The main advantage of tapes, etc are staggered backups, but then you run into the issues with tapes media not being rotated properly, or unknowingly succumbing to "rot."

I think by far the criterium that the backup be within a reasonable distance *away* from the original is the most important...

Re:Cold hardware?

[llefler]

In regards to your web site, why don't you just put it in a CVS? Messages might be lost (in my experience, with most phpBBs that's not a big loss), but to restore the board you'd just fetch the latest good version. Having multiple versions would help with viruses that wait to destroy. This particular attack would take a couple minutes to repair, and a few more to patch.

Of course you still need to do your backup of the CVS.

Download the full source code

[EqualSlash]

Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
Download link

Re:Hmmmm

[j.someone]

Here are details on the actual problem with a fix.

MOD PARENT UP

[a16]

The worm is related to an issue in phpBB 2.0.10 as per the parent, nothing to do with any PHP issues.

I do wish mods would be careful when modding posts that they obviously no nothing about as 'informative' - to be 'informative' you have to give correct information, not just information that looks technical enough to be correct.

Re:this is not happening...

[bhtooefr]

Pagewidener (seems accidental, FWIW), maybe? I'm using 7.6P4c, so I simply set it to "Fit to width" (AKA Medium Screen Rendering), and it's perfectly readable.

Re:v10

[dingfelder]

heh

McAfee is still using version 4.3.10 on their boards

I wonder how long it will take someone to get them too.

it would be ironic if a security company like them got hacked with something this easy

Poor coding is no excuse...

[oz_canetoad]

Yes the exploit exists, poor coding.

Using urldecode() to parse variables and urls or should I say decode is poor design, thus poor coding. Lumping all PHP code into one bin, is just knee jerk.

mod_security to the rescue?

[OnyxRaven]

I was hit with the security exploit when the vulnerability was first announced in mid November (The Hilight bug at least). Since then I've upgraded php and phpbb on all my hosted sites (it ended up being resold sites that got me), and done some other things reguarding file rights and access.

The main thing though that I've done that I hope to help me stay a little in front of these types of exploits is implement mod_security and add some rules which block the more 'common' exploits and sql injections.

Does this seem like a reasonable thing to keep doing? I hate to prohibit hosted sites from having any prebuilt scripts like phpbb or phpdig or anything else, but I don't want to be a big target for exploits either.

Is mod_security the 'easy' answer?

Worm's genealogy?

[Azul]

Searching for "neverevernosanity webworm generation X" on MSN Beta Search yields the following number of results for each value of X:

1: 0
2: 0
3: 0
4: 2335
5: 9297
6: 7218
7: 7288
8: 10746
9: 12009
10: 11752
11: 14866
12: 13267
13: 8393
14: 13317
15: 3840
16: 5004
17: 2032
18: 3344
19: 7
20: 1
21: 3
22: 1
23: 1
24: 1
25: 0

Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.

Interestingly, these numbers add to 124k, much more than the reported 39k number of pages reported by merely searching for "NeverEverNoSanity". This would imply that many of the defaced pages contain messages for different generations. Weird.

It would be interesting if the defaced pages included the URL of the parent, the one that the worm used to infect the server from which it infected the current one.

No!

[goofyheadedpunk]

Oh no! They got tmbw.net! No one messes with They Might be Giants and get's away with it. No one.

Re:NeverEverNoSanity

[jerw134]

That's an outright lie. I can't believe a mod was dumb enough to mod that BS up.

Are these numbers accurate

[Mik3D]

From the article:

Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

If I rember correctly every page on a phpBB site contains this phrase. I would guess that these numbers are grosely inflated.

-Mike

MediaWiki

[Vylen]

My site got attacked by this worm. But the thing is, the site was running MediaWiki, had no phpBB forums on it at all!
And the sister site, which is running a 2 yr old version of the phpBB forums, wasnt attacked at all!


Now, that's just to show that its not always phpBB at fault!

Re:MediaWiki

[DancingMilo]

You manage to find away to patch this? My MediaWiki has been hit hard too. Reinstalling the source does nothing either.

Re:MediaWiki

[ready29003]

My 3 mediawiki installations were hacked with this. Here are my notes posted to the mediawiki meta wiki.

WikiMedia

Broadcasting what you're running and the version

[Woody77]

is not a good idea.

Hasn't this been known in security circles for decades? (I first read this in Out of the Inner Circle).

If you broadcast who you are, what you're running, and especially the version (and patch-level) you're running, you are actively saying, "Hello, you can use exploits X, Y, and Z to p0wn me!!"

Of course Google is filtering

[JoeBuck]

Or do you really think that there are 30,000 pages MSN can find that Google can't?

Re:NeverEverNoSanity

[JoeBuck]

Google is already filtering, clearly, which is why it returns zero matches for NeverEverNoSanity. They appear to be using patterns other than "powered by phpBB" to do the filtering; probably they've gotten hold of the worm itself and are blocking specifically the terms that worm's search queries use.

ICDSOFT

[phant0m_z3r0]

ICDSOFT the hosting company doesnt give a crap read below A: Dec 22 00:50 Support 28: Hello, We already dealt with this worm - the outbreak was yesterday and urgent actions were taken, to patch the faulty phpBB boards, to stop the worm attacks against the servers. The worm exploits a bug in a PHPBB forum. Once it finds such a vulnerable version of this forum, it will inject a malicious script which will search for worldwritable files on the server and replace them with the "Defaced" message. It will also search on google for other exploitable PHPBB forums and try to infect them too. The overwritten files were all with 666 or 777 permissions (worldwritable) and thus were overwritten. Note that this is not our fault. You need not use 777 or 666 permissions on our server anymore. We have started using SuExec on the server, which greatly improves the security and stability. This environment also executes scripts with the user credentials, instead of the Apache ones, so your scripts can access all your files and folders. We can restore your site from our backups, dated 10 and 17 Dec. Please advise which backup we shall use. Best Regards, Support A: Dec 22 00:58 Support 28: Hello, The reason is not with the PHP, rather it is with a security flaw in the phpbb forums. We have patched all the customers' phpbb forums, which is indeed not our duty, but we did it to stop the attacks against our servers. Leaving a worldwritable file on your account is really against any security standards and anyone on the server could overwrite it any moment, one does not need a worm to do that. You cannot blame us for holes in your site's security that you left. Your understanding on the issue will be appreciated. We can restore your site from our backups, dated 10 and 17 Dec. Please advise which backup we shall use. Best Regards, Support

Inevitable conclusion...

[One+Childish+N00b]

Preferably in another building

In another city.

Inside a locked box, in a safe, in a bunker, which is inside another, bigger bunker, deep inside my secret volcano lair guarded by sharks with frickin' laser beams on their heads.

Re:Inevitable conclusion...

[WoodstockJeff]

Preferably in another building
In another city.
Inside a locked box, in a safe, in a bunker, which is inside another, bigger bunker, deep inside my secret volcano lair guarded by sharks with frickin' laser beams on their heads.

And UNDER the plans on display for the new hyperspace bypass route...

Re:Inevitable conclusion...

[Pope]

Beside the locked filing cabinet with a sign that reads "Beware Of The Leoapard."

Re:Inevitable conclusion...

[/dev/trash]

I'd think the sharks are overkill.

Perl Rocks!

[ukdiveboy]

Is there any way we can turn this into a I told you Perl was better than PHP debate :-D

Re:Perl Rocks!

[Leto2]

That sounds like a possibly tainted discussion...

Found this in my server logs

[Chatmag]

http://www.hackgeneral.net/phpbb_exploit.php

When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.

Re:Found this in my server logs

[Chatmag]

The wayback shows a different page, check the keywords at the bottom (site in spanish for the most part) Internet Wayback machine

I suspect this is the gang that is doing some of the exploits, they had tried to hit us and we've already upgraded, before this attack.

Re:The Robot Threat is a worm

[Joseph_Daniel_Zukige]

If the robot is a worm, neither robots.txt nor the ROBOTS NOARCHIVE, NOINDEX, and NOFOLLOW header META tags aren't going to protect you.

Great for keeping your on-line resume out of the commonly used legitimate indexes. Wise in terms of reducing visibility. Statistically speaking, might give you a little more breathing room.

But no protection, of course.

(Every day, I check my logs to see if Microsoft's engine obeys those directives. So far, it does, about seven times a week, too.)

Re:NeverEverNoSanity

[KarmaMB84]

Why would the worm be searching for sites that are already infected?

Interesting (and scary thought)

[dantheman82]

So, exploiting a vulnerability in phpBB on a "secure" Linux box combined with a vulnerability in a rather unsecure IE could combine to give us a worm and a trojan (or other virus)? Scary stuff...

debian security advisories?

[lcampagn]

This vulnerability has been known since November, and a fix was available 6 days ago.. Do any Debian users know why there has not been a security advisory from Debian for this problem?

Re:debian security advisories?

[rolfc]

Maybe because phpBB is not a part of Debian stable. It is part of testing and unstable, but if you are using them, you have take care of your own security. However since it is Debian, you can be pretty sure that the problem is quickly fixed, but it is your responsibility to confirm it.

Re:debian security advisories?

[rekt]

Actually, it looks like this was patched in debian sid/unstable on on 18 November 2004 with urgency=high.

And from my logs, it looks like it propagated into sarge/testing some time before 23 Nov 2004. if you can't bring yourself to track the debian packages themselves, i recommend installing something like cron-apt and have it mail you when new packages are ready to be installed.

If you maintain any sort of servers that are on the 'net, please keep them patched. It's common courtesy for the rest of us who use this incredible shared resource.

Invalid HTML 2.0

[Zuhiat]

Do a w3c validator check on any of the infected pages, it's not valid! Hackers fail at web standards.

Source code...

[TheSurfer]

For those who're interesed in the source code of this Sanity.A worm: click.

If I was the worm...

[n0dalus]

Google for: "Powered by phpBB 2.0.1...10" Finds all the sites that still havent updated to phpBB 2.0.11

Is the attack related to 'eScrew OWNS YOU!!!' ?

[jesterzog]

Following up some of the links, I came across this post (scroll to the 7th post on that page, by 'madadmin'.)

The administrator of that forum is claiming that, based on their server logs, they have reason to believe that the person responsible for the attacks may be the same person who's recently posted a message to comp.lang.php that's titled 'eScrew OWNS YO!!!'. (See the posting for more details.)

From further posts, it looks as if the association has been made by looking at where the worms are coneverging. Can anyone who's currently dealing with this elaborate?

Re:A few things..

[phyphor]

"that's not what topics on phpBB.com"
Except http://www.phpbb.com/phpBB/viewtopic.php?t=244451, right?

Re:Google is what?

[mabinogi]

If you say so

Re:SanIty.A or Santy.A?

[mabinogi]

My guess is that someone in the right place at the right time typoed, or didn't read it properly.

Anybody else...

[SoTuA]

...cringing at the fact that his "backup" was on the same machine? And it was writable by apache?

viewtopic.php

[duncangough]

It's been known about and fixed since sometime in November - part of the howdark exploit I think.

As has been mentioned before though, you'd have to *go to* phpBB to know that - it would be nice if they have a mailing list :(

Playaholics: Free online flash games: Driving Mad

localhost

[Fuzzums]

wouldn't it be more fun is google returned 127.0.0.1 as possible victim?

Big surprise

[MasTRE]

> Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

Is anybody actually shocked by this? I thought "wait, Google can simply filter that out" before reading the "update" part. A potential problem arises when a "worm" requires Google to filter out legitimate queries - it will become a form of censorship in the name of being a do-gooder. And you know how that ends up (if you've been involved in the firght against SPAM, for example).

Re:Hmmmm

[DrSkwid]

It is a phpBB design error called "trusting user supplied data"

throwing serialized objects to the client and trusting that they are unserializable upon return is, well, stupid.

It appears to affect MediaWiki too....

[DancingMilo]

I've been running a Wiki running on MediaWiki (the engine driving the WikiPedia) for a couple of months now and it appears to affect that.

You can see it getting affected here:
http://www.chelsea2005.com/wiki2

Can't really understand if this is a fault of MediaWiki or the version of PHP that my hosts are running?

Actually mostly disinformation in thread

[RedLaggedTeut]

Only phyphor got it right, it is not a PHP problem, and he's modded "1", in contrast to the misinformed:
sjokki explains that the bug is related to using the "e" eval modifier of preg_replace.

This is a phpBB bug.