(FIX INCLUDED) Santy Worm Defaces Web Forums
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
Anti-virus vendors have raised the threat level on a new Internet worm squirming through Web servers that are running unpatched versions of the popular phpBB Web forum software.
The worm, known as Net-Worm.Perl.Santy.A or Santy, uses Google search to randomly find sites running phpBB and overwrites several different files to deface the forums.
By targeting the freely distributed phpBB, the defacement worm has become a major nightmare for some businesses that use the forum software to handle customer-service queries and other support issues.
In an advisory, security research outfit Kaspersky Lab said the Santy worm is "extra tricky" because it replaces several files on the server with its own code, meaning that other sites using the same host get infected.
Kaspersky Lab's advisory carries a "Red Alert" rating.
On the phpBB support forum, administrators urged users to upgrade to the newest available release of the software.
In a forum notice, the volunteers at phpBB said the issue was traced back to a serious exploitable flaw in PHP, the scripting language on which phpBB is based.
"It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file," the notice read.
Forum administrators who maintain their own server are urged to upgrade to the newest available release of PHP (both versions 4 and 5).
"Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally, please examine any 'hacking' issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB)," the group said.
"Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions."
F-Secure, an anti-virus vendor tracking the defacements, said Santy was only defacing servers and not infecting end-users.
An alert from F-Secure confirmed Kaspersky's findings and warned that the worm overwrites files with the following extensions: .htm, .php, .asp, .shtm, .jsp and .phtm.
Because the worm specifically uses Google queries to find vulnerable servers, F-Secure said the search engine giant could stop the outbreak by simply not responding to the queries the virus uses.
"This wouldn't hurt any end-users and would in fact take load off from Google servers," the company said in an updated notice posted late Tuesday.
If you have the latest phpBB upgrades done you should be just fine. You can read about a proposed fix for non updated sites here https://www.codezwiz.com/ftopicp-36293.html#36293
Article submitted by: Redhot_2oo3
Last Update: 12-21-2004
Category: Security
The worm, known as Net-Worm.Perl.Santy.A or Santy, uses Google search to randomly find sites running phpBB and overwrites several different files to deface the forums.
By targeting the freely distributed phpBB, the defacement worm has become a major nightmare for some businesses that use the forum software to handle customer-service queries and other support issues.
In an advisory, security research outfit Kaspersky Lab said the Santy worm is "extra tricky" because it replaces several files on the server with its own code, meaning that other sites using the same host get infected.
Kaspersky Lab's advisory carries a "Red Alert" rating.
On the phpBB support forum, administrators urged users to upgrade to the newest available release of the software.
In a forum notice, the volunteers at phpBB said the issue was traced back to a serious exploitable flaw in PHP, the scripting language on which phpBB is based.
"It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBB's config.php file," the notice read.
Forum administrators who maintain their own server are urged to upgrade to the newest available release of PHP (both versions 4 and 5).
"Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally, please examine any 'hacking' issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB)," the group said.
"Remember, this is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions."
F-Secure, an anti-virus vendor tracking the defacements, said Santy was only defacing servers and not infecting end-users.
An alert from F-Secure confirmed Kaspersky's findings and warned that the worm overwrites files with the following extensions: .htm, .php, .asp, .shtm, .jsp and .phtm.
Because the worm specifically uses Google queries to find vulnerable servers, F-Secure said the search engine giant could stop the outbreak by simply not responding to the queries the virus uses.
"This wouldn't hurt any end-users and would in fact take load off from Google servers," the company said in an updated notice posted late Tuesday.
If you have the latest phpBB upgrades done you should be just fine. You can read about a proposed fix for non updated sites here https://www.codezwiz.com/ftopicp-36293.html#36293
Article submitted by: Redhot_2oo3
Last Update: 12-21-2004
Category: Security
Current rating: 5.22 by 72 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(9,413 reads) 07-05-2008
· Fusion Security(15,104 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(13,860 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,334 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(13,830 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(14,592 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(14,616 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,342 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(18,181 reads) 10-19-2006
· Php Nuke 8.0 Patched(14,568 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.