Forgot your password?
typodupeerror
Worms Security Businesses Google The Internet PHP Programming

Net Worm Uses Google to Spread 309

Posted by michael
from the web-service-takes-on-new-meaning dept.
troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
This discussion has been archived. No new comments can be posted.

Net Worm Uses Google to Spread

Comments Filter:
  • Quick! (Score:5, Funny)

    by Anonymous Coward on Tuesday December 21, 2004 @06:16PM (#11153152)
    Someone figure out a way to blame this on Microsoft!
    • Re:Quick! (Score:4, Funny)

      by ptr2004 (695756) on Tuesday December 21, 2004 @06:36PM (#11153383)
      In other news. A tele-marketer used a telephone directory to make calls
      • Thing is, the phone companies charge you for an unlisted number. So if you have a phone, you are in that phone book getting phone spam unless you paid them not to.
    • Re:Quick! (Score:2, Interesting)

      by geekopus (130194)
      It might be quite the opposite:

      When I copied all these entries out of the log and translated the chr()
      calls, they turned out to be the attached perl script, which is capable
      of finding .html files to deface, and then going to google and finding
      more instances of phpbb to infect.

      This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most windows boxes will be immune to this particular instance of this worm (by no

    • Re:Quick! (Score:5, Funny)

      by AmberBlackCat (829689) on Tuesday December 21, 2004 @09:18PM (#11154761)
      Someone figure out a way to blame this on Microsoft!

      The PHP guys will probably blame it on Apache 2.

  • by Meostro (788797) * on Tuesday December 21, 2004 @06:16PM (#11153153) Homepage Journal
    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled [google.com] for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search [msn.com] returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta [msn.com] engine for the article.
  • by mkop (714476) * on Tuesday December 21, 2004 @06:16PM (#11153155) Journal
    There is nothing wrong with google. only with people who have not pathced the php buletin boards
  • Poor /. (Score:5, Funny)

    by roman_mir (125474) on Tuesday December 21, 2004 @06:17PM (#11153157) Homepage Journal
    I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

  • by akiy (56302) on Tuesday December 21, 2004 @06:17PM (#11153168) Homepage
    It looks like the latest phpBB version 2.0.11 [phpbb.com]or a simple patch [phpbb.com] will thwart the worm, though. Time to upgrade if you haven't yet!
    • > It looks like the latest phpBB version 2.0.11 or a simple patch will thwart
      > the worm, though. Time to upgrade if you haven't yet!

      That's alright. All the lazy admins will blame Google and everything will be okay!

      This, I suspect, is going to be a new way of infecting web-based apps. Just do a search for the vulnerable software on Google, Yahoo or whatever, pop in, do your damage and be on your way.

      Of course, it will get much worse if its some sort of E-commerce software or something like that a
      • by topynate (694371) on Tuesday December 21, 2004 @06:29PM (#11153308)
        Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

        Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

      • phpBB is very hard to upgrade.

        To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).

        Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

    • by Cutriss (262920) on Tuesday December 21, 2004 @06:26PM (#11153278) Homepage
      Yes and no.

      It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

      Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.
      • a bit OT, but does anyone know of tools for admins of shared servers to scan for vulnerabilites in customer-installed web applications like these?

        I just went through by hand, and 8 of 9 installed copies of phpBB on my server were vulnerable.

    • Good job. You do know that by Slashdotting the phpBB.com server, you're preventing people from patching, right? :)
  • by StevenHenderson (806391) <stevehenderson.gmail@com> on Tuesday December 21, 2004 @06:18PM (#11153172)
    it can always use Google Suggest to find victims. :)
  • by Marxist Hacker 42 (638312) * <seebert42@gmail.com> on Tuesday December 21, 2004 @06:18PM (#11153178) Homepage Journal
    Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!
  • by somethinghollow (530478) on Tuesday December 21, 2004 @06:18PM (#11153179) Homepage Journal
    When it infects sites running SlashCode, it pretends to be a legitament post (so it can get the defacement tag "NeverEverNoSanity" on the front page, then monitors for posting, and tries to get first post, too.
  • I got hit HARD! :( (Score:5, Interesting)

    by Broadband (602443) on Tuesday December 21, 2004 @06:22PM (#11153238)
    This worm is unbelieveably evil.

    What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extentions and overwrites them with the 264 byte file that simply states "Web site defaced"

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spening the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

    If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

    -BB
    • Unlucky generation 13, eh? I heard it was worse than the others.
      Yes, it was a lame joke. I couldn't think of anything better :(
    • According to W3C, It's not even valid [w3.org] HTML 2.0. The least they could do is write valid code. Sheesh.
    • by Anonymous Coward
      That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

      Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.
      • Actually, proper backups are a restorable copy in a location that minimizes chance of loss. They don't need to be a cold copy.

        Our backups rsync and offload to an offsite server with RAID'ed drives. Yes, that server could theoretically be hosed at the same time the master goes down in flames but the chances of that are low. In fact, not much greater than if you have a tape, etc. If somebody hacks the backup server, well they could have wiped the tape too.

        The main advantage of tapes, etc are staggered bac
      • Preferably in another building

        In another city.
        • Preferably in another building

          In another city.


          Inside a locked box, in a safe, in a bunker, which is inside another, bigger bunker, deep inside my secret volcano lair guarded by sharks with frickin' laser beams on their heads.

    • If your backup was unshared and secure it wouldn't have been overwritten. Keeping a backup on the same machine is the same as not having a backup. I would argue that keeping a backup on the same subnet is the same as not having a backup.
    • This is the main issue with harddisks as backup. They don't provide security against these kind of attacks as they are just as vulnerable as any other disk attached to the system.

      A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...
      • by Zen Punk (785385) <cdavidbonner&gmail,com> on Tuesday December 21, 2004 @06:57PM (#11153604) Journal
        Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."
        • Hard drives aren't necessarily as reliable though for the cost of the drives, keeping two sets of backup drives might be better for some poeple.

          With tape, you can put it into any compatible drive, or have multiple tapes. At any rate, both do have to be removed.
    • I'm well aware that it wasn't the best form of backup and the funny thing is I just reinstalled the machine and OS and the 2nd drive was an identical mirror. That was 7 days ago. I thought to myself. I'll back up to physical media this weekend. What's the chances I could lose that data in 7 days. I learned my lesson :P Forutnately i do have backups they just aren't as easy as a copy since their on varios medias. What a great Christmas Gift eh?
    • I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

      Umm... why was your webserver writable? (If you'd had a secure webserver the virus would never have been able to install in the first place).

      Why was your *backup* writable? (It was clearly *not* 'secure').
  • snort signatures (Score:4, Informative)

    by UnderAttack (311872) * on Tuesday December 21, 2004 @06:26PM (#11153276) Homepage
    The ISC posted a couple of snort sigs [sans.org] and other details.
  • by The Hobo (783784) on Tuesday December 21, 2004 @06:34PM (#11153364)
    I had forgotten the MSN beta search engine, so I just googled it...
  • So I get my present, in the mail, a little early.
    A new HDTV card...
    I go to download [pchdtv.com] the linux only drivers and...

    NeverEverNoSanity!!!

    Argh! &$@*#! Humbug.
  • by VeneficusAcerbus (724294) on Tuesday December 21, 2004 @06:43PM (#11153456)
    From ISC:
    Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.
  • I got hit (Score:3, Insightful)

    by Ghoser777 (113623) <fahrenba AT mac DOT com> on Tuesday December 21, 2004 @06:43PM (#11153459) Homepage
    My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.
    • you have to get rooted
      Not if you know what your doing you don't. You should have kept up with your patches.
      • Re:I got hit (Score:3, Informative)

        by tchuladdiass (174342)
        Not only keep up on patches, but also seperation of services. Your web server should run under a chrooted environment at minimum, as a non-privlidged user. Any files that doesn't need to be written to by the web applications (including html and cgi files) should be owned by a different user id (and not world-writable).

        The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OS's running, each with only the bare minimum libraries that are n
  • I looked at a defaced page and there were two things I noticed. The first was that the worm does not seem to create a robots.txt file to hide defaced pages from search engines. Second, the majority of the text is contained in an ADDRESS, HTML tag. It is a valid tag, but does anyone actually use it? I have not seen it before as far as I can recall.

    • The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.

      http://www.w3.org/TR/html401/struct/global.html#ed ef-ADDRESS [w3.org]

      I've used it for years. By the way, how often do you review the html source of webpages you visit?

      • By the way, how often do you review the html source of webpages you visit?

        Occasionally. I have also edited quite a few different ones for one reason or another. I was not meaning to imply that it was not valid. I was just wondering if it was obscure and unused, or just something I have not run across. It still seems an odd inclusion in a page created by a worm.

        Relating to this, I wonder, is there any way to get google to search based upon html tags? For example, could I find all pages with address t

  • Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ [robotstxt.org] along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what y
  • google found nothing, MSN search found this

    Results 1-3 of about 3 containing ""WebWorm Generation""

    1. This site is defaced!!!
    This site is defaced!!! NeverEverNoSanity WebWorm generation 5.
    www.videocardforum.com

    2. This site is defaced!!!
    This site is defaced!!! NeverEverNoSanity WebWorm generation 8.
    www.dslwebserver.com/main/sbs-zonealarm-configure. html
    3. This site is defaced!!!
    This site is defaced!!! NeverEverNoSanity WebWorm generation 11.

  • by falzbro (468756) on Tuesday December 21, 2004 @06:58PM (#11153607) Homepage
    I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca 3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)% 252echr(101)%252echr(114)%252echr(108)%252echr(32) %252echr(45)%252echr(101)%252echr(32)%252echr(34)% 252echr(111)%252echr(112)%252echr(101)%252echr(110 )%252echr(32)%252echr(79)%252echr(85)%252echr(84)% 252echr(44)%252echr(113)%252echr(40)%252echr(62)%2 52echr(109)%252echr(49)%252echr(104)%252echr(111)% 252echr(50)%252echr(111)%252echr(102)%252echr(41)% 252echr(32)%252echr(97)%252echr(110)%252echr(100)% 252echr(32)%252echr(112)%252echr(114)%252echr(105) %252echr(110)%252echr(116)%252echr(32)%252echr(113 )%252echr(40)%252echr(72)%252echr(89)%252echr(118) %252echr(57)%252echr(112)%252echr(111)%252echr(52) %252echr(122)%252echr(51)%252echr(106)%252echr(106 )%252echr(72)%252echr(87)%252echr(97)%252echr(110) %252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid= 2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%2 52Esystem(chr(112)%252echr(101)%252echr(114)%252ec hr(108)%252echr(32)%252echr(45)%252echr(101)%252ec hr(32)%252echr(34)%252echr(111)%252echr(112)%252ec hr(101)%252echr(110)%252echr(32)%252echr(79)%252ec hr(85)%252echr(84)%252echr(44)%252echr(113)%252ech r(40)%252echr(62)%252echr(109)%252echr(49)%252echr (104)%252echr(111)%252echr(50)%252echr(111)%252ech r(102)%252echr(41)%252echr(32)%252echr(97)%252echr (110)%252echr(100)%252echr(32)%252echr(112)%252ech r(114)%252echr(105)%252echr(110)%252echr(116)%252e chr(32)%252echr(113)%252echr(40)%252echr(72)%252ec hr(89)%252echr(118)%252echr(57)%252echr(112)%252ec hr(111)%252echr(52)%252echr(122)%252echr(51)%252ec hr(106)%252echr(106)%252echr(72)%252echr(87)%252ec hr(97)%252echr(110)%252echr(78)%252echr(41)%252ech r(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters [asciitable.com], you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.

    --falz
    • by Anonymous Coward
      Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

      You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

      if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
      $h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
      $HTTP_GET_VARS['highlight']);
      $h = preg_replace('/%2e/i', '', $h);
      $h = preg_replace('/%27/', "'", $h);
      error_log("viewtopic ha

    • Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
      Download link [theaimsgroup.com]
    • ARGH! Your comment is working as a pagewidener [img147.exs.cx] in Opera 7.6P4!

      FWIW, I tested with IE (the only other browser on this computer), and it's fine...
  • It seems one of the webcomics I read, UnderPower, got affected as well... It also happens to be linked here on Slashdot...

    Black background, red lettering:

    This site is defaced!!!
    NeverEverNoSanity WebWorm generation 14.
  • by bharatman (253051) on Tuesday December 21, 2004 @07:03PM (#11153652)

    MSN's first page estimates are always grossly inflated. Try this link instead:

    http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

    Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.
  • Clarification (Score:2, Informative)

    by Sheepdot (211478)
    I had to explain this to a colleague earlier in layman's terms, so I'm repeating it here:

    For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.

    This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the
    • Re:Clarification (Score:5, Informative)

      by ScottMacVicar (751480) * on Tuesday December 21, 2004 @07:39PM (#11153960)
      I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

      The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

      The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

      So this worm only affects phpBB 2.0.10 and below.
      • MOD PARENT UP (Score:2, Informative)

        by a16 (783096)
        The worm is related to an issue in phpBB 2.0.10 as per the parent, nothing to do with any PHP issues.

        I do wish mods would be careful when modding posts that they obviously no nothing about as 'informative' - to be 'informative' you have to give correct information, not just information that looks technical enough to be correct.
  • by AC-x (735297) on Tuesday December 21, 2004 @07:27PM (#11153845)
    Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.
  • I was hit with the security exploit when the vulnerability was first announced in mid November (The Hilight bug at least). Since then I've upgraded php and phpbb on all my hosted sites (it ended up being resold sites that got me), and done some other things reguarding file rights and access.

    The main thing though that I've done that I hope to help me stay a little in front of these types of exploits is implement mod_security and add some rules which block the more 'common' exploits and sql injections.

    Does
  • Worm's genealogy? (Score:2, Interesting)

    by Azul (12241)

    Searching for "neverevernosanity webworm generation X" on MSN Beta Search [msn.com] yields the following number of results for each value of X:

    1: 0
    2: 0
    3: 0
    4: 2335
    5: 9297
    6: 7218
    7: 7288
    8: 10746
    9: 12009
    10: 11752
    11: 14866
    12: 13267
    13: 8393
    14: 13317
    15: 3840
    16: 5004
    17: 2032
    18: 3344
    19: 7
    20: 1
    21: 3
    22: 1
    23: 1
    24: 1
    25: 0

    Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.

    Interestingly, these numbers add to 124k, much more than the reported 39k number of pages repo

  • by Chatmag (646500) <editor@chatmag.com> on Tuesday December 21, 2004 @10:09PM (#11155110) Homepage Journal
    http://www.hackgeneral.net/phpbb_exploit.php

    When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.

It is better to give than to lend, and it costs about the same.

Working...