Net Worm Uses Google to Spread
troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, using Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' (part of the defacement text that the Santy worm uses to replace files on infected Web sites) returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article, which says Google is now squashing requests generated by the worm.
Headline is way too misleading (Score:5, Informative)
Latest Version of phpBB Unaffected (Score:5, Informative)
snort signatures (Score:4, Informative)
Re:Latest Version of phpBB Unaffected (Score:5, Informative)
It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.
Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writable, folks.
Re:Under the Google radar (Score:3, Informative)
Re:Hmmmm (Score:4, Informative)
Re:Headline is way too misleading (Score:5, Informative)
phpBB has an explanation of what the problem is; it can be found at:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=2
OTHER FORUMS ARE VULNERABLE
(and no, I am not a phpBB zealot, I am pointing out a misconception)
Re:NeverEverNoSanity (Score:3, Informative)
If Google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on Google is because Googlebot is extremely slow to index new content on most sites.
Re:Under the Google radar (Score:2, Informative)
Re:I got hit HARD! :( (Score:2, Informative)
Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.
For all of you saying it's a PHP exploit (Score:5, Informative)
The Robot Threat (Score:2, Informative)
If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt,
Not PHP Bugs - phpBB exploit is used (Score:5, Informative)
This is not caused by the PHP bugs; it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this and has been available for ages (over a month).
So in summary, if you use phpBB, upgrade to 2.0.11 now; not upgrading is not an option.
I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues); upgrading to phpBB 2.0.11 will. Simple.
Re:address tag and no robots (Score:2, Informative)
The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.
http://www.w3.org/TR/html401/struct/global.html#edef-ADDRESS [w3.org]
I've used it for years. By the way, how often do you review the html source of webpages you visit?
Re:Ehhh.. Tape drive perhaps?? (Score:4, Informative)
Re:Under the Google radar (Score:5, Informative)
0, 1, 2, 3 - no hits
4 - 2335 hits
5 - 9297 hits
6 - 7218 hits
7 - 7288 hits
8 - 10746 hits
9 - 12009 hits
10 - 11752 hits
11 - 14866 hits
12 - 13267 hits
13 - 8393 hits
14 - 13317 hits
15 - 3840 hits
16 - 5004 hits
17 - 1950 hits
18 - 3344 hits
19 - 6 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits
Re:Headline is way too misleading (Score:2, Informative)
MSN actually returns 207 results (Score:3, Informative)
MSN's first page estimates are always grossly inflated. Try this link instead:
http://beta.search.msn.com/results.aspx?q=Never
Note that the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.
Re:Headline is way too misleading (Score:4, Informative)
That indicates to me that someone may have been doing some active development on it...
Clarification (Score:2, Informative)
For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.
This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the speed with which the exploit was released, it could be that the worm developer had the engine ready and was simply looking for a PHP exploit to come out for a function that was used with a widely available web application package. They hit the jackpot with phpBB and PHP together.
The developer didn't think to make it add a random element to its Google searches, or to use different search engines. In fact, it almost looks like this was simply a trial run for a future worm that will be much more complex and may possibly span a multitude of web applications.
A concept was written up earlier this year here:
http://www.imperva.com/application_defense
It now appears that niddhog (the concept worm) has been made evident. Fortunately, it did not include such things as Code Red and Nimda did with using IE exploits to infect the clients that would view these websites.
It is a bleak future with the idea of Web Application Worms coupled with IE exploits. Not only do you have the method and distribution combined, but such a thing would be highly anonymous for the malware author and could spread to the highest point of infection in a matter of hours as IE users visited their favorite community websites running exploitable forum software.
Re:This one's fun to debug - perl via url (Score:3, Informative)
You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...
// Log decoded exploit attempts aimed at the 'highlight' parameter.
if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
    // Turn each chr(NN) call (optionally preceded by an encoded dot) back into its
    // character. preg_replace_callback is used instead of the /e modifier, which
    // current PHP no longer supports.
    $h = preg_replace_callback('/(?:%2e)?chr\((\d+)\)/i',
        function ($m) { return chr((int) $m[1]); },
        $HTTP_GET_VARS['highlight']);
    $h = preg_replace('/%2e/i', '', $h);   // drop any remaining encoded dots
    $h = preg_replace('/%27/', "'", $h);   // restore encoded single quotes
    error_log("viewtopic hack attempt: $h", 0);
}
Then it will show you the hack attempts in the error log.
Be sure to upgrade your PHP and phpBB FIRST!
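A log-side counterpart to the viewtopic.php check in the post above, added here as an example and not part of the original comment: it scans Apache-style access log lines for viewtopic.php requests whose highlight parameter carries chr() calls after one round of URL decoding, and decodes them the same way (chr(NN) to character, %2e dropped, %27 restored). The log lines are constructed; the chr() sequence in them only spells the word "test".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines, not real traffic. The second request carries a
# highlight value shaped like the worm's: an encoded quote, then chr() calls joined
# by encoded dots. As sent by the client it is double-encoded (%2527, %252E).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2004:10:00:00 +0000] "GET /forum/viewtopic.php?t=42&highlight=phpbb HTTP/1.1" 200 5123
192.0.2.11 - - [21/Dec/2004:10:00:05 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527%252Echr(116)%252echr(101)%252echr(115)%252echr(116)%252E%2527 HTTP/1.1" 200 5123
192.0.2.12 - - [21/Dec/2004:10:00:09 +0000] "GET /forum/index.php HTTP/1.1" 200 811
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
HIGHLIGHT_MARK = re.compile(r'chr\(', re.I)
CHR_CALL = re.compile(r'(?:%2e)?chr\((\d+)\)', re.I)


def decode_highlight(value):
    """Undo the chr()/%2e/%27 obfuscation the way the phpBB-side check does.

    `value` is the highlight parameter after one URL decode, i.e. what PHP's
    $HTTP_GET_VARS['highlight'] would hold."""
    h = CHR_CALL.sub(lambda m: chr(int(m.group(1)) % 256), value)  # PHP chr() wraps at 256
    h = re.sub(r'%2e', '', h, flags=re.I)  # leftover encoded dots (string concatenation)
    return h.replace('%27', "'")           # encoded single quotes


def find_highlight_attempts(log_text):
    """Return (client_ip, decoded_highlight) for every viewtopic.php request whose
    highlight parameter contains a chr() call after one round of URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('viewtopic.php'):
            continue
        # parse_qs performs the single URL decode the web server would apply.
        for value in parse_qs(url.query, keep_blank_values=True).get('highlight', []):
            if HIGHLIGHT_MARK.search(value):
                hits.append((m.group('ip'), decode_highlight(value)))
    return hits


if __name__ == '__main__':
    for ip, decoded in find_highlight_attempts(SAMPLE_LOG):
        print(f"{ip}: viewtopic hack attempt: {decoded}")
```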
My webserver just got hit by this (Score:3, Informative)
Download the full source code (Score:3, Informative)
Looks like you didn't read the Bugtraq posting completely... There's a zip attachment with the fully decoded perl script.
Download link [theaimsgroup.com]
Re:Clarification (Score:5, Informative)
The PHP exploit was to do with the length part of a serialized string; it wasn't correctly enforced, and a suitably large value would cause a crash and print out contents of the stack, which could include any variable within the script. In s:1000:"test"; the 1000 part is not correctly checked.
The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.
So this worm only affects phpBB 2.0.10 and below.
Re:phpBB2 need a security mailing list (Score:2, Informative)
Re:phpBB2 need a security mailing list (Score:2, Informative)
Sourceforge offers release trackers, which the phpBB team openly points people to if they want mail updates:
http://sourceforge.net/project/filemodule_monitor
Or, of course, there is the RSS feed:
http://www.phpbb.com/rss.php [phpbb.com]
And, after 'popular demand' they are currently working on a special security mailing list that people can subscribe to.
MOD PARENT UP (Score:2, Informative)
I do wish mods would be careful when modding posts that they obviously know nothing about as 'informative'. To be 'informative' you have to give correct information, not just information that looks technical enough to be correct.
Re:I got hit (Score:3, Informative)
The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OSes running, each with only the bare minimum libraries that are needed to support each one's dedicated services (got one set up for bind, sendmail, apache). Each virtual OS session has multiple network interfaces (one is set up as an "internal" network only, another is set up to accept packets redirected from the outside via iptables rules). Any config/data files that I need to update periodically (such as the html files for the web server process) live in a partition on the parent server, NFS exported read-only to the appropriate session's internal virtual IP address. Any files that they need to write to are symlinked to a locally-owned filesystem. Log files are set up append only (still working on this; I was thinking of using one of the user-space filesystems to implement this feature, or checking if selinux can handle that).
Re:Latest Version of phpBB Unaffected (Score:3, Informative)
To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).
Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.
Re:Ehhh.. Tape drive perhaps?? (Score:2, Informative)
I see a couple easy blocks to these, though:
1) write a shell script for mounting the backup drive, both onto the SCSI chain and into the filesystem, performing the backup, and then unmount it.
2) round-robin the drives on a regular basis, so an IT monkey can physically swap out sets when needed to provide off-site storage (basically use hot-swap bays like very large, fast tape jukeboxes).
3) encrypt the pertinent scripts, and use yet another script with a benign name to perform the decryption of the shell script, the chmod to executable of it, and then exec'ing it.
****
Yes, it's still hackable, but it ups the bar considerably, and if you're swapping the drives out nightly/weekly, you've got good backups that are offline and not too old.
Re:Under the Google radar (Score:2, Informative)