Net Worm Uses Google to Spread 309
troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, if you use Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' -- part of the defacement text that the Santy worm uses to replace files on infected Web sites -- it returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T: ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
Under the Google radar (Score:5, Interesting)
This site is defaced!!! NeverEverNoSanity WebWorm generation 10.
I tried to find some kind of reference and Googled [google.com] for it, but I got no results.
Still nothing on it, wonder how long it'll be before it shows up?
MSN search [msn.com] returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta [msn.com] engine for the article.
I got hit HARD! :( (Score:5, Interesting)
What it does is search all volumes on the server for files with the
I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.
I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 done now.
If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before I get that site back online.
-BB
Re:NeverEverNoSanity (Score:1, Interesting)
Re:A few things.. (Score:2, Interesting)
Re:Quick! (Score:2, Interesting)
This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most Windows boxes will be immune to this particular instance of this worm (by not having Perl installed).
That's not to say that it can't be modified to carry a more portable payload. Thank God the payload wasn't itself written in PHP.
This one's fun to debug - perl via url (Score:5, Interesting)
This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own Perl script and executes it on the server.
Here's the first line from the logfile:
If you decode the ASCII characters [asciitable.com], you get:
I didn't have enough free time to decode the whole thing due to... actual work having to be done, but it's quite clever.
--falz
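The chr()-concatenation trick the comment above describes leaves a distinctive fingerprint in web server access logs. The following is an added detection example, not code from the post or the worm: it scans constructed sample log lines for runs of chr(N).chr(N)... in the request and decodes them into readable text so a responder can see what was being passed. The log lines, IP addresses and the decoded "placeholder" payload are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic from the thread).
# The second line carries a chr()-concatenation in its query string, the
# pattern the comment above describes; the hidden text is a harmless placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2004:10:00:01 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120
203.0.113.9 - - [21/Dec/2004:10:00:02 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527.chr(112).chr(108).chr(97).chr(99).chr(101).chr(104).chr(111).chr(108).chr(100).chr(101).chr(114).%2527 HTTP/1.1" 200 3127
198.51.100.2 - - [21/Dec/2004:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 812
"""

# Two or more chr(N) calls joined by PHP's "." concatenation operator.
CHR_RUN = re.compile(r"(?:chr\(\d{1,3}\)\s*\.?\s*){2,}")


def decode_chr_runs(text):
    """Return the readable strings hidden in every chr(N).chr(N)... run in text."""
    out = []
    for m in CHR_RUN.finditer(text):
        codes = [int(c) for c in re.findall(r"chr\((\d{1,3})\)", m.group(0))]
        out.append("".join(chr(c) for c in codes if c < 256))
    return out


def scan_log(log_text):
    """Return [(line_no, decoded_strings)] for lines whose request carries chr() runs."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        # Decode twice: attackers often double-encode (%2527 -> %27 -> ').
        request = unquote(unquote(line))
        decoded = decode_chr_runs(request)
        if decoded:
            hits.append((n, decoded))
    return hits


if __name__ == "__main__":
    for line_no, strings in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: chr() run decodes to {strings}")
```

Run against a real access log, any line that decodes to shell commands, file names or a script body is a strong signal that a phpBB host has been probed or compromised and should be pulled into incident response.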
Worm's genealogy? (Score:2, Interesting)
Searching for "neverevernosanity webworm generation X" on MSN Beta Search [msn.com] yields the following number of results for each value of X:
Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.
Interestingly, these numbers add to 124k, much more than the 39k pages reported by merely searching for "NeverEverNoSanity". This would imply that many of the defaced pages contain messages for different generations. Weird.
It would be interesting if the defaced pages included the URL of the parent, the one that the worm used to infect the server from which it infected the current one.
Found this in my server logs (Score:3, Interesting)
When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.