Posted 21 December 2004 - 01:24 PM
Kaspersky Lab, a leading developer of secure content management systems, has detected a new worm, Net-Worm.Perl.Santy.a. This worm infects certain web sites by exploiting a vulnerability in phpBB, a popular package used to create Internet forums. Santy.a is spreading rapidly, and has caused an epidemic. However, this does not directly affect end users - although the worm infects web sites, it does not infect computers used to view these sites.
Once the worm has gained control over a site, it will scan all directories on the infected site. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm will be overwritten with the text 'This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation'.
Apart from defacing infected sites with this text, the worm has no payload. It will not infect machines which are used to view infected sites. Kaspersky Lab recommends that all users of phpBB should upgrade to version 2.0.11 to prevent their sites from being defaced.
Edited by Papakid, 22 December 2004 - 12:46 AM.
The fate of all mankind, I see
Is in the hands of fools
Posted 27 December 2004 - 08:52 PM
Santy updates - worm renamed
We've decided to rename Santy.d and Santy.e to Spyki.a and b. We are doing this because:
A deeper analysis of the new worm that we detected at the weekend, which seemed to be a new version of Santy, shows that it's different to Santy. The most important difference is that it doesn't exploit vulnerable versions of phpBB to spread. It attacks any PHP page which contains the 'Remote file inclusion' vulnerability. So the problem is that this vulnerability isn't connected with which version of PHP is installed on the server - it happens because of errors in programming PHP pages.
Once the worm penetrates the server, it uploads Backdoor.Perl.Shellbot.a - also written in Perl. This backdoor connects with certain IRC channels to receive and execute commands from its author/user.
The new worm uses the Brazilian Google server for search requests, and includes the copyright of the Brazilian hacker group 'Atrix Team' - it seems that this group probably wrote the new worm.
We recommend everyone using PHP for web page programming to check their servers for errors. A description of the errors is here.
Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux
and a custom Linux From Scratch server hosting a bunch of top secret stuff.
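The "errors in programming PHP pages" that the Kaspersky update refers to usually come down to one pattern: passing a request parameter straight into include(). The snippet below is an added example, not code from the thread, from Kaspersky or from phpBB; the page names, template paths and function names are made up for illustration. It shows the vulnerable form beside a hardened form that maps the request value onto a fixed allow-list of local files.

```php
<?php
// Added example (hypothetical code, not from phpBB or the worm analysis).
// Shows the remote-file-inclusion coding error and one way to fix it.

// VULNERABLE: the template name is taken directly from the request and
// handed to include(). When PHP may open URLs in include() (allow_url_fopen
// in the PHP of 2004, allow_url_include in 5.2 and later), a URL supplied in
// this parameter is fetched and executed as PHP on the server; without URL
// wrappers a relative path can still pull in an unintended local file.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: the request value is only ever used as a key into a fixed
// allow-list of local template paths. Any value not in the list falls back
// to the default, so neither a URL nor a path ever reaches include().
function resolve_page(string $requested): string
{
    // Hypothetical template set; paths are constructed for the example.
    static $pages = [
        'home' => __DIR__ . '/templates/home.php',
        'faq'  => __DIR__ . '/templates/faq.php',
    ];
    return $pages[$requested] ?? $pages['home'];
}

function render_page_hardened(): void
{
    include resolve_page((string) ($_GET['page'] ?? 'home'));
}
```

Auditing for the vulnerable form means looking for include, include_once, require and require_once whose argument is built from $_GET, $_POST, $_REQUEST or $_COOKIE; disabling URL wrappers for include() is a useful second layer but does not replace fixing the page itself.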