Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


phpBB worm in-the-wild

  • Please log in to reply
6 replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:11:27 AM

Posted 21 December 2004 - 12:09 PM

The Internet Storm Center just issued this alert:

phpBB Worm (added Dec 21st 12 pm EST)

We just received a number of reports about a new worm that infects web servers running phpBB. Apperently, there is no patch at this point. However, according to viruslist.com, a workaround can be found here:


BC AdBot (Login to Remove)


#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,637 posts
  • Gender:Male
  • Local time:10:27 AM

Posted 21 December 2004 - 01:24 PM

Kaspersky Labs has sent out an email newsletter warning about this one, dubbed Net-Worm.Perl.Santy.a. Good article here:

Kaspersky Lab, a leading developer of secure content management systems, has detected a new worm, Net-Worm.Perl.Santy.a. This worm infects certain web sites by exploiting a vulnerability in phpBB, a popular package used to create Internet forums. Santy.a is spreading rapidly, and has caused an epidemic. However, this does not directly affect end users - although the worm infects web sites, it does not infect computers used to view these sites.

Once the worm has gained control over a site, it will scan all directories on the infected site. All files with the extensions .htm, .php, .asp, .shtm, .jsp and phtm will be overwritten with the text 'This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation'.

Apart from defacing infected sites with this text, the worm has no payload. It will not infect machines which are used to view infected sites. Kaspersky Lab recommends that all users of phpBB should upgrade to version 2.0.11 to prevent their sites from being defaced.

Edited by Papakid, 22 December 2004 - 12:46 AM.

The thing about people

is they change

when they walk away.--Mipso

#3 harrywaldron


    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:11:27 AM

Posted 21 December 2004 - 06:11 PM



#4 Tweener


  • Members
  • 56 posts
  • Location:Ohio
  • Local time:11:27 AM

Posted 21 December 2004 - 08:25 PM

These guys need to get out once in a while. Why not go to a freight yard with a few cans of spray paint for the boxcars instead? :thumbsup:
There are 10 kinds of people, those that understand binary - and those that don't.

#5 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:07:27 AM

Posted 21 December 2004 - 10:07 PM

:flowers: My thoughts too. Nothin' better to do? :thumbsup:
patiently patrolling, plenty of persisant pests n' problems ...

#6 Daisuke


    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania
  • Local time:10:27 AM

Posted 27 December 2004 - 08:52 PM

PHP Worm in the wild

Spyki.a and Spyki.b

Santy updates - worm renamed
We've decided to rename Santy.d and Santy.e to Spyki.a and b. We are doing this because:

A deeper analysis of the new worm that we detected at the weekend, which seemed to be a new version of Santy, shows that it's different to Santy. The most important difference is that it doesn't exploit vulnerable versions of phpBB to spread. It attacks any vulnerability which contains the 'Remote file inclusion' vulnerability. So the problem is that this vulnerability isn't connected with which version of PHP is installed on the server - it happens because of errors in programming PHP pages.

Once the worm penetrates the server, it uploads Backdoor.Perl.Shellbot.a - also written in Perl. This backdoor connects with certain IRC channels to receive and execute commands from its author/ user.

The new worm uses the Brazilian Google server for search requests, and includes the copyright of the Brazil hacker group 'Atrix Team' - it seems that this group probably wrote the new worm.

We recommend everyone using PHP for web page programming to check their servers for errors. A description of the errors is here

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 raw


    Bleeping Hacker

  • Members
  • 2,577 posts
  • Gender:Male
  • Location:Texas
  • Local time:10:27 AM

Posted 27 December 2004 - 09:58 PM

In case anyone wants to analyze Santy/PHPInclude.Worm

Santy.b: http://www.k-otik.com/exploits/20041225.SantyB.php
PHPInclude.Worm: http://www.k-otik.com/exploits/20041225.PhpIncludeWorm.php

Simply amazing what a small PERL script can do.


 rawcreations.net          @raw_creations

Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users