Oddworld Forums

Oddworld Forums (http://www.oddworldforums.net/index.php)
-   Off-Topic Discussion (http://www.oddworldforums.net/forumdisplay.php?f=9)
-   -   NeverEverNoSanity (http://www.oddworldforums.net/showthread.php?t=10956)

Fuzzle Guy 12-23-2004 12:39 AM

NeverEverNoSanity
 
BEWARE of a virus worm that is going round and infecting forums and chatrooms. If you own a forum then this can be aimed at you:

Summary

Santy is a worm that was found on December 21st, 2004. It uses a vulnerability in the popular phpBB discussion forum software to spread, and it uses the Google search engine to find vulnerable servers. It does not infect end user computers.

Google started filtering requests made by the worm on December 22nd, 2004, in order to stop the worm.

Detailed Description

The worm is written in the Perl scripting language. When executed, the worm uses the Google search engine to look for hosts that have phpBB software in use. It does this by searching for URLs that contain the string "viewtopic.php". In order to get different results with different searches, the worm uses a random string in the search as well.

After the search has been performed, the worm parses the resulting page and attempts to exploit a vulnerability in phpBB software. This vulnerability, known as the Highlight Vulnerability, can be used to execute arbitrary code on a server running a vulnerable version of phpBB. Further information about the vulnerability is available from the phpBB web site at:

http://www.phpbb.com/phpBB/viewtopic.php?t=240513

If the worm is able to exploit the vulnerability, it will attempt to transfer itself to the victim host in 20-byte chunks. If any of the chunks is lost during the transfer, the worm will be corrupted, which can render it dysfunctional on the victim.

The worm is written to a file "m1ho2of" on the victim. After the transfer is complete, the worm will use the exploit once again to execute the code using the system default Perl interpreter.

Santy also contains a generation counter that is increased every time the worm is executed, i.e. once per infected host. If the number of generations is higher than three (3), it will execute its payload. The payload attempts to replace all files with the following extensions: ".htm", ".php", ".asp", ".shtm", ".jsp" and ".phtm". The result is that these files are replaced with an HTML page that contains the following text:

This site is defaced!!!
NeverEverNoSanity WebWorm generation X

...where X keeps growing from one infection to another.

If the forum is infected, the page will look like this:
http://www.f-secure.com/virus-info/v-pics/santy.jpg

I am trying to keep my forum safe from it, please keep yours (Especially these forums, I can't go without them again!)

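A defender-side check derived from the F-Secure description quoted above (added example, not part of the thread or of F-Secure's material): it walks a web root, flags files with the listed extensions that carry the defacement marker, pulls the generation number out of them, and looks for the dropper file name "m1ho2of". The sample tree it builds is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions the description says the payload overwrites, and the text it writes.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
DEFACE_MARKER = "This site is defaced!!!"
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")
DROPPER_NAME = "m1ho2of"  # file the worm is written to on a victim host


def find_defaced(webroot):
    """Return sorted [(path, generation)] for target-extension files carrying the marker."""
    hits = []
    for path in Path(webroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if DEFACE_MARKER in text:
            match = GENERATION_RE.search(text)
            generation = int(match.group(1)) if match else None
            hits.append((str(path), generation))
    return sorted(hits)


def find_dropper(webroot):
    """Return paths of any file named like the worm's dropper."""
    return sorted(str(p) for p in Path(webroot).rglob(DROPPER_NAME) if p.is_file())


def scan(webroot):
    """Combine both checks into one report dict."""
    return {"defaced": find_defaced(webroot), "dropper": find_dropper(webroot)}


def build_sample_tree():
    """Constructed sample web root (not a real infection) so the scan can run offline."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        "<html>This site is defaced!!!\nNeverEverNoSanity WebWorm generation 5</html>")
    (root / "about.htm").write_text("<html>Welcome to the forum</html>")
    (root / "m1ho2of").write_text("#!/usr/bin/perl\n# placeholder body, constructed\n")
    return str(root)


if __name__ == "__main__":
    print(scan(build_sample_tree()))
```
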
Alcar 12-23-2004 01:00 AM

I read about this last night over on vBulletin. The good news is that it only affects phpBB installations, so we are perfectly safe. Although the scary thought is that the person who created this didn't actually do much damage, only the files were touched, not the database. Yet, he / she COULD have deleted the database if he / she wanted to.

Alcar...

Facsimile 12-23-2004 01:07 AM

Jeez... That's terrible. I mean they really could have came up with something better than "This site is defaced!!!"

Esus 12-23-2004 03:02 AM

Phew, I use InvisionBoards.

Fuzzle Guy 12-23-2004 03:05 AM

I use invisionboards too, but it's still a php, and your old Oddworld junkie might get caught: http://s2.invisionfree.com/owjunkie/

TheRaisin 12-23-2004 01:48 PM

What an incredibly complex thing a worm is. I almost feel some admiration for someone who could think something like this up. Then I remember that they're a worthless attention-seeking bastard and I hate them again.

sligster 12-23-2004 01:53 PM

are .tk forums affected?

The Shadowman 12-23-2004 02:05 PM

I don't believe so, neither is the Oddworld Spectator site and that's good news for me

Alcar 12-23-2004 04:34 PM

Only forums running phpBB. Oddworld Spectator runs on MSN Communities, and isn't .tk just a domain extension? Therefore, couldn't you put any forum system under that domain? You should check what system you are running.

Alcar...

a flock of seagulls 12-23-2004 05:01 PM

yeah, i already knew about this. it affected soldat.pl on the view mirrors page, but they fixed it... hope this forum doesn't get defaced...

Facsimile 12-24-2004 01:17 AM

And seriously, 'NeverEverNoSanity'? This guy sucks. If I ever made something like this I'd make people feel humbled to be graced by such awesome destroying power.

I'd probably do ghost things. Man, ghost viruses rule so much.

mawk 12-24-2004 02:15 AM

Oh yeah, I let the virus out accidentally with my amazing hacking skillz, so sorry my bad. :p

PHEW all this hacking is making me thirsty.

Abeguy 12-30-2004 12:29 PM

Yay, we don't phpbb or whatever it is

Alcar 12-30-2004 03:17 PM

Initially I thought it only affected phpBB, and it does, but it uses phpBB to get into the server. If your server is slack on security, and your files are modifiable by users on the same server (through Telnet / SSH for example, not FTP), then this virus can spread and destroy all of your PHP / ASP / HTML files as well.

We're lucky we're on a secure server, as I'm sure there are quite a few phpBB's running on here somewhere.

Alcar...

Abeguy 12-31-2004 02:03 PM

Quote:

Initially I thought it only affected phpBB, and it does, but it uses phpBB to get into the server. If your server is slack on security, and your files are modifiable by users on the same server (through Telnet / SSH for example, not FTP), then this virus can spread and destroy all of your PHP / ASP / HTML files as well.

oh crap :lick: