Virus that hacks phpbb forum (Not Suggestion)

  • djtheropy
  • Graduate
  • Graduate
  • djtheropy
  • Posts: 111

Post 3+ Months Ago

Wasnt sure where to post this so i posted her as i knew it would be noticed.

New worm, Santy.A, using Google to spread
It infects Web servers running a software package called phpBB

News Story by Paul Roberts

DECEMBER 21, 2004 (IDG NEWS SERVICE) - Antivirus companies are warning Internet users about a new, fast-spreading worm that infects Web servers running a popular package of online bulletin board software and uses the Google search engine to find vulnerable servers to infect.
The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."

A Google Inc. spokesman said in an e-mail that the company is looking into reports about Santy.A.

The worm doesn't affect individual computer users but infects Web servers that are hosting online bulletin boards.

Santy.A was first spotted early this morning in the U.S., according to Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Helsinki, Finland.

The worm takes advantage of a critical software vulnerability in the phpBB open-source software, which is widely used to create and maintain online bulletin boards. Although antivirus companies are still analyzing the worm, it appears to use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov, a spokesman for antivirus company Kaspersky Labs Ltd. in Moscow. PhpBB and other common software packages are written using PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation," according to an alert from Kaspersky Labs.

The worm also launches a search on the Google search engine for URLs that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.

The worm's reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, he said.

Hypponen said he was trying to contact Google to get the company's help in blocking Santy.A requests.

Antivirus experts don't believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy doesn't affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.

However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit, Hypponen said.

Both F-Secure and Kaspersky Labs posted updated antivirus definitions that can spot the Santy.A worm and advised customers to update their antivirus software as soon as possible.

For more info on this go 2 phpbb.com and search the community forums.
  • Axe
  • Genius
  • Genius
  • User avatar
  • Posts: 5739
  • Loc: Sub-level 28

Post 3+ Months Ago

And another one announced a few days ago...

This time a bug in php itself. I'm not sure which version you're using here BigWeb, but upgrade to 4.3.10 :)

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046

Apparently all versions up to, and including, 4.3.9 are exploitable, and phpBB (along with a bunch of other popular scripts) is the perfect platform to do it apparently (I've not discovered any specifics, although I didn't really look too much into it)
  • meman
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap

Post 3+ Months Ago

I got the source for santy.A , and my AVG gave an alert telling me it was a virus which i thought was strange concidering it only infects forums and not operating systems.
Google have stopped searches carried out by santy.A now so it shouldnt be causing many more problems.

From what i heard there isnt yet a stable version of phpbb that works with php5, so people are Kinda screwed at the moment.

Phpbb will have to pull thier finger out with the next full upgrade of thier forum.

Im sure BigWeb has all the patchs and upgrades, with the traffic ozzu gets it must be quite a target for people wanting to do these things.
  • Maedhros
  • Proficient
  • Proficient
  • User avatar
  • Posts: 325
  • Loc: Durham, England

Post 3+ Months Ago

meman wrote:
From what i heard there isnt yet a stable version of phpbb that works with php5, so people are Kinda screwed at the moment.

True, but it doesn't really matter as the problems are fixed in 4.3.10 as well as the latest php 5...
  • ScienceOfSpock
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1893
  • Loc: Las Vegas

Post 3+ Months Ago

As Maedhros mentioned, the problem was with php, not with phpBB (although phpBB is the target of the virus)
  • meman
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap

Post 3+ Months Ago

The first santy worm used the highlight exploit only found in phpbb 2.0.10 and below, but the later variants relesaed exploit the include function in any php.

Post Information

  • Total Posts in this topic: 6 posts
  • Users browsing this forum: No registered users and 2 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.