NeverEverNoSanity worm

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
FFIndonesia
Registered User
Posts: 164
Joined: Sun Apr 13, 2003 10:49 am
Location: Indonesia

Post by FFIndonesia » Wed Dec 22, 2004 11:14 am

Oh ya, guys. Don't you see the generation number of that sick worm always increases.... Tougher, or what? :? :(
Yogya-Earthquake 2006
Almost 4000 people die
Thousands of buildings crashed

Redondo
Registered User
Posts: 210
Joined: Sun Dec 08, 2002 2:26 pm
Location: Sweden

Post by Redondo » Wed Dec 22, 2004 12:24 pm

Correct me if I'm wrong, but all I have to do to recover from this is to replace/overwrite the phpbb-folder with my backup. Is that correct ?
Looking for: FI subice Xmas-pack
www.windsurf.se

cdllt
Registered User
Posts: 42
Joined: Wed Dec 22, 2004 3:01 am

Post by cdllt » Wed Dec 22, 2004 12:26 pm

I found this one but I'm not sure it is okay to use for now; hope the phpBB support team can comment on it

http://www.phpbbstyles.com/viewtopic.php?t=1904

Drexion
Former Team Member
Posts: 8892
Joined: Sat Jan 25, 2003 9:54 pm
Location: City 17

Post by Drexion » Wed Dec 22, 2004 12:36 pm

cdllt wrote: I found this one but I'm not sure it is okay to use for now; hope the phpBB support team can comment on it

http://www.phpbbstyles.com/viewtopic.php?t=1904

That MOD will prevent malicious users/scripts from taking advantage of the PHP bug via phpBB, but via phpBB alone. So if you have another php script which uses any of those functions (and most do), you will still be vulnerable (unless your host upgrades PHP), as that specific issue lies with PHP and not phpBB. If your host has upgraded PHP then there is no need for that modification.

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed Dec 22, 2004 2:25 pm

The PHP vulnerabilities, if I'm not mistaken, only came to light a few days ago.


Officially, yes - but I have log entries from November 21 that show someone was already testing aspects of this worm against PHPBB, using the highlight= code. Most vulnerabilities like this get reported to the authors days or weeks before they're publicly announced, so that fixes can be put in place.

But there is a completely separate distribution network for vulnerabilities in the "bad guys" end of the net world...

espicom
Registered User
Posts: 17905
Joined: Wed Dec 22, 2004 1:14 am
Location: Woodstock, IL

Post by espicom » Wed Dec 22, 2004 2:56 pm

... if you have another php script which uses any of those functions (and most do), you will still be vulnerable ...


It isn't a question about whether or not the functions are used, but how they are used. serialize() and unserialize() shouldn't BE a problem, except that PHPBB uses them against data that has left the server's control. Proper session management would have that information stored on the server, so that the session cookie only refers to it.

Even with trying to maintain compatibility with PHP versions too old to have session management built in, you don't have to expose yourself to this vulnerability. I've got code here that I modified from the book MySQL Cookbook that can put all the session management into a table, and it wouldn't take that much extra to add PHP3-compatible session control to the mix. unserialize() shouldn't have to choke on user input...
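
An added example, not phpBB's code and not the MySQL Cookbook code espicom refers to, of the design he describes: all session state lives in a server-side table and the cookie carries only an opaque session id, so unserialize() only ever runs on data the server wrote itself. It assumes PHP 8 with PDO, placeholder database credentials, and a `sessions` table with the schema given in the comment.

```php
<?php
// Added example (not phpBB code): session state is kept in a server-side table and
// the cookie holds only an opaque id. Assumed table (constructed for this example):
//   CREATE TABLE sessions (session_id CHAR(64) PRIMARY KEY, session_data BLOB,
//                          last_active INT UNSIGNED);
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 3600) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // The id from the client is only a lookup key; it is never decoded or unserialized.
        $stmt = $this->db->prepare(
            'SELECT session_data FROM sessions WHERE session_id = ? AND last_active > ?');
        $stmt->execute([$id, time() - $this->ttl]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['session_data'] : '';
    }

    public function write(string $id, string $data): bool
    {
        // $data is PHP's own serialized $_SESSION, produced on the server.
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (session_id, session_data, last_active) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_active < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=forum', 'forum_user', 'secret'); // placeholder credentials
session_set_save_handler(new DbSessionHandler($db), true);
// Cookie carries the opaque id only: not readable by scripts, not sent cross-site, HTTPS only.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1; // state lives in the table, never in the cookie
```
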

jethrek
Registered User
Posts: 17
Joined: Tue Dec 21, 2004 8:24 am

Post by jethrek » Wed Dec 22, 2004 4:02 pm

Redondo wrote: Correct me if I'm wrong, but all I have to do to recover from this is to replace/overwrite the phpbb-folder with my backup. Is that correct ?


See this thread:
http://www.phpbb.com/phpBB/viewtopic.php?t=249047

SailorDonut
Registered User
Posts: 12
Joined: Wed Dec 22, 2004 4:18 am

Re: I

Post by SailorDonut » Wed Dec 22, 2004 11:51 pm

cubechris wrote: I'm trying to upgrade fresh, but I keep getting this error

Code:
    phpBB : Critical Error
    Could not connect to the database


That's what happened to me. Try creating a new user and entering that user's name and password in config.php, and make sure that user has all the proper permissions. For more specific answers, scroll up and read blujay's post in this page and the previous page, they were really helpful.

Hope that's all it is. :)

sneakyimp
Registered User
Posts: 162
Joined: Sat Nov 06, 2004 4:50 am

Post by sneakyimp » Thu Dec 23, 2004 3:44 am

For anyone who's interested, I have written a script which attempts to detect backdoor files left by Santy and also detect any admin-level users too.

http://www.phpbb.com/phpBB/viewtopic.php?p=1363529

Let me know what you think... how it could be improved, etc.
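
An added example, not sneakyimp's script and not phpBB code, of the two checks his post describes: list every admin-level account on a phpBB2 board and flag PHP files changed since the incident or containing eval() of decoded data. Database credentials, table prefix, install path and cut-off date are placeholders to adjust for the board being examined.

```php
<?php
// Added example (not sneakyimp's script, not phpBB code): two post-incident checks for
// a phpBB2 board. Credentials, prefix, web root and cut-off date are assumed placeholders.
$db      = new PDO('mysql:host=localhost;dbname=forum', 'forum_user', 'secret');
$prefix  = 'phpbb_';                 // phpBB2 default table prefix
$webroot = '/var/www/html/phpBB2';   // assumed install directory
$since   = strtotime('2004-12-20');  // assumed: earliest date the board may have been hit

// Check 1: every administrator account. phpBB2 marks admins with user_level = 1;
// any account you did not create yourself needs explaining.
$stmt = $db->query("SELECT user_id, username, user_regdate FROM {$prefix}users WHERE user_level = 1");
echo "Admin-level accounts:\n";
foreach ($stmt as $row) {
    printf("  #%d %s (registered %s)\n", $row['user_id'], $row['username'],
           date('Y-m-d', $row['user_regdate']));
}

// Check 2: PHP files created or modified since the cut-off, plus files that embed the
// obfuscation pattern typical of dropped backdoors (eval of decoded data).
$iter = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($webroot));
echo "Suspicious files:\n";
foreach ($iter as $file) {
    if (!$file->isFile() || !preg_match('/\.(php|phtml|inc)$/i', $file->getFilename())) {
        continue;
    }
    $reasons = [];
    if ($file->getMTime() >= $since) {
        $reasons[] = 'modified ' . date('Y-m-d H:i', $file->getMTime());
    }
    $head = file_get_contents($file->getPathname(), false, null, 0, 65536);
    if ($head !== false && preg_match('/eval\s*\(\s*(base64_decode|gzinflate|str_rot13)/i', $head)) {
        $reasons[] = 'eval() of decoded data';
    }
    if ($reasons) {
        printf("  %s: %s\n", $file->getPathname(), implode(', ', $reasons));
    }
}
// Compare the flagged files against a clean copy of the same phpBB release (e.g. diff -r)
// before deleting anything; the board's own config.php will legitimately differ.
```
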

Skyraider
Registered User
Posts: 89
Joined: Mon May 19, 2003 9:05 pm

Post by Skyraider » Fri Dec 24, 2004 2:31 pm

Hope this helps, if it hasn't already been posted:

Symantec's response to Perl.Santy

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Sat Dec 25, 2004 9:59 pm

People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2

CICarScene
Registered User
Posts: 176
Joined: Thu Apr 24, 2003 8:12 am

Post by CICarScene » Sun Dec 26, 2004 10:24 am

blujay wrote: People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2


Interesting that it now installs a bot, any more information on this?

dupa
Registered User
Posts: 1
Joined: Sun Dec 05, 2004 4:34 pm

Post by dupa » Wed Dec 29, 2004 12:49 pm

CICarScene wrote:
blujay wrote:People are claiming on Bugtraq that a new variant of the worm is successfully exploiting phpBB 2.0.11.

http://marc.theaimsgroup.com/?l=bugtraq ... 310128&w=2


Interesting that it now installs a bot, any more information on this?


Is there any solution to that problem available?

Canislupus
Registered User
Posts: 104
Joined: Tue Nov 23, 2004 12:42 pm

Post by Canislupus » Wed Dec 29, 2004 1:21 pm

The latest 2 variants of santy have been mislabelled. They do not exploit anything within phpBB but go for the publicised exploits inherent in php itself. They are only related to santy in the message they leave etc. They should be relabelled as a different virus as they use a different attack to gain access.

Update to the latest version of php and remove the issue.

blujay
Registered User
Posts: 11
Joined: Wed Dec 22, 2004 3:24 am

Post by blujay » Wed Dec 29, 2004 4:23 pm

If I understand the latest two "Santy" variants, they do not exploit a native PHP vulnerability, but vulnerabilities in PHP scripts created by script authors; namely, unchecked variables passed in URLs that are used to access files. The worm replaces that variable with a URL to another file, and the file gets downloaded and used instead.

Being vulnerable to that is the responsibility of the script author, and can be avoided by good coding practices.
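
An added example, not from the thread and not phpBB code, of the coding practice blujay is describing: a URL parameter that selects a file is treated only as a key into a fixed allowlist, never as a path or URL, so it cannot be pointed at a remote file or anywhere outside the intended directory. The page names, the `pages/` directory and the `page` parameter are assumptions.

```php
<?php
// Added example (not from the thread or phpBB): resolve a URL parameter to a local file
// through an allowlist. Page names, directory and the parameter name are constructed.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'faq'     => 'faq.php',
    'contact' => 'contact.php',
];

function resolve_page(mixed $requested): ?string
{
    // 1. The parameter is only a key into the map, never a path fragment or URL.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // 2. Even the mapped file must resolve to a real local file under PAGE_DIR.
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($path === false || strpos($path, realpath(PAGE_DIR) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Defence in depth in php.ini, in case another script on the host still includes
// unchecked input: allow_url_include=Off (and allow_url_fopen=Off if nothing needs it).
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    error_log('rejected page parameter: ' . json_encode($_GET['page'] ?? null)); // keep a trail
    exit('Unknown page');
}
include $page;
```
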
