Linked by Corrado Cau on Tue 28th Dec 2004 19:18 UTC
Bugs & Viruses

Last week a new worm started spreading on the Internet. It's named Santy, and it attempts to deface websites using specific versions of the popular phpBB bulletin board software. Is this just a run-of-the-mill worm causing minor damage to a few thousand websites? Yes. But it's also got something we've never seen before.

http://www.webuser.co.uk/news/56950.html

Worm attack makes Google squirm
July 27, 2004
Web User

Creative?
by Fredrik on Tue 28th Dec 2004 19:30 UTC

Yet, the Santy worm sported a relatively new "feature": it was using the Google search engine in order to automatically find its next victims; as far as I know, this might well be the first time such a creative use of search engines has been adopted by a worm spotted in the wild.

Is using a search engine to.. search really a creative usage of a search engine :-)

Solution...
by netscreener on Tue 28th Dec 2004 19:55 UTC

The solution against Santy...

mod_security
http://www.hup.hu/modules.php?name=News&file=article&sid=7689

yeah
by timh - tjhawkins.com on Tue 28th Dec 2004 20:06 UTC

We battled the phpBB exploits for 8 hours.
cPanel did not release a new version of PHP for us in time to dodge the attacks. We defeated everything though.
Right now I would urge everyone to upgrade PHP before your machines are compromised.

RE: Solution...
by timh - tjhawkins.com on Tue 28th Dec 2004 20:10 UTC

mod_security can cause some huge headaches to server admins. It comes packaged with some server administration software that makes it easier to manage though.

I get plenty of customers that bug me about turning off safemode but I always direct them to get a virtual or dedicated server or to use a different service. So yeah, php safemode should be on.. you can turn it off in httpd.conf per site if you wish.

RE: Solution
by kotai on Tue 28th Dec 2004 20:36 UTC

mod_security is a great tool against malicious GET and POST requests. Works fine for me.

You only need a custom rule for Santy.

Check this:
http://www.modsecurity.org/blog/archives/000046.html

Re: Solution..
by Anonymous on Tue 28th Dec 2004 20:38 UTC

..don't use php. I mean, a bug in the *addslashes()* function which is there exactly to avoid security problems?
In the tenth stable version of a software?
Anyway, IIUC Santy.B uses AOL and MSN

My server was hit with this
by Joe Drago on Tue 28th Dec 2004 20:39 UTC

It's terrible, it overwrote all html and php files on my drive... very, very nasty. I'd gladly form a lynch mob with a few others and find this guy that wrote it. :-D

Safemode
by dpi on Tue 28th Dec 2004 20:42 UTC

No, you put safemode on or off, besides related configuration, in PHP's configuration file; e.g. /etc/php4/apache/php.ini -- I applaud your efforts regarding putting and keeping it on though. One could even put it off for specific directories IIRC, but I'm not sure on that.

As for this worm, it's not that revolutionary. OpenSSH, BIND, Apache, Sendmail have all been targeted in the past. The fact it's a Perl worm is quite unique afaik. The fact that it's something where customers who host their site and/or forum elsewhere are targeted, instead of a system-wide daemon, is quite interesting though. Interesting in the sense that it's interesting to see how people are gonna solve this.

RE: Solution
by kotai on Tue 28th Dec 2004 20:44 UTC

"..don't use php."

FYI: osnews.com uses PHP. Approximately 60% of web pages use PHP.

RE: My server was hit with this
by madprof on Tue 28th Dec 2004 20:48 UTC

RE: Solution
by kotai on Tue 28th Dec 2004 20:54 UTC

Your friends:

mod_security, noexec mount on /tmp, chmod 550 wget, rule for lwp trivial, and LWP::Simple HTTP_USER_AGENT, etc. and of course patch your phpBB installation:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Hmmmm....
by Truth on Tue 28th Dec 2004 21:46 UTC

....worms written using open source software...

What is the world coming to?

Use of perl notable....
by Matthew Grant on Tue 28th Dec 2004 21:55 UTC

Hackers so far have not used perl, but it is as capable as ANY program/exploit written in C. Perl can do bitwise manipulations, and can call any kernel function. Perl scripts can also be run off file systems with the noexec bit set.... Perl is installed on lots of Linux boxes, as it is required to do package management (Debian for example - perl-base package, can't remove?)

RE: Solution
by Juerd on Tue 28th Dec 2004 22:38 UTC

"Approximately 60% of web pages use PHP."

What is that based on?

Damn.
by harper on Tue 28th Dec 2004 22:55 UTC

I can respect the engineering behind the worm, but honestly I believe that all these little pukes who write worms, viri, etc. should be forced to pay outrageously huge fines, like say starting in the area of $50,000 per instance of the worm, and then they should spend some time in jail.

RE: harper (IP: ---.port.east.verizon.net)
by A stranger on Tue 28th Dec 2004 23:13 UTC

Welcome to evolution. Besides this is a social problem. Solve that and it will go away (at best background noise).

RE: My server was hit with this
by Nate on Tue 28th Dec 2004 23:23 UTC

BACKUP BACKUP BACKUP

It shouldn't matter much if your files were overwritten, you should have a backup of them readily accessible. If anything this worm taught some smaller operators to start backing up. In most cases the only downtime would be to rebuild the directory. I know we used to have hot spares of important servers for a situation like this, they were not on the network so a worm or virus couldn't get to them. If something hits and takes down the server, implement a quick patch, and get the hot spare up and running.

Best of luck on your repairs.

Santy source
by Luke McCarthy on Tue 28th Dec 2004 23:43 UTC

You can see the source here (and many other places):

http://vdb.dragonsoft.com/exploit/Santy.A.html

It's only about 200 lines long. I wish they would indent properly!

Heh
by Luke McCarthy on Tue 28th Dec 2004 23:44 UTC

Funnily enough, when I pasted it in to an editor and saved it so I could put in proper indentation, Kaspersky comes up with an alert!

RE: My server was hit with this
by Aaron on Tue 28th Dec 2004 23:50 UTC

Hi there

I agree with the backup server idea, where the users feel a slowdown while the main server is patched or being repaired (the second should not really happen often).

The problem is money; even though companies have a big enough budget, they often don't want to take the safe path, as the manager who signs it off can't see a quick return.

It's good to see that the VXers are doing something new to keep IT departments on their toes.

Worms - not just for Windows anymore :)
by Darius on Wed 29th Dec 2004 00:51 UTC

And they swore that worms like this couldn't spread on a Unix system - HA!! Like I always said, where there's a will, there's a way.

Re: Worms - not just for Windows anymore :)
by dpi on Wed 29th Dec 2004 01:04 UTC

"And they swore that worms like this couldn't spread on a Unix system"

Who swore that? And what made you believe so-called worms were ever Windows-only in the first place? The first worm ever was in 1989, for Sendmail (before NT). You know Sendmail?

What happened to all those 'eyes' on 'Open Source'
by The Facts on Wed 29th Dec 2004 02:26 UTC

RE: The Facts
by RaVen_ on Wed 29th Dec 2004 02:30 UTC

@dpi
by MoronPeeCeeUSR on Wed 29th Dec 2004 02:42 UTC

Who swore that? And what made you believe so-called worms were ever Windows-only in the first place? The first worm ever was in 1989, for Sendmail (before NT). You know Sendmail?

lol people are a trip. If the shit is only coming out on windows *nix people take a high and mighty attitude about how it "doesn't happen to them".

Then when it does happen they want bragging rights about it happening to them first!

This place is hilarious!

@RaVen
by MoronPeeCeeUSR on Wed 29th Dec 2004 02:45 UTC

RE: MoronPeeCeeUSR
by RaVen_ on Wed 29th Dec 2004 03:01 UTC

"Why don't you go review some code so this shit never happens again mmm k ?"

Actually...I do ;) ..however this will always happen. Code will have holes and all of them won't be caught. What makes the difference is how many holes there are and how quickly they can/and are patched. I have no love for PHP, but this was patched quite quickly.

"Got better things to do and honestly don't give a shit."

Then don't post crap like that "The Facts" thing.

(assuming that was you)

Re: MoronPeeCeeUSR
by dpi on Wed 29th Dec 2004 03:05 UTC

This place is hilarious!

Hilarious? Have I ever claimed there are no worms for *NIX, or are you applying what (misinformed) individuals claimed here, then seeing them as part of some group, then applying the image you have of those who spread misinformation to a single individual you also see as part of that very group? That would be hilarious.

As for PHPBB, IMO you could have seen it coming, and I wouldn't run this software nor advise anyone to run it, especially not with precautions. The bug was yet another one in software which has a history of security vulnerabilities due to programming errors; the bug was known for a while already, the bug was patched for a while already, while the software is widely in use. If you insist on using software which frequently has flaws you have to take precautions... some of which are outlined throughout this thread. Oh, and btw -- PHP or PHPBB != UNIX, and the bug and/or the precautions are in no way UNIX-specific. PHP and PHPBB are open source though.

A nice contribution to making this place a tad more hilarious. Thanks, post another one, but I'm not gonna take it seriously.

Don't use *nix
by galaga on Wed 29th Dec 2004 03:12 UTC

DON'T use **NIX
by The Truth on Wed 29th Dec 2004 03:27 UTC

Excuses, excuses and more excuses
by Anonymous on Wed 29th Dec 2004 03:52 UTC

A better solution
by jobe3x on Wed 29th Dec 2004 04:01 UTC

It is
by Father Baker on Wed 29th Dec 2004 04:17 UTC

RE: DON'T use **NIX
by Anonymous on Wed 29th Dec 2004 04:20 UTC

Wow
by Anonymous on Wed 29th Dec 2004 04:27 UTC

This is fun... not.

@ By Anonymous (IP: ---.bchsia.telus.net)
by The Facts on Wed 29th Dec 2004 04:36 UTC

Re: dpi
by Darius on Wed 29th Dec 2004 05:01 UTC

"And they swore that worms like this couldn't spread on a Unix system"

Who swore that?


I've seen it in various places - it can't happen in *nix because the browser isn't embedded into the OS, files don't have execute privileges by default, email programs can't launch attachments directly, yada ... yada ... yada ....

And you know people are saying things like that, because we've all heard it before - not like I'm making the shit up myself.

Re: When Worms Get Literate
by myrddn on Wed 29th Dec 2004 05:32 UTC

Found this over on NeoWin.com 5 minutes after reading about Santy.A here -

As we reported last week, Google had been used by the "Santy.A" worm to infect websites using vulnerable versions of phpBB. Google has since disallowed such search attempts by the worm, by simply not listing vulnerable sites in their search results.

Variants are now attempting to exploit search engines offered by Yahoo and AOL, targeting sites running versions of phpBB prior to version 2.0.11. Some variants of the worm damage sites using poorly coded php instances of include() and require(). AOL claims that they are no longer contributing to the spread of the worm, and Yahoo has declined all requests for comment.

Santy deletes content from affected php-based sites, and replaces it with information found within the worm itself. Luckily this worm is not communicable to computers that visit affected sites. Sites using older versions of phpBB should update immediately, and some sites utilizing php may have to be rewritten all together.

Site defacement was only part of the story
by Khoji on Wed 29th Dec 2004 09:45 UTC

Actually, defacement of sites and overwriting files was only part of the story. For a few days this worm was installed on so many sites and Googling so hard that it was effectively running a mini-DOS attack on many popular phpBB forums. Even on sites with updated, "safe" versions of phpBB it racked up traffic volume astronomically, because each attempt would load a full page twice (I was getting around 3000 visits a day on a site that normally has around 100). It was possible to counter this with some .htaccess rewrites but many small forum operators probably didn't know how to do this.

One interesting question is, what was the motive of the worm author(s)? AFAIK so far it's just doing damage, without pursuing any traditional profit motives, such as installing a spambot or trawling for valuable data. I suppose it's most likely that it was just another emotionally challenged teenager with nothing better to do. However, specifically attacking an open-source, free software project does seem out of character, even for a black hat. Perhaps it was someone with a personal peeve against the phpBB crew...
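The viewtopic.php traffic flood Khoji describes, and the LWP user-agent rule kotai mentions earlier in the thread, can be checked against an Apache access log; this is an added example, not code from the thread or from phpBB. The log lines are constructed, and the agent strings, the 20-hit threshold and the viewtopic.php path are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the fields we need are ip, path and ua.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default Perl LWP agent strings (kotai's "lwp trivial" / LWP::Simple note).
# Assumption: the worm did not spoof a browser agent.
LWP_UA_RE = re.compile(r'^(lwp-trivial|libwww-perl)\b', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_clients(lines, viewtopic_threshold=20):
    """Flag client IPs on two independent signals: a Perl LWP user agent on any
    request, or a flood of viewtopic.php loads (the traffic volume Khoji saw)."""
    hits = defaultdict(int)   # ip -> number of viewtopic.php requests
    lwp_ips = set()           # ips that sent an LWP user agent at least once
    for line in lines:
        rec = parse_line(line)
        if rec is None:       # unparseable lines are skipped, not counted
            continue
        if LWP_UA_RE.match(rec['ua']):
            lwp_ips.add(rec['ip'])
        if '/viewtopic.php' in rec['path']:
            hits[rec['ip']] += 1

    flagged = {}
    for ip in set(hits) | lwp_ips:
        reasons = []
        if ip in lwp_ips:
            reasons.append('lwp-user-agent')
        if hits[ip] >= viewtopic_threshold:
            reasons.append('viewtopic-flood')
        if reasons:
            flagged[ip] = {'viewtopic_hits': hits[ip], 'reasons': reasons}
    return flagged


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real clients)."""
    fmt = ('{ip} - - [28/Dec/2004:19:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.0" '
           '200 8123 "-" "{ua}"')
    browser = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'
    lines = []
    # Three worm-style probes from one host using a default Perl LWP agent.
    for s in range(3):
        lines.append(fmt.format(ip='203.0.113.7', m=1, s=s,
                                path='/phpBB/viewtopic.php?t=12', ua='lwp-trivial/1.41'))
    # 25 rapid topic loads from another host hiding behind a browser agent.
    for s in range(25):
        lines.append(fmt.format(ip='203.0.113.9', m=2, s=s,
                                path='/phpBB/viewtopic.php?t=%d' % s, ua=browser))
    # A regular reader: two pages, one of them a topic view.
    lines.append(fmt.format(ip='198.51.100.4', m=3, s=0, path='/phpBB/index.php', ua=browser))
    lines.append(fmt.format(ip='198.51.100.4', m=3, s=9,
                            path='/phpBB/viewtopic.php?t=5', ua=browser))
    lines.append('not a log line at all')
    return lines


# The user-agent half of this decision as .htaccess mod_rewrite directives
# (standard Apache syntax; the path pattern is an assumption about your layout):
#   RewriteEngine On
#   RewriteCond %{HTTP_USER_AGENT} ^(lwp-trivial|libwww-perl) [NC]
#   RewriteRule viewtopic\.php - [F]
```

Lower the threshold only with care: as the test below shows, a small value also flags ordinary readers who open a single topic.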

First, I'd recommend you guys update your PHP to the latest and safest version; same goes for your phpBB boards and Apache versions. Anything that is out of date risks being exploited either by human hackers or automated worms/scripts such as Santy.

That said, losing your 'data', be it php or html files, is surely not nice, so backup!!

Here's a very simple way of backing up Apache once a week into a nice tar.gz file which could come in handy one day ;)

http://www.linux-noob.com/forums/index.php?showtopic=1181

cheers

anyweb

Duh
by bikerboy on Wed 29th Dec 2004 11:58 UTC

Well a lot of "hackers" use Google for website vuln. scans to pick up websites that're running the proper versions of what they need for the hack to work. Besides that fact though it is kinda cool to see software using Google. Now wouldn't it be a lot nicer if they used their power for good rather than evil?

Just a simple thought though.

article
by Evert on Wed 29th Dec 2004 12:26 UTC

Thanks for this informative article. I wonder when the next worm will appear. For sure it will make use of random queries to avoid being blocked by Google.

RE: dpi (IP: ---.ipv4.freeshell.bofx.net)
by Russian Guy on Wed 29th Dec 2004 13:48 UTC

" The bug was yet another one in software which has a history of security vulnerabilities due to programming errors... If you insist on using software which frequently has flaws you have to take precautions... PHP and PHPBB are open source though."

What a spectacular way to prove that Open Source does not guarantee better software.
One of the pillars of Open Source ideology falls and anyone could see how it falls by Googling for NeverEverNoSanity

"the bug was known for a while already, the bug was patched for a while already, while the software is widely in use"

If it were not about an exposed Open Source bug, that statement of yours would look like it was taken word for word from a Windows advocate explaining why the W32.Blaster worm should not be used to blame Microsoft.

After all, the bug exploited by Blaster was known, the bug was patched, the workaround was available since day one of Win XP (enable firewall), users were warned by CNN and Office of Homeland Security, while the software (Windows) is widely in use.

Too bad, I can't recall you or any other anti-Microsoft activist giving Microsoft at least the credit you give to PHP and phpBB.

That's the example of double standard. Prove me wrong.

@ anyone who claims *NIX has no worms
by Anonymous on Wed 29th Dec 2004 14:02 UTC

I haven't heard ANYONE claim that *NIX has no worms and Windows is wide open to them. I have only heard the broad term 'virus' vulnerabilities. So, MoronPeeCeeUser, In my book, you haven't a leg to stand on in this. Now, if you wish to know the difference between a virus and a worm, here you go:

Worms exploit vulnerabilities in running programs (usually, but maybe not required to be, Internet-connected daemons) to transfer their payload to another system.

Viruses (Virii? Virus? what's the plural?) use primarily social engineering and the poor design of entire software systems (Windows as a whole, perhaps KDE, GNOME, MSOffice, whatever) to dump their payload and spread.

Examples of each:

Worm (finger example from way back when): Program queries the 'finger' daemon running on a remote machine, giving it just a little too much data (the payload), and exploiting a vulnerability, dumping the payload into the running process image. This causes the finger daemon to crash, and execute the payload.

Virus (Pick one, any one, how about the IloveYou): I don't exactly recall if this spread automatically, or only if you clicked on the message. But, it had the message "I Love You", from a known contact (from another's address book). When this dropped its payload, it used Outlook (express?) to scan the victim's address book, and email itself to everyone listed.


Now, do you understand the difference yet? This was a WORM, therefore, ANYTHING CONNECTED TO THE INTERNET is vulnerable, not just th4t w1nd0z3, lun1>< is vulnerable too (god I hate typing that, but did to make a point that you're shitting about nothing).

worm or virus
by Evert on Wed 29th Dec 2004 15:04 UTC

Nobody cares about it being a worm or virus if it compromises your system / website. It was a vulnerability similar to Windows Blaster, and the OSS folks should care about it. I guess Gentoo machines that are auto-updated were not affected, but I'm not sure if phpBB is a package.

Viruses
by Don Cox on Wed 29th Dec 2004 15:08 UTC

"Viruses (Virii? Virus? what's the plural?)"

Viruses

Re: Worm or virus (@Evert)
by Anonymous on Wed 29th Dec 2004 15:19 UTC

I never said they shouldn't care, just that MoronPeeCeeUser and friends shouldn't get their panties in a bunch over it. If you run the software, be alert of it, watch bugtraq, take steps to secure it, that's all there is to it. Don't bitch and moan about how one group appears hypocritical, or how the lightbulb just went on in your head saying that nothing is perfect (not directed to you specifically, just generally to anyone who reads this). Sure there are zealots who say 'yes, windows sucks, unix forever, blah blah blah' but they're idiots, and shouldn't be taken seriously. (My opinion: Windows has some fundamental design flaws, but people use it, so it exists. I just avoid it wherever I can, as I feel *NIX systems are designed better, at least the ones I use are).

But, back to my original rant of this: It is next to impossible, if not impossible, to build a completely bullet-proof system, so admins just need to be careful no matter what OS they run and packages they install. Simple as that. (rant over, commence flaming or ignoring).

@RaVen
by MoronPeeCeeUSR on Wed 29th Dec 2004 16:03 UTC

Actually...I do ;) ..however this will always happen. Code will have holes and all of them won't be caught. What makes the difference is how many holes there are and how quickly they can/and are patched. I have no love for PHP, but this was patched quite quickly.

Honestly I don't mind PHP. I rather like it. I agree bugs will always be there and there will always be holes. Quick turnaround on patches is important.

I feel that exploits and viruses are a problem that as a whole the industry is still learning to deal with. To try and determine how someone might exploit code and make it perform in ways it was never designed to perform is not an easy task for any group of people.

Then don't post crap like that "The Facts" thing.

(assuming that was you)


Wasn't me. I don't post anon on this forum.

Re: Russian Guy - Double Standard
by d advocate on Wed 29th Dec 2004 16:25 UTC

Excusing flawed software for one vendor while apologizing for another is a double standard. But Microsoft does not exclusively represent proprietary software, nor should you overly represent open/free(dom) software with PHP.

Open source does not 'guarantee' better security. But having the source code does allow for peer review and the ability for more people to contribute 'fixes.' This would certainly be an 'advantage' of open source over proprietary software.

For fun, imagine that Microsoft and Zend Technologies were not responsive to fixing their software. How would proprietary and free/open source software compare? Hint: there would be a patch for PHP.

RE: d advocate (IP: ---.psfarms.com)
by Russian Guy on Wed 29th Dec 2004 22:38 UTC

>Open source does not 'guarantee' better security.

Mr. Stallman will disagree. So will many, many other open source advocates.
I agree with you.:)

>peer review... would certainly be an 'advantage' of open source over proprietary software.

It would, except hackers usually work this way:

1. Bug found by independent reviewer or software developer.
2. Bug fixed.
3. Patch released.
4. Hackers review the patch.
5. Hackers write exploit and release it to the wild.
6... Infection.
7... Infection.
8... Infection.
9... Finally, end users reluctantly patch their software.

Open Source may be better in getting from 1 to 3, but lazy hackers wait at 4: why bother reading tens of millions of source code lines (if available) when the patch will reveal all they need in a few hundred lines? Then, 5 to 9 is no different between proprietary and open source software.

>Hint: there would be a patch for PHP.

Hint: it was! Not very many people bothered to download it. It has nothing to do with openness of software and this is the point: no open source software in the world forces people to change their habits.

Open source may be good in sharing intellectual property with the less fortunate, but it is not a silver bullet for security, no matter how many times Stallman and his followers want us to believe the opposite.

I am glad we both agree on this: open source does not 'guarantee' better security.

Open source needs more people like you.

Re: Russian guy
by The Facts on Wed 29th Dec 2004 23:42 UTC

Re: Russian guy
by Nog on Thu 30th Dec 2004 00:43 UTC

Maybe you guys ought to stipulate WHICH open source you're talking about. Is Windows as secure as OpenBSD? Why not?

RE: By Nog (IP: ---.dialup.mindspring.com)
by Anonymous on Thu 30th Dec 2004 01:48 UTC

"Maybe you guys ought to stipulate WHICH open source you're talking about. Is Windows as secure as OpenBSD? Why not?"

Can you explain to me why it is?

OpenBSD can be hacked up quite easily, give someone time and nothing to do. You would be amazed what they can do.

RE: Safemode
by timh - tjhawkins.com on Thu 30th Dec 2004 03:57 UTC

..what are you talking about???

I just said that I have safemode on server wide, but you can also turn it off in the httpd.conf file. you can use the httpd config file to turn it off or on for specific sites.

"No, you put safemode on or off, besides related configuration, in PHP's configuration file; " Makes no sense to me in a reply to my safemode comments.

Safemode is a very good thing to have on.

RE: Worms - not just for Windows anymore :)
by Richard James on Thu 30th Dec 2004 07:36 UTC

I think you're confusing desktops with servers, Darius. Linux/UNIX servers have seen worms for years but there are still no desktop attacks. These are not mom/pop systems but systems run by Administrators who are meant to have a clue.

@ Russian Guy
by dpi on Thu 30th Dec 2004 13:42 UTC

>Open source does not 'guarantee' better security.

Mr. Stallman will disagree


Quote him. I don't think he ever said that and he doesn't say that much. When he does, it's mostly the same, and afaik he never ranted on security issues or so.

As for PHPBB, you can't use that to make an overall claim about open source given it's merely one of the very many. You can't say "all women are murderers" simply because one evil Soviet female pressed the nuke button. You don't say "Oh, my, Coldfusion is so insecure. It's because it's proprietary! Oh my, all proprietary software is insecure!" -- when you say that you haven't connected the dots, because you haven't proven that because of B hence A. And C is even more global than B. It's hard to compare it to Outlook as well since they're used in a different field and since the damage done also varies. IOW, bullshit discussion, bullshit arguments.

Those who use similar arguments in other examples (e.g. Microsoft software) are equally using fallacies to make some kind of moot point.