• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

phpBB Worm: Net-Worm.Perl.Santy.a

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Viruses // Worms

View previous topic :: View next topic  
Author Message
Just Arrived
Just Arrived

Joined: 08 Aug 2003
Posts: 2
Location: Pennsylvania


PostPosted: Tue Dec 21, 2004 6:39 pm    Post subject: phpBB Worm: Net-Worm.Perl.Santy.a Reply with quote


Perl.Santy is infecting phpBB boards that are older than 2.0.11, by using a vulnerability. It defaces the pages then infects the next target. There is no risk to visitors.

I assume that Security Forums Dot Com is already at 2.0.11?
Back to top
View user's profile Send private message Visit poster's website
Forum Fanatic
Forum Fanatic

Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia


PostPosted: Wed Dec 22, 2004 4:57 am    Post subject: Reply with quote

Aye we are indeed safe Smile It wouldn't find us anyway as we've removed version info.

From the original post on BugTraq:

This morning one of our client's sites was found to have been defaced
with the words "NeverEverNoSanity WebWorm Generation 9." The defacement
appeared to take place on all .html files in the web root trees of
multiple virtual hosts on the web server in a very short period of time.

After some investigation, we determined that the attacker had gained
access via phpbb in a series of crafted URL requests, like so: - - [20/Dec/2004:08:41:35 -0800] "GET
r(32)),exit%252e%2527 HTTP/1.0" 200 13648 "http://forum.CLIENT SITE
hr(115)%252echr(101)%252echr(32)),exit%252e%2527" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)"

After checking the phpbb site, it turns out that this is a vulnerability
posted the 18th of November, called Hilight; we didn't update to prevent
it because the client whose domain it was has their own admin, and we
thought he was taking care of phpBB. Oops. The exploit is described here:


When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable
of finding .html files to deface, and then going to google and finding
more instances of phpbb to infect. Which makes it a worm. It also
tracks itself by generation; we were generation 9.

Please find attached the above-mentioned script as well as the series of
log entries from access_log.

I've heard of a few people being infected, the lesson is patch!
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Viruses // Worms All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register