mortepa - heads up - cracker's next

ORCA Online Forum - Feel free to talk or ask about ALL kinds of old tackle here, with an emphasis on old reels!
Post Reply
User avatar
Ron Mc
Star Board Poster
Posts: 3401
Joined: Thu Apr 29, 2004 7:49 am
Location: downtown Bulverde, Texas
Contact:
Contact Ron Mc

mortepa - heads up - cracker's next

Post by Ron Mc »

New Worm Spreads Via Google



Santy.A infects servers that host online bulletin boards.



Paul Roberts, IDG News Service

Tuesday, December 21, 2004

Antivirus companies are warning Internet users about a fast-spreading new worm that infects Web servers running a popular package of online bulletin board software, and uses the Google search engine to find vulnerable servers to infect.

The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced! NeverEverNoSanity WebWorm."

A Google spokesman said in an e-mail the company was looking into reports about Santy.A.

The worm does not affect individual computer users, but infects Web servers that are hosting online bulletin boards.

Santy.A was first spotted early Tuesday morning, Eastern Standard Time in the United States, according to Mikko Hypponen, manager of antivirus research at F-Secure in Helsinki.

Santy's Claws

The worm takes advantage of a critical software vulnerability in the phpBB open source software, which is widely used to create and maintain online bulletin boards. While antivirus companies were still analyzing the worm, it appears that the worm may use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov, a spokesman for antivirus company Kaspersky Labs in Moscow.

PhpBB, as well as other common software packages are written using PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP, and PHTM with the text "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation," according to an alert from Kaspersky Labs.

The worm also launches a search on the Google search engine for URLs that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.

Block That Worm

The worm's reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, he said.

Hypponen was trying to contact Google Tuesday to get the company's help in blocking Santy.A requests, he said.

Antivirus experts do not believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy does not affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.

However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit, Hypponen said.

Both F-Secure and Kaspersky Labs posted updated antivirus definitions Tuesday that can spot the Santy.A worm and advised customers to update their antivirus software as soon as possible.
Top
reels4me

computer knowledge

Post by reels4me »

WOW, I wish I knew just half of what you just iterated, hope all web
sites get this warning !
Top
Post Reply

Return to “Reel Talk - General”