phpBB virus... look at this..


chrisroo
22 Dec 2004, 04:06
Saw this earlier today

http://searchsecurity.techtarget.co...1036174,00.html

Defaced forums:
http://www.google.com/search?source...verEverNoSanity


Crazy, that's why I use VBB :)

gigg
22 Dec 2004, 04:20
Will vbb be attacked by the webworm also?

chrisroo
22 Dec 2004, 04:39
I doubt it.

Brent H
22 Dec 2004, 05:56
It's a phpbb only worm, I read about this on vbulletin.com earlier in the day.

Dean C
22 Dec 2004, 08:30
No it will not affect vBulletin users :)

kall
22 Dec 2004, 09:09
Saw this earlier today

http://searchsecurity.techtarget.co...1036174,00.html

Defaced forums:
http://www.google.com/search?source...verEverNoSanity


Crazy, that's why I use VBB :)
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLs in Firefox.

HiDeo
22 Dec 2004, 10:30
Some vBulletin forums are defaced :(

SVTBlackLight01
22 Dec 2004, 10:44
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLs in Firefox.

They don't work in IE6 either.

patriotcow
22 Dec 2004, 12:50
http://www.google.co.uk/search?ie=UTF-8&oe=UTF-8&q=NeverEverNoSanity+WebWorm+generation

Andrew
22 Dec 2004, 16:12
http://www.google.co.uk/search?ie=UTF-8&oe=UTF-8&q=NeverEverNoSanity+WebWorm+generation
Wow - I guess it made it to like generation 24 before it stopped spreading. Which means if each instance infected 12 others there were like 8916100448256 sites that got defaced. Somehow it used the Google search engine to find phpBB sites that it could exploit - I'm glad my other site was using 2.0.11 which was safe from the exploit.

tubedogg
22 Dec 2004, 17:02
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLs in Firefox.
Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.

ericgtr
22 Dec 2004, 17:23
Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt

Andrew
22 Dec 2004, 17:54
Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt
No - This was caused by a security loophole found specifically in the phpBB software. The error you're referring to was a broader PHP error that affected almost all the PHP based bulletin boards.

ericgtr
22 Dec 2004, 20:36
Ouch.. this is what it does once it gets on your server, from news.com (http://news.com.com/Net%2Bworm%2Busing%2BGoogle%2Bto%2Bspread/2100%2D7349_3%2D5499725.html)

"After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."

Makes me wonder if it is able to get past the webroot, wiping out all backups as well.
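
The marker text quoted in the post above is a fixed string that a site owner can sweep a web root for. The following Python script is an added example, not part of the thread or of any vendor tool: it flags files containing the marker and reports the generation number. The extension list is an assumed mapping of the file types named in the quote, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Marker text from the quoted news.com excerpt; the digits are the "X" generation.
MARKER = re.compile(rb"NeverEverNoSanity WebWorm generation (\d+)")
# Assumed extensions for the file types the quote says are overwritten.
TARGET_EXTS = {".html", ".htm", ".php", ".asp", ".jsp", ".shtml"}
READ_LIMIT = 64 * 1024  # replaced pages are tiny; cap reads on large files


def scan_webroot(root):
    """Return {relative_path: generation} for files carrying the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(READ_LIMIT)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if (m := MARKER.search(head)):
                hits[os.path.relpath(path, root)] = int(m.group(1))
    return hits


def build_sample_tree(root):
    """Constructed sample: two defaced pages, one clean page, one non-target file."""
    defaced = b"This site is defaced!!! NeverEverNoSanity WebWorm generation %d"
    os.makedirs(os.path.join(root, "forum"))
    samples = {
        "index.html": defaced % 7,
        os.path.join("forum", "viewtopic.php"): defaced % 8,
        "about.html": b"<html><body>clean page</body></html>",
        "notes.txt": defaced % 9,  # extension not in TARGET_EXTS, so ignored
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, gen in sorted(scan_webroot(tmp).items()):
            print(f"{rel}: generation {gen}")
```

Pointing `scan_webroot` at a backup directory as well as the live web root shows whether the backup was taken before or after the files were overwritten.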

Andrew
22 Dec 2004, 20:53
I don't think it managed to get past the webroot - A lot of the sites I've seen have been repaired either from main server backups or personal backups of their files.

moethelawn
22 Dec 2004, 21:26
Yeah, I got an email yesterday from the company I bought my server from and they talked about that worm. Good thing I don't use phpBB :)

trackpads
22 Dec 2004, 22:12
phpbb is the best free forum software there is. The fact that this virus spread so fast is a testament to the massive use of it on the internet. In that news.com post it said that there are over 6,000,000 phpbb's out there. It has its flaws of course and the fact that its code is freely available makes it a good candidate for something like this.

Of course once you move up in needs you have to go to VB :)

trackpads
22 Dec 2004, 22:13
I don't think it managed to get past the webroot - A lot of the sites I've seen have been repaired either from main server backups or personal backups of their files.
SQL injection I think.

kall
22 Dec 2004, 23:45
Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.
Ahh. Good lateral thinking there. :)

Erwin
23 Dec 2004, 01:39
It's quite amazing really.

The search on Google for "NeverEverNoSanity WebWorm generation" shows this at the moment:

Results 1 - 10 of about 1,480 for NeverEverNoSanity WebWorm generation. (0.10 seconds)

Erwin
23 Dec 2004, 01:42
Doing a search for this - "NeverEverNoSanity WebWorm generation 24"
http://www.google.com/search?hl=en&q=%22NeverEverNoSanity+WebWorm+generation+24%22&meta=

gives 2 sites that have been infected by Generation 24.

However, no sites come up for "NeverEverNoSanity WebWorm generation 25"

AWS
23 Dec 2004, 02:41
Doing a search for this - "NeverEverNoSanity WebWorm generation 24"
http://www.google.com/search?hl=en&q=%22NeverEverNoSanity+WebWorm+generation+24%22&meta=

gives 2 sites that have been infected by Generation 24.

However, no sites come up for "NeverEverNoSanity WebWorm generation 25"
That's because Google blocked it. If they didn't we'd probably see many more generations.

I run a phpbb forum on a private site and I removed it when a forum I visit was hacked. I don't think it could be found in Google, but, I took no chances and removed it.

Erwin
23 Dec 2004, 04:26
Ahhh... makes sense.

nghiasi
23 Dec 2004, 05:31
Hopefully vbulletin won't get into this problem. ;)

Link14716
23 Dec 2004, 17:00
The problem doesn't affect vBulletin. ;)

Anyways, http://www.google.com/search?hl=en&lr=&safe=off&q=%22NeverEverNoSanity+WebWorm+generation+25%22&btnG=Search shows some results now.

EDIT: Seems to go all the way to generation 29 now. Eeek.

AN-net
23 Dec 2004, 18:07
Was gaia online attacked, cause there is a critical error on their site saying it can't connect to database?

Michael Morris
24 Dec 2004, 09:06
This particular exploit can't hit vbulletin, but you can guarantee there are - for lack of a better word - +++++++s - who are trying to find such an exploit in the vbulletin code. It's how they get their rocks off because finding a girlfriend is completely beyond them.

Floris
24 Dec 2004, 14:32
This particular exploit can't hit vbulletin, but you can guarantee there are - for lack of a better word - +++++++s - who are trying to find such an exploit in the vbulletin code. It's how they get their rocks off because finding a girlfriend is completely beyond them.
Here are some official reads about the PHP issue pointed out in this thread and the more on-topic issue: phpBB worm.

PHP Vulnerabilities in <= 4.3.9 and <= 5.0.2
http://www.vbulletin.com/forum/showthread.php?t=123531

How to avoid being damaged by the phpBB worm
http://www.vbulletin.com/forum/showthread.php?t=124008

Michael Morris
24 Dec 2004, 23:50
Thanks for the links, Floris.

My comment still stands though - while all known vulnerabilities are patched, that doesn't mean that tomorrow the script-kiddies won't find a hole. It is sad though that some people waste their time destroying other folks' work.

One of the regulars at EN World lost his entire campaign site to this worm. Say what you will about the failure to keep backups, it's still sad to see this happen so needlessly.

Erwin
25 Dec 2004, 06:53
Thanks for the links, Floris.

My comment still stands though - while all known vulnerabilities are patched, that doesn't mean that tomorrow the script-kiddies won't find a hole. It is sad though that some people waste their time destroying other folks' work.

One of the regulars at EN World lost his entire campaign site to this worm. Say what you will about the failure to keep backups, it's still sad to see this happen so needlessly.
Always have backups. :)

AWS
26 Dec 2004, 15:16
Always have backups. :)
There is a new worm that exploits the safe mode file traversal bug in php versions prior to 4.3.10. It uploads files to /tmp and executes them. This makes the box a zombie. It joins an irc channel and from there the botmaster can control the box and make it do whatever it is he is going to do with all the zombies he is creating.
Upgrade php to the latest version if you haven't done so already. If you are on a shared host make sure to let the isp know about upgrading. There are other vulns in php and there will be more worms like this one to exploit the other bugs.

Smitty
26 Dec 2004, 18:30
Also see http://www.vbulletin.com/forum/showthread.php?t=124159