3 replies to this topic

[DaveBeck]

Apparently the "Santy" worm is exploiting a vulnerability in phpBB by searching Google for the term "Powered by phpBB".

If it finds a vulnerable installation of the worm will remove any HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X.

Worm uses Google to spread

I guess anybody using this form software needs to head straight over to the phpBB Web site and make sure that they have the latest version

dave

[Randy]

I didn't read all of it for the details, but it sounds like it may be related to a recently documented security flaw in PHP itself, not something specifically in PHPbb.

If your site is on an affected server, please contact your hosting company to make sure they apply the appropriate patch for PHP. Gonna start a thread on that in just a sec since I'm not 100% sure this is related, and the overall PHP vulnerability will affect far more.

[Tom Philo]

Google yesterday (or maybe Tuesday) wrote high level code to block the worm from searching Google in order for it to find sites running the PHPBB script which had not been infected yet.

The term "Powered by phpBB" was required to be on the home page thus it did a unique search in Google to find those sites running it then replicate itself to the first site it found in the list (or maybe a number of sites, I did not read the details of how it completely works and replicates).

In Google this AM I see 295 references to the full defacement text but likely 1/2 of those are news articles about it.

[OldWelshGuy]

It took Google 7 hours to identify the threat, and code a solution to it.

So, all you Google bashers out there, you gptta love that. I mean how cool is that?