(Net-Worm.Perl.)Santy.a Clause, the not-so-nice Santa...




 
--
 
December 28th, 2004  
Redleg
 
 

Topic: (Net-Worm.Perl.)Santy.a Clause, the not-so-nice Santa...


Net-Worm.Perl.Santy.a

Anyone who got a visit by Santy this year??

A new Worm/Virus spread like wildfire through phpBB forums (like this one) this Christmas..

It doesn't affect home computers, just using a security flaw in older versions of the phpBB forum script to spread through the internet..
It is also using a vulnerability in PHP itself, so your host needs to upgrade that as well.

More info about the Santy worm here:
Quote:
Santy is a worm was found at December 21st, 2004. It uses a vulnerability in popular phpBB discussion forum software to spread and it uses Google search engine to find vulnerable servers. It does not infect end user computers.

Google has started filtering requests made by the worm at December 22nd, 2004, in order to stop the worm.
http://www.f-secure.com/v-descs/santy_a.shtml
and here:
http://www.google.com/search?sourcei...GLD:en&q=santy

Over 40,000 forums are supposed to be infected/defaced.

This forum was not defaced by the virus, but you can see that it has REALLY tried if you look at the info at the bottom of the index page...
Quote:
Most users ever online was 507 on 24 Dec 2004 17:25 pm
It has eaten a significant amount of the bandwidth, but it should't have done any more harm than that.

There are a few temporary fixes to prevent the worm from entering your forum.
http://www.phpbb.com/phpBB/viewtopic.php?t=249010
But the most important one is to upgrade your forum(s) to version 2.0.11 ASAP!!
December 28th, 2004  
implicature
 
 
can you fix the "most users ever online" or is it just going to be like that until we break it?

also what did it do as far as "vandalism" did it put curse words into posts or did it change around pics etc?
December 28th, 2004  
Redleg
 
 
I will change the number soon..
But it's kinda cool to have had 500+ users online at once...


You can see what the worm do on the F-secure site here:
http://www.f-secure.com/v-descs/santy_a.shtml

It changes (defaces) every .php .htm .html .asp etc. file into:
This site is defaced!!!
NeverEverNoSanity WebWorm generation X

So it totaly ruins the forum(s), and most of the site(s) it can enter.
--
December 28th, 2004  
implicature
 
 
i'm really thankful that didn't happen here otherwise "santy" would have had a lot of military techies comin down hard on it!!!
December 28th, 2004  
Redleg
 
 
Quote:
Originally Posted by implicature
i'm really thankful that didn't happen here otherwise "santy" would have had a lot of military techies comin down hard on it!!!
I just wonder what the next one will/could do...

Do you see the ads at the top of this page by the way??
Looks like big G can't decide if this topic is about viruses and worms, or about Santa/Christmas...
(I'm seeing two ads for each)
December 28th, 2004  
implicature
 
 
yeah i noticed that with the name... some of the viruses and worm names symantec etc etc comes up with are very ... stupid. why santy i know what it does but santy... come on ppl just call it forum worm/virus/bug/nasty creature! whe did name this btw? i understand that CARO has the final say for the most part but is there some guy sitting in a room and all the sudden somebody opens the door and says we have a virus/worm/bug/ nasty that doed this can you give us some off the wall name that makes no sense and let us send it to everyone else in the world? it really baffles me!
the melissa virus was named after a stripper. that makes sense because the guy that wrote it named it. is there a hacker or hacker org that is laying claim to this?
December 30th, 2004  
Turner
 
lucky this site did not go down
December 30th, 2004  
Locke
 
 
maybe thats what has taken my beloved gathering forum down...:sobs: