Is Our Site at risk?

Having just read an article on ZDNET I wonder is our site at risk from the Santa worm?

The article read:

Net worm using Google to spread

By Robert Lemos, CNET News.com, December 21, 2004, 11:01 AM PT

A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

"Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

"There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

"We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.


Anybody know?

Spikey
Use your judgement, and above all, be honest with yourself. :)
I walk with the world & the world walks with me!
I don't make bad choices!!! Other people just fail to see my GENIUS !!!! :D

Comments

  • If by our site you mean the forums here at moneysavingexpert.com then no because it's YaBB that's used here and not phpBB.
    Alex Jones
  • monomer
    monomer Posts: 216 Forumite
    I've already seen one such defaced page (not on this site though).

    From the page that I visited, it seems to affect some comment systems used on personal weblogs as well (which I presume are running phpBB).
    "...And I gave that man directions, even though I didn't know the way, 'cause that's the kind of guy I am this week." -- Homer Simpson
  • wirm
    wirm Posts: 5,273 Forumite
    I have noticed this on quite a few sites lately! :-/
  • sra
    sra Posts: 4,673 Forumite
    I found this interesting little site the other day: big-boards.com

    While not knowing how accurate the site is, it's interesting to note that of the biggest boards on the web, only two use yabb (click here) which I assume would mean no-one would even bother targeting it.

    On the other hand, look at vbulletin (which we're changing to). If this kind of attack becomes common, guess who the bad guys will want to target the most
  • monomer
    monomer Posts: 216 Forumite
    Google have responded to the worm and are filtering its results so that the worm can't spread any more.

    Reference:
    Google squashes Santy worm (ZDNet)
    "...And I gave that man directions, even though I didn't know the way, 'cause that's the kind of guy I am this week." -- Homer Simpson
  • I think there's a reason only two use YABB based on this site's problems with its ability to handle large amounts of traffic.

    Also interesting to note that in just over 400,000 posts time these forums will be able to join big boards :)
    Alex Jones
  • sra
    sra Posts: 4,673 Forumite
    Also interesting to note that in just over 400,000 posts time these forums will be able to join big boards :)

    noticed that. I suppose total posts will depend on how much of the backed up board is restored :)
This discussion has been closed.