francois
Posted January 24, 2005

hi, a techy news ..

Virus Santy.A

Santy.A is a worm which targets only Web sites hosting a phpBB forum. If the forum is not up to date, the worm infects the Web site by exploiting a critical vulnerability recently revealed, then replaces its home page with the message "This site is defaced!!!" in red on a black background, preventing its visitors from accessing it. The Internet users visiting the site are not affected by this worm, which automates the piracy of Web sites.

PREVENTION: Webmasters who have installed a phpBB forum have to update it by downloading at once the latest version from the site of the publisher. Internet users are not affected by this worm, which simply risks making certain Web sites inaccessible.

DISINFECTION: The webmasters concerned have to update their forum (see Prevention), delete the files installed by the worm and restore the pages modified or deleted by the worm.

TYPE: Worm

SYSTEM(S) CONCERNED: phpBB forum version 2.0.10 and lower

ALIAS:
Santy.A (F-Secure)
Net-Worm.Perl.Santy.a (Kaspersky)
PERL/Santy.worm (McAfee)
Perl/Santy-A (Sophos)
Perl.Santy (Symantec)
WORM_SANTY.A (Trend Micro)

DISCOVERY: 21/12/2004

DETAILED DESCRIPTION: Santy.A is a worm which targets only Web sites hosting a phpBB forum. This worm is a Perl script which uses Google to find forums and test their security by searching for the name of the page likely to be vulnerable to a recently exposed SQL injection flaw (viewtopic.php). If the tested forum is not up to date with its patches, the worm infects the Web site by exploiting a critical vulnerability recently revealed, then replaces the home page of the site as well as all the .asp, .htm, .jsp, .php, .phtm and .shtm files with the message "This site is defaced!!! NeverEverNoSanity WebWorm generation [number of infected sites]." in red on a black background, preventing visitors from accessing it.

The worm copies itself onto the infected server under the name m1ho2of and can run and seek other sites to infect if the Perl interpreter is installed. The Internet users visiting a site modified in this way are not affected by this worm, whose purpose is in fact to automate the hacking of Internet sites. Several tens of thousands of vulnerable Web sites are said to have been "deformed" in this way.

Following the blocking of the worm's queries by Google on 22/12/04, Santy.A is no longer effective. Since the code of the worm has been published on the internet, it is nevertheless necessary to expect the appearance of variants using other search engines.

25/12/04: A minor variant, Santy.B (also called Perl. Santy. tries to install a hidden door controlled by IRC and to use the AOL and Yahoo search engines to propagate. AOL now blocks the queries of the virus, so preventing its distribution.

25/12/04: A minor variant, Santy.C (also called Perl.Santy.C), tries to install a hidden door controlled by IRC and to use Google to propagate, unsuccessfully because its queries are now blocked.

concern administrators of sites with forum ... but it has to be said ...

[translated with prompt5]

francois
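For the disinfection step described in the post above, here is an added example (not part of the original post or of any vendor tool) that walks a webroot and lists files carrying the defacement marker and files named like the worm's dropped copy. The function names, the 4 KB read limit, the prefix matching of extensions and of the dropped file name, and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators taken from the advisory text in the post.
MARKER = b"NeverEverNoSanity WebWorm generation"
DROPPED_NAME = "m1ho2of"
# Assumption: extensions are matched as prefixes, so .html/.phtml/.shtml count too.
TARGET_EXTS = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")


def scan_webroot(root):
    """Return (defaced, dropped): sorted relative paths found under root."""
    defaced, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Assumption: the dropped copy may carry any suffix after the name.
            if name.lower().startswith(DROPPED_NAME):
                dropped.append(rel)
                continue
            ext = os.path.splitext(name)[1].lower()
            if not ext.startswith(TARGET_EXTS):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the defacement page is short
            except OSError:
                continue  # unreadable file: leave it for manual review
            if MARKER in head:
                defaced.append(rel)
    return sorted(defaced), sorted(dropped)


def demo():
    """Scan a small constructed webroot (sample data, not from a real site)."""
    samples = {
        "index.html": b"This site is defaced!!! " + MARKER + b" 12",
        "viewtopic.php": b"<?php /* intact page */ ?>",
        "notes.txt": MARKER,  # marker present, but not a targeted extension
        "m1ho2of": b"#!/usr/bin/perl\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_webroot(root)


if __name__ == "__main__":
    print(demo())
```

Files reported as defaced need restoring from a backup taken before the infection, and the forum still has to be updated first so the cleaned site is not hit again.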