Last week a new worm started spreading on the Internet. It’s named Santy, and it attempts to deface websites using specific versions of the popular phpBB bulletin board software. Is this just a run-of-the-mill worm causing minor damage to a few thousand websites? Yes. But it’s also got something we’ve never seen before.
In total, the worm seems to have compromised about 1 website in 150, among those using phpBB (less than 40,000 websites, on an estimated user base exceeding six million sites). Not too many, that is.
In fact, the phpBB vulnerability being exploited by the worm was already known, and administrators were advised to patch their installations as soon as possible, since the flaw was quite critical.
So far, nothing new… A new worm hitting the internet isn’t something very thrilling these days, especially when it is neither that aggressive nor extremely devastating.
Yet, the Santy worm sported a relatively new “feature”: it was using the Google search engine in order to automatically find its next victims; as far as I know, this might well be the first time such a creative use of search engines has been adopted by a worm spotted in the wild.
We’ve already seen automated programs (mainly spiders, but recently also a few viruses) using search engines for collecting e-mail addresses and other pieces of information, but the idea of Google hacking for vulnerabilities was until now only used by human crackers, not by smart worms.
So, are we witnessing the dawn of a new era in malware? The short answer is probably yes.
Santy is written in Perl, a very popular scripting language, and its source code is already appearing on “selected” websites on the ‘net. It’s only a matter of time before someone starts hacking the Santy source code in order to adapt it to new targets.
Fortunately Google took action quite promptly, and in a little more than six hours it started rejecting queries from the worm instances; this was relatively easy to accomplish, for the worm always submitted the same query to the search engine.
So this time we were able to cut the worm’s supply line in less than half a day; I’d bet the next incarnation of Santy will feature differentiated queries to multiple search engines…
Be prepared, and keep on patching your software!
Corrado Cau has worked in IT for 15-plus years, spending most of his career as a system and network administrator on many platforms. For the past few years he has been increasingly involved in managing IT security matters.
Related Links:
http://www.webuser.co.uk/news/56950.html
Worm attack makes Google squirm
July 27, 2004
Web User
Yet, the Santy worm sported a relatively new “feature”: it was using the Google search engine in order to automatically find its next victims; as far as I know, this might well be the first time such a creative use of search engines has been adopted by a worm spotted in the wild.
Is using a search engine to... search really a creative usage of a search engine?
The solution against Santy…
mod_security
http://www.hup.hu/modules.php?name=News&file=article&sid=7689
We battled the phpBB exploits for 8 hours.
cPanel did not release a new version of PHP for us in time to dodge the attacks. We defeated everything though.
Right now I would urge everyone to upgrade PHP before your machines are compromised.
mod_security can cause some huge headaches to server admins. It comes packaged with some server administration software that makes it easier to manage though.
I get plenty of customers that bug me about turning off safemode but I always direct them to get a virtual or dedicated server or to use a different service. So yeah, php safemode should be on.. you can turn it off in httpd.conf per site if you wish.
mod_security is a great tool against malicious GET and POST requests. It works fine for me.
You only need a custom rule for Santy.
Check this:
http://www.modsecurity.org/blog/archives/000046.html
..don’t use php. I mean, a bug in the *addslashes()* function which is there exactly to avoid security problems?
In the tenth stable version of a software?
Anyway, IIUC Santy.B uses AOL and MSN
It’s terrible, it overwrote all html and php files on my drive… very, very nasty. I’d gladly form a lynch mob with a few others and find this guy that wrote it.
No, you put safemode on or off, besides related configuration, in PHP’s configuration file; e.g. /etc/php4/apache/php.ini — I applaud your efforts regarding putting and keeping it on though. One could even put it off for specific directories IIRC, but I’m not sure on that.
As for this worm, it’s not that revolutionary. OpenSSH, BIND, Apache, Sendmail have all been targeted in the past. The fact it’s a Perl worm is quite unique afaik. The fact that it’s something where customers who host their site and/or forum elsewhere are targeted instead of a system-wide daemon is quite interesting though. Interesting in that sense, that it’s interesting to see how people are gonna solve this.
“..don’t use php.”
FYI: osnews.com uses PHP. Approximately 60% of web pages use PHP.
Your friends:
mod_security, a noexec mount on /tmp, chmod 550 wget, a trivial rule for lwp and the LWP::Simple HTTP_USER_AGENT, etc., and of course patch your phpBB installation:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
….worms written using open source software…
What is the world coming to?
Hackers so far have not used perl, but it is as capable as ANY program/exploit written in C. Perl can do bitwise manipulations, and can call any kernel function. Perl scripts can also be run off file systems with the noexec bit set…. Perl is installed on lots of Linux boxes, as it is required to do package management (Debian for example – perl-base package, can’t remove?)
“Approximately 60% of web pages use PHP.”
What is that based on?
I can respect the engineering behind the worm, but honestly I believe that all these little pukes who write worms, viri, etc. should be forced to pay outrageously huge fines, like say starting in the area of $50,000 per instance of the worm, and then they should spend some time in jail.
Welcome to evolution. Besides this is a social problem. Solve that and it will go away (at best background noise).
BACKUP BACKUP BACKUP
It shouldn’t matter much if your files were overwritten, you should have a backup of them readily accessible. If anything this worm taught some smaller operators to start backing up. In most cases the only downtime would be to rebuild the directory. I know we used to have hot spares of important servers for a situation like this, they were not on the network so a worm or virus couldn’t get to them. If something hits and takes down the server, implement a quick patch, and get the hot spare up and running.
Best of luck on your repairs.
You can see the source here (and many other places):
http://vdb.dragonsoft.com/exploit/Santy.A.html
It’s only about 200 lines long. I wish they would indent properly!
Funnily enough, when I pasted it in to an editor and saved it so I could put in proper indentation, Kaspersky comes up with an alert!
Hi there
I agree with the backup server idea, where the users feel a slowdown while the main server is patched or being repaired (the second should not really happen often).
The problem is money; even though companies have a big enough budget they often don’t want to take the safe path as the manager who signs it off can’t see a quick return.
It’s good to see that the VXers are doing something new to keep IT departments on their toes.
And they swore that worms like this couldn’t spread on a Unix system – HA!! Like I always said, where there’s a will, there’s a way.
“And they swore that worms like this couldn’t spread on a Unix system”
Who swore that? And what made you believe so-called worms were ever Windows-only in the first place? The first worm ever was in 1989, for Sendmail (before NT). You know Sendmail?
lol people are a trip. If the shit is only coming out on windows *nix people take a high and mighty attitude about how it “doesn’t happen to them”.
Then when it does happen they want bragging rights about it happening to them first!
This place is hilarious!
“Why don’t you go review some code so this shit never happens again mmm k ?”
Actually…I do ..however this will always happen. Code will have holes and all of them won’t be caught. What makes the difference is how many holes there are and how quickly they can/and are patched. I have no love for PHP, but this was patched quite quickly.
“Got better things to do and honestly don’t give a shit.”
Then don’t post crap like that “The Facts” thing.
(assuming that was you)
This place is hilarious!
Hilarious? Have I ever claimed there are no worms for *NIX, or are you applying what (misinformed) individuals claimed here, then seeing them as part of some group, then applying the image you have of those who spread misinformation to a single individual you also see as part of that very group? That would be hilarious.
As for PHPBB, IMO you could have seen it coming, and I wouldn’t run this software nor advise anyone to run it, especially not with precautions. The bug was yet another one in software which has a history of security vulnerabilities due to programming errors, the bug was known for a while already, the bug was patched for a while already, while the software is widely in use. If you insist on using software which frequently has flaws you have to take precautions… some of which are outlined throughout this thread. Oh, and btw — PHP or PHPBB != UNIX, and the bug and/or the precautions are in no way UNIX-specific. PHP and PHPBB are open source though.
A nice contribution to making this place a tad more hilarious. Thanks, post another one, but I’m not gonna take it seriously.
This is fun… not.
“And they swore that worms like this couldn’t spread on a Unix system”
Who swore that?
I’ve seen it in various places – it can’t happen in *nix because the browser isn’t embedded into the OS, files don’t have execute privileges by default, email programs can’t launch attachments directly, yada … yada … yada ….
And you know people are saying things like that, because we’ve all heard it before – not like I’m making the shit up myself.
Found this over on NeoWin.com 5 minutes after reading about Santy.A here –
As we reported last week, Google had been used by the “Santy.A” worm to infect websites using vulnerable versions of phpBB. Google has since disallowed such search attempts by the worm, by simply not listing vulnerable sites in their search results.
Variants are now attempting to exploit search engines offered by Yahoo and AOL, targeting sites running versions of phpBB prior to version 2.0.11. Some variants of the worm damage sites using poorly coded php instances of include() and require(). AOL claims that they are no longer contributing to the spread of the worm, and Yahoo has declined all requests for comment.
Santy deletes content from affected php-based sites, and replaces it with information found within the worm itself. Luckily this worm is not communicable to computers that visit affected sites. Sites using older versions of phpBB should update immediately, and some sites utilizing php may have to be rewritten altogether.
Actually, defacement of sites and overwriting files was only part of the story. For a few days this worm was installed on so many sites and Googling so hard that it was effectively running a mini-DoS attack on many popular phpBB forums. Even on sites with updated, “safe” versions of phpBB it racked up traffic volume astronomically, because each attempt would load a full page twice (I was getting around 3000 visits a day on a site that normally has around 100). It was possible to counter this with some .htaccess rewrites but many small forum operators probably didn’t know how to do this.
One interesting question is, what was the motive of the worm author(s)? AFAIK so far it’s just doing damage, without pursuing any traditional profit motives, such as installing a spambot or trawling for valuable data. I suppose it’s most likely that it was just another emotionally challenged teenager with nothing better to do. However, specifically attacking an open-source, free software project does seem out of character, even for a black hat. Perhaps it was someone with a personal peeve against the phpBB crew…
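An added example, not from the article or from any comment on this page, that applies two defensive points raised in the thread: the earlier suggestion of a rule keyed on the LWP::Simple user agent, and the request-volume spike on viewtopic.php described above. It scans Apache combined-format log lines (constructed here, with documentation-range addresses) and flags clients that hit viewtopic.php with a libwww-perl user agent or past a hit threshold; the threshold and sample values are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "libwww-perl/<version>" is the default User-Agent sent by LWP (and so by
# LWP::Simple), which the thread names as a cheap filter key for the Perl worm.
SUSPECT_UA_PREFIX = "libwww-perl"
PHPBB_SCRIPT = "viewtopic.php"   # the phpBB script the worm traffic hammered
HIT_THRESHOLD = 5                # assumed per-client limit for one log window


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines, threshold=HIT_THRESHOLD):
    """Map each suspicious client IP to the list of reasons it was flagged."""
    hits = defaultdict(int)   # viewtopic.php requests per client
    lwp_clients = set()       # clients that used a libwww-perl user agent
    for line in lines:
        rec = parse_line(line)
        if rec is None or PHPBB_SCRIPT not in rec["path"]:
            continue          # skip unparsable lines and unrelated requests
        hits[rec["ip"]] += 1
        if rec["ua"].lower().startswith(SUSPECT_UA_PREFIX):
            lwp_clients.add(rec["ip"])
    flagged = {}
    for ip, n in hits.items():
        reasons = []
        if ip in lwp_clients:
            reasons.append("libwww-perl user agent")
        if n >= threshold:
            reasons.append(f"{n} {PHPBB_SCRIPT} hits")
        if reasons:
            flagged[ip] = reasons
    return flagged


def make_line(ip, path, ua, status="200"):
    """Build one constructed combined-format log line for the sample below."""
    return (f'{ip} - - [22/Dec/2004:10:15:01 +0000] "GET {path} HTTP/1.0" '
            f'{status} 5123 "-" "{ua}"')


# Constructed sample log: one LWP client hammering the forum, one browser
# user reaching the threshold, one ordinary visitor, and an LWP request
# to a non-forum page that should not count.
BROWSER_UA = "Mozilla/5.0 (X11; Linux i686)"
SAMPLE_LOG = (
    [make_line("198.51.100.7", "/phpBB/viewtopic.php?t=42", "libwww-perl/5.803")] * 6
    + [make_line("192.0.2.9", f"/phpBB/viewtopic.php?t={t}", BROWSER_UA) for t in range(5)]
    + [make_line("203.0.113.5", "/phpBB/viewtopic.php?t=7", BROWSER_UA)]
    + [make_line("198.51.100.8", "/index.php", "libwww-perl/5.803")]
)

if __name__ == "__main__":
    for ip, reasons in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```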
First, I’d recommend you guys update your PHP to the latest and safest version, same goes for your phpBB boards and apache versions, anything that is out of date risks being exploited either by human hackers or automated worms/scripts such as Santy.
That said, losing your ‘data’ be it php or html files is surely not nice, so backup !!
Here’s a very simple way of backing up apache once a week into a nice tar.gz file which could come in handy one day:
http://www.linux-noob.com/forums/index.php?showtopic=1181
cheers
anyweb
Well a lot of “hackers” use google for website vuln. scans to pick up websites that’re running the proper versions of what they need for the hack to work. Besides that fact though it is kinda cool to see software using Google. Now wouldn’t it be a lot nicer if they used their power for good rather than evil?
Just a simple thought though.
Thanks for this informative article. I wonder when the next worm will appear. For sure it will make use of random queries to avoid being blocked by google.
” The bug was yet another one in software which has a history of security vulnerabilities due to programming errors… If you insist on using software which frequently has flaws you have to take precautions… PHP and PHPBB are open source though.”
What a spectacular way to prove that Open Source does not guarantee better software.
One of the pillars of Open Source ideology falls and anyone could see how it falls by Googling for NeverEverNoSanity
“the bug was known for a while already, the bug was patched for a while already, while the software is widely in use”
If it were not about Open Source exposed bug, that statement of yours would look like taken word for word from Windows advocate explaining why W32.Blaster worm should not be used to blame Microsoft.
After all, the bug exploited by Blaster was known, the bug was patched, the workaround was available since day one of Win XP (enable firewall), users were warned by CNN and Office of Homeland Security, while the software (Windows) is widely in use.
Too bad, I can’t recall you or any other anti-Microsoft activist giving Microsoft at least the credit you give to PHP and phpBB.
That’s the example of double standard. Prove me wrong.
I haven’t heard ANYONE claim that *NIX has no worms and Windows is wide open to them. I have only heard the broad term ‘virus’ vulnerabilities. So, MoronPeeCeeUser, In my book, you haven’t a leg to stand on in this. Now, if you wish to know the difference between a virus and a worm, here you go:
Worms exploit vulnerabilities in running programs (usually, but maybe not required to be, Internet-connected daemons) to transfer their payload to another system.
Viruses (Virii? Virus? what’s the plural?) use primarily social engineering and the poor design of entire software systems (Windows as a whole, perhaps KDE, GNOME, MSOffice, whatever) to dump their payload and spread.
Examples of each:
Worm (finger example from way back when): Program queries the ‘finger’ daemon running on a remote machine, giving it just a little too much data (the payload), and exploiting a vulnerability, dumping the payload into the running process image. This causes the finger daemon to crash, and execute the payload.
Virus (Pick one, any one, how about the IloveYou): I don’t exactly recall if this spread automatically, or only if you clicked on the message. But, it had the message “I Love You”, from a known contact (from another’s address book). When this dropped its payload, it used Outlook (express?) to scan the victim’s address book, and email itself to everyone listed.
Now, do you understand the difference yet? This was a WORM, therefore, ANYTHING CONNECTED TO THE INTERNET is vulnerable, not just th4t w1nd0z3, lun1>< is vulnerable too (god I hate typing that, but did to make a point that you’re shitting about nothing).
Nobody cares about it being a worm or virus if it compromises your system / website. It was a vulnerability similar to windows blaster, and the oss folks should care about it. I guess gentoo machines that are auto-updated were not affected, but I’m not sure if phpbb is a package.
“Viruses (Virii? Virus? what’s the plural?)”
Viruses
I never said they shouldn’t care, just that MoronPeeCeeUser and friends shouldn’t get their panties in a bunch over it. If you run the software, be alert of it, watch bugtraq, take steps to secure it, that’s all there is to it. Don’t bitch and moan about how one group appears hypocritical, or how the lightbulb just went on in your head saying that nothing is perfect (not directed to you specifically, just generally to anyone who reads this). Sure there are zealots who say ‘yes, windows sucks, unix forever, blah blah blah’ but they’re idiots, and shouldn’t be taken seriously. (My opinion: Windows has some fundamental design flaws, but people use it, so it exists. I just avoid it wherever I can, as I feel *NIX systems are designed better, at least the ones I use are).
But, back to my original rant of this: It is next to impossible, if not impossible, to build a completely bullet-proof system, so admins just need to be careful no matter what OS they run and packages they install. Simple as that. (rant over, commence flaming or ignoring).
Actually…I do ..however this will always happen. Code will have holes and all of them won’t be caught. What makes the difference is how many holes there are and how quickly they can/and are patched. I have no love for PHP, but this was patched quite quickly.
Honestly I don’t mind PHP. I rather like it. I agree bugs will always be there and there will always be holes. Quick turnaround on patches is important.
I feel that exploits and viruses are a problem that as a whole the industry is still learning to deal with. To try and determine how someone might exploit code and make it perform in ways it was never designed to perform is not an easy task for any group of people.
Then don’t post crap like that “The Facts” thing.
(assuming that was you)
Wasn’t me. I don’t post anon on this forum.
Excusing flawed software for one vendor while apologizing for another is a double standard. But Microsoft does not exclusively represent proprietary software, nor should you overly represent open/free(dom) software with PHP.
Open source does not ‘guarantee’ better security. But having the source code does allow for peer review and the ability for more people to contribute ‘fixes.’ This would certainly be an ‘advantage’ of open source over proprietary software.
For fun, imagine that Microsoft and Zend Technologies were not responsive to fixing their software. How would proprietary and free/open source software compare? Hint: there would be a patch for PHP.
>Open source does not ‘guarantee’ better security.
Mr. Stallman will disagree. So will many, many other open source advocates.
I agree with you.:)
>peer review… would certainly be an ‘advantage’ of open source over proprietary software.
It would, except hackers usually work this way:
1. Bug found by independent reviewer or software developer.
2. Bug fixed.
3. Patch released.
4. Hackers review the patch.
5. Hackers write exploit and release it to the wild.
6… Infection.
7… Infection.
8… Infection.
9… Finally, end users reluctantly patch their software.
Open Source may be better in getting from 1 to 3, but lazy hackers wait at 4- why bother reading tens of millions of source code lines (if available) when patch will reveal all they need in few hundred lines? Then, 5 to 9 is not different between proprietary and open source software.
>Hint: there would be a patch for PHP.
Hint: it was! Not very many people bothered to download it. It has nothing to do with openness of software and this is the point: no open source software in the world forces people to change their habits.
Open source may be good in sharing intellectual property with less fortunate, but it is not a silver bullet for security, does not matter how many times Stallman and his followers want us believe the opposite.
I am glad we both agree on this: open source does not ‘guarantee’ better security.
Open source needs more people like you.
Maybe you guys ought to stipulate WHICH open source you’re talking about. Is Windows as secure as OpenBSD? Why not?
“Maybe you guys ought to stipulate WHICH open source you’re talking about. Is Windows as secure as OpenBSD? Why not?”
Can you explain to me why it is?
OpenBSD can be hacked up quite easily, give someone time and nothing to do. You would be amazed what they can do.
..what are you talking about???
I just said that I have safemode on server wide, but you can also turn it off in the httpd.conf file. you can use the httpd config file to turn it off or on for specific sites.
“No, you put safemode on or off, besides relared configuration, in PHP’s configuration file; ” Makes no sense to me in a reply to my safemode comments.
Safemode is a very good thing to have on.
I think you’re confusing desktops with servers Darius. Linux/UNIX servers have seen worms for years but there are still no desktop attacks. These are not mom/pop systems but systems run by Administrators who are meant to have a clue.
>Open source does not ‘guarantee’ better security.
Mr. Stallman will disagree
Quote him. I don’t think he ever said that and he doesn’t say that much. When he does, it’s mostly the same, and afaik he never ranted on security issues or so.
As for PHPBB, you can’t use that to make an overall claim about open source given it’s merely one of the very many. You can’t say “all women are murderers” simply because one evil Soviet female pressed the nuke button. You don’t say “Oh, my, Coldfusion is so insecure. It’s because it’s proprietary! Oh my, all proprietary software is insecure!” — when you say that you haven’t connected the dots, because you haven’t proven that because of B hence A. And C is even more global than B. It’s hard to compare it to Outlook as well since they’re used on a different field and since the damage done also varies. IOW, bullshit discussion, bullshit arguments.
Those who use similar arguments in other examples (e.g. Microsoft software) are equally using fallacies to make some kind of moot point.