Categorie: Vulnerability Posted: 2004-12-22 by ReCall Views: 523 Source: Click here
Current Rating: Not rated
Details
Technical Details
This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable.
The worm is written in Perl, and is 4966 bytes in size.
Propagation
The worm creates a specially formulated Google search request. This request will give a list of sites running vulnerable versions of phpBB. The worm then sends a request to all sites found, which contains an exploit for the vulnerability. When the server under attack processes the exploit, the worm penetrates the site and gains control. This process is then repeated.
The worm scans all site directories, and overwrites files with the following extensions:
.asp
.htm
.jsp
.php
.phtm
.shtm
with the following text:
This site is defaced!!!
This site is defaced!!!
NeverEverNoSanity WebWorm generation
Using MSN to search for sites containing the above strings gives an extensive list of sites; evidence that Santy.a is currently causing an epidemic.
