I just had a couple sites hit with this worm.
Two were phpbb forums, one was an SMF forum like this one.
Still tracking down the cause but it appears to be both PHP and phpbb related.
Have you got some pointers to what the worm is or how to protect against it? The name isn’t recognised by either the NAI or Sophos sites. Google doesn’t come up with any hits on it either.
It appears to be very new.
I got two phpbb forums hit with it and it took out an SMF forum on the same server, though that might have been caused by a cross contamination. A real version of SMF that I have running was not (yet) affected but it is also on a different server.
I am currently upgrading the apache php ssl package for all my servers to get past it…
As for reported, I haven’t even seen CERT pick it up yet… Nothing much on the web yet, but found info with the following Google search
This is the first real hit I’ve ever had to the forums, luckily I am about to migrate them to SMF…
Seems to be called the SANTY worm now, if anyone is looking for info: http://www.theregister.co.uk/2004/12/21/santy_worm/ This is a new one, it uses Google to find vulnerable sites 8O
Technical Cyber Security Alert TA04-356A
Exploitation of phpBB highlight parameter vulnerability
Original release date: December 21, 2004
Last revised: –
Source: US-CERT
Systems Affected
phpBB versions 2.0.10 and prior
On Wednesday, a Google representative told ZDNet Australia that though Google users were not at risk from Santy, the search company had started blocking attempts by the worm to replicate.
This has prompted me to upgrade one of my two remaining phpBB forums to SMF and the other (which is effectively hidden with no links to it) is now at 2.0.11.