Sanity worm defaces websites using php bug
Gadi Evron
ge at linuxbox.org
Tue Dec 21 21:26:27 UTC 2004
cw wrote:
> Does anyone have any more detail on exactly what this thing does after
> it gets into a system?
Check *any* AV web site.
> The cgi platform for a company I use has been hit and the effect is
> not just limited to phpBB, it seems to get into the server and then go
> through everything it can write to..
Naturally. This can teach you a few lessons, ranging from, but not
limited to:
1. Using packages that have a higher rate of disclosed vulnerabilities
than....
2. Using packages that demand certain privileges.
3. Not limiting privileges.
4. Not patching.
> I lost a copy of UBB to this worm even though I don't run phpBB off
> the same vhost.
>
> Gonna be a nightmare for server ops to ensure that all client copies
> of phpBB are patched..
It shouldn't be a nightmare for people to do proper patching, especially
when it is not a client application at all (I got what you meant..).
A few months ago I heard and later made a joke about creating a random
program that will build fake PHP applications advisories and email them
to bugtraq daily. That's pretty much what it looks like today, as it is.
This worm is finite, it won't last virtually forever like some other
worms. I haven't looked at it yet, but my bet would be most of its harm
is overhead of wasted traffic.
Gadi.