My site has been defaced

  • rod
    Member
    • Mar 2004
    • 65

    #1

    My site has been defaced

    This site is defaced!!!
    NeverEverNoSanity WebWorm generation 12.

    --
    My subdomain using wordpress and the main domain...

    Let me check if other domains were attacked
  • AndrewT
    Administrator
    • Mar 2004
    • 3655

    #2
    What scripts are running on the domains?

    Comment

    • rod
      Member
      • Mar 2004
      • 65

      #3
      I'm running wordpress 1.2
      Imagevue (a flash gallery)

      Let me check my other scripts


      I lost tons of things!!!


      I'm also running an old version of pivotlog (a private url)
      Phpbb forums
      Last edited by rod; 12-21-2004, 12:35 PM.

      Comment

      • ErDrRon
        Junior Member
        • Mar 2004
        • 8

        #4
        I also have one user with the same hack.. it has overwritten all of his files. The following message shows on index.html:



        This site is defaced!!!

        NeverEverNoSanity WebWorm generation 9.

        We are on cpanel25. Any thoughts?

        Ron

        Comment

        • AndrewT
          Administrator
          • Mar 2004
          • 3655

          #5
          Please post a list of the scripts that are on your sites as that is how this is occurring.

          Comment

          • ErDrRon
            Junior Member
            • Mar 2004
            • 8

            #6
            Outside of phpBB the only scripts are those that are installed when originally setting up the site.


            Ron

            Comment

            • AndrewT
              Administrator
              • Mar 2004
              • 3655

              #7
              phpBB is most likely the problem. That is one of the easiest scripts to exploit at this point if it is not upgraded.

              Comment

              • rod
                Member
                • Mar 2004
                • 65

                #8
                looks like phpbb is the script.

                Comment

                • ErDrRon
                  Junior Member
                  • Mar 2004
                  • 8

                  #9
                  It looks like this is the latest iteration of a phpBB exploit. Read the following Security bulletin. I am upgrading his phpBB version to 2.0.11 as we speak.


                  Keep up-to-date with the latest Kaspersky news, press releases, and access media resources.


                  Ron

                  Comment

                  • ErDrRon
                    Junior Member
                    • Mar 2004
                    • 8

                    #10
                    Net-Worm.Perl.Santy.a

                    Dec 21 2004



                    Behavior: Net-Worm

                    Technical Details

                    This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable.

                    The worm is written in Perl, and is 4966 bytes in size.

                    Propagation

                    The worm creates a specially formulated Google search request. This request will give a list of sites running vulnerable versions of phpBB. The worm then sends a request to all sites found, which contains an exploit for the vulnerability. When the server under attack processes the exploit, the worm penetrates the site and gains control. This process is then repeated.

                    The worm scans all site directories, and overwrites files with the following extensions:

                    .asp .htm .jsp .php .phtm .shtm

                    with the following text:

                    This site is defaced!!!
                    This site is defaced!!!
                    NeverEverNoSanity WebWorm generation

                    Using MSN to search for sites containing the above strings gives an extensive list of sites; evidence that Santy.a is currently causing an epidemic.

                    Users should note that this worm is not dangerous; it will not infect computers if users view an infected site.

                    Comment
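Added example, not part of any post in this thread: a Python triage script that walks a web root and reports which files of the types named in the Santy.a description carry the defacement text quoted above and which were left alone, so a restore can be scoped. Matching the extensions as prefixes, the `triage` and `demo` names, and the sample files are assumptions made for this example.

```python
import os
import re
import tempfile

# Extensions and marker strings come from the posts quoted in this thread.
# Extensions are matched as prefixes (assumption: post #4 reports index.html).
TARGET_PREFIXES = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")
HEADLINE = b"This site is defaced!!!"
MARKER = re.compile(rb"NeverEverNoSanity WebWorm generation\s*(\d+)?")


def triage(docroot, max_bytes=65536):
    """Return (defaced, intact); defaced maps path -> generation number or None."""
    defaced, intact = {}, []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if not ext.startswith(TARGET_PREFIXES):
                continue  # the worm description lists only these file types
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable: leave for manual review
            match = MARKER.search(head)
            if match and HEADLINE in head:
                defaced[path] = int(match.group(1)) if match.group(1) else None
            else:
                intact.append(path)
    return defaced, sorted(intact)


def demo():
    samples = {  # constructed sample files, not data from any real site
        "index.html": b"This site is defaced!!!\nNeverEverNoSanity WebWorm generation 12.",
        "forum/viewtopic.php": b"This site is defaced!!!\nNeverEverNoSanity WebWorm generation 9.",
        "about.htm": b"<html>About us</html>",
        "images/logo.gif": b"GIF89a",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        defaced, intact = triage(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return {rel(p): g for p, g in defaced.items()}, [rel(p) for p in intact]
```

Files reported as intact still need checking against a known-good copy; the script only tells you which ones carry the marker text.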

                    • rod
                      Member
                      • Mar 2004
                      • 65

                      #11
                      We don't have a backup, right?

                      Comment

                      • -Oz-
                        Senior Member
                        • Mar 2004
                        • 545

                        #12
                        I also got hacked.

                        Andrew: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
                        Dan Blomberg

                        Comment

                        • Frank Hagan
                          Senior Member
                          • Mar 2004
                          • 724

                          #13
                          Dathorn is upgrading PHP as soon as the Cpanel upgrade comes through (I asked in a trouble ticket earlier this week.)

                          Comment

                          • Jonathan
                            Senior Member
                            • Mar 2004
                            • 1229

                            #14
                            Originally posted by ErDrRon
                            Net-Worm.Perl.Santy.a
                            The worm scans all site directories, and overwrites files with the following extensions:

                            .asp .htm .jsp .php .phtm .shtm

                            with the following text:

                            This site is defaced!!!
                            This site is defaced!!!
                            NeverEverNoSanity WebWorm generation

                            Using MSN to search for sites containing the above strings gives an extensive list of sites; evidence that Santy.a is currently causing an epidemic.

                            Users should note that this worm is not dangerous; it will not infect computers if users view an infected site.
                            Why not use .htaccess to force PHP to parse, say, .file or some
                            off the wall extension? Maybe the initials of the site?

                            Though for something like forums, it'd not be worth it
                            "How can someone be so distracted yet so focused?"
                            - C

                            Comment

                            • Frank Hagan
                              Senior Member
                              • Mar 2004
                              • 724

                              #15
                              One of my sites got hit ... but the rest appear to be OK. Dathorn has upgraded Cpanel08 to the most recent PHP version that is supposed to protect us, so we'll see.

                              I hope it only affected the index.php files ... if it did them all, we'll have to restore them all! That would be a pain.

                              Comment
