!!! Santy worm defaces websites using php bug !!!

**bartdotla** · 12-21-2004, 02:24 PM

too quick again, sorry!

see also http://forums.dathorn.com/showthread.php?t=1250

**Frank Hagan** · 12-21-2004, 04:32 PM

I have already upgraded all my sites using phpBB to 2.0.11, but even before that I had read that you should always remove the notice of what version of the script is running that the authors insist on putting at the bottom of the pages.

Hackers simply Google for the version of the software to find their victims. Now, it seems they have written that function into the worm, so it does it automatically:

Santy.a is something of a novelty - it creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of phpBB.

So update your scripts, of course, but go one step further. In phpBB, edit the "overall_footer.tpl" file so that the version of the software no longer prints out at the bottom of each page. Or, put an exclude for your forums in the robots.txt file. And then do the same for the rest of your scripts.

**ChrisTech** · 12-21-2004, 04:48 PM

Any idea where the version feild is located in IPB forums ?

**-Oz-** · 12-22-2004, 10:03 AM

I was running 2.0.11 and got hacked.

**oarenj** · 12-22-2004, 10:06 AM

Same Here.

**Jonathan** · 12-22-2004, 12:56 PM

Originally posted by ChrisTech

Any idea where the version feild is located in IPB forums ?

Off the top of my head, I'd say check the Boards.php file;
That has the title part, and I think also the vers. field. Not 100% sure though.

**Klaassh** · 12-22-2004, 04:02 PM

Originally posted by ChrisTech

Any idea where the version feild is located in IPB forums ?

On 1.3.1
Check in sources\functions.php (line2015) for {$ibforums->version}
It is also in sources\dynamiclite\csite.php (line285) if your using dynamic lite

on 2.0.3
index.php(112): var $version = "v2.0.3 ";
it is also in
admin.php(129): var $version = 'v2.0.3 ';
but I believe this is there version checking for upgrades

Should be similar for earlier versions of both

Removing the entire copyright will get you in trouble with IPB(unless you've paid for the right) but just the version info might be OK

**ChrisTech** · 12-22-2004, 06:58 PM

Originally posted by Klaassh

On 1.3.1
Check in sources\functions.php (line2015) for {$ibforums->version}
It is also in sources\dynamiclite\csite.php (line285) if your using dynamic lite

on 2.0.3
index.php(112): var $version = "v2.0.3 ";
it is also in
admin.php(129): var $version = 'v2.0.3 ';
but I believe this is there version checking for upgrades

Should be similar for earlier versions of both

Removing the entire copyright will get you in trouble with IPB(unless you've paid for the right) but just the version info might be OK

Hmm, Im lower than 1.3.1 =) Will look at it later on tonite.

**Frank Hagan** · 12-22-2004, 09:15 PM

One of my sites was hacked. I thought I had updated all the forums, but I had one old one I forgot about,and the worm found it. So I'm restoring it in the background. Luckily, it was one of my slowest sites out there, and not an income generating one. Gotta' be more careful next time.

!!! Santy worm defaces websites using php bug !!!

!!! Santy worm defaces websites using php bug !!!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment