RSI Posted December 24, 2004

Unfortunately when I log into my .htaccess 'protected' admin site I'm displayed a page that says the site has been defaced by "NeverEverNoSanity WebWorm generation 23". Is this a server (ISP), config or osCommerce bug? What's the best way to recover and get the admin site working again? Is this the result of one of the 'new' worms about at the moment?

Regards, RSI.
Iggy Posted December 24, 2004

> Unfortunately when I log into my .htaccess 'protected' admin site I'm displayed a page that says the site has been defaced by "NeverEverNoSanity WebWorm generation 23". Is this a server (ISP), config or osCommerce bug? What's the best way to recover and get the admin site working again? Is this the result of one of the 'new' worms about at the moment? Regards, RSI.

From ZDNet: "After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."

I'm a little confused as to whether it will traverse just your web dir or the entire server looking for pages to replace. You might want to contact your service provider.

Iggy
Everything's funny but nothing's a joke...
bglkk Posted December 24, 2004

> Unfortunately when I log into my .htaccess 'protected' admin site I'm displayed a page that says the site has been defaced by "NeverEverNoSanity WebWorm generation 23". Is this a server (ISP), config or osCommerce bug?

It exploits a vulnerability in phpBB versions prior to 2.0.11.

"Buy the ticket, take the ride..." -HST
♥Vger Posted December 24, 2004

Actually, what it does is to use an exploit in PHP itself, using a feature which just happens to be used in many PHP based programmes. The only solution is for the server itself to be upgraded to either PHP 4.3.10 or PHP 5+ (if PHP 5 is chosen, don't forget about the osCommerce PHP 5 fix). Unless the server is upgraded this hack will happen time and again.

Vger
stevel Posted December 24, 2004

Actually, no. Santy exploits a bug in phpBB, the "PHPBB Remote URLDecode Input Validation Vulnerability". There is a security hole in PHP itself, fixed in the versions you mention, but Santy doesn't use that. Given that these two security problems were popularized at about the same time, the confusion is understandable, and I have seen some press reports make the same mistake.

Steve
Contributions: Country-State Selector, Login Page a la Amazon, Protection of Configuration, Updated spiders.txt, Embed Links with SID in Description
freshjuice Posted December 24, 2004

> Actually, no. Santy exploits a bug in phpBB, the "PHPBB Remote URLDecode Input Validation Vulnerability". There is a security hole in PHP itself, fixed in the versions you mention, but Santy doesn't use that. Given that these two security problems were popularized at about the same time, the confusion is understandable, and I have seen some press reports make the same mistake.

I have phpBB on my site that is on a dedicated managed server. Would it make a difference that it uses a different database than the store?
stevel Posted December 24, 2004

No. You need to upgrade phpBB to a version that does not include the security hole. As I understand it, this exploit allows the attacker to modify files on the server and to execute arbitrary code.

Steve
Guest Posted December 25, 2004

Upgrading to PHP 4.3.10 also will solve the exploit; see the PHP website for their explanation.
stevel Posted December 25, 2004

I can't find any such statement on the PHP website. You are confusing two different exploits. The Santy worm exploits a flaw in the way that phpBB does highlighting of a thread based on a specially formatted URL. A quote from http://isc.sans.org/diary.php?date=2004-12-21 says "As part of our first post on this, we speculated that the worm may be using one of the recent problems in php to spread. After getting a hold of the code, it turned out that it is specific to phpBB and only uses the highlight vulnerability in phpBB."

There are also several recently discovered bugs in PHP fixed by 4.3.10 and 5.0.3. The Santy worm does not use these. See http://secunia.com/advisories/13481/ for more information.

Steve
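The highlight flaw Steve describes is triggered through the URL, so the web server's access log is where a site owner can look for it. The following is an added example, not code from the thread or from phpBB: a small Python scanner over constructed Common Log Format lines that flags viewtopic.php requests whose highlight parameter is still percent-encoded after one decode (the double-encoding the flaw's "URLDecode" name refers to) or carries code-like characters. The log lines, IP addresses and the classify/scan function names are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=12&highlight=santy HTTP/1.0" 200 5120
203.0.113.9 - - [21/Dec/2004:10:01:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527x%2527 HTTP/1.0" 200 5120
198.51.100.2 - - [21/Dec/2004:10:02:11 +0000] "GET /forum/viewtopic.php?t=7&highlight=%27quoted%27 HTTP/1.0" 200 900
192.0.2.8 - - [21/Dec/2004:10:03:00 +0000] "GET /index.php HTTP/1.0" 200 812
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ENCODED_RE = re.compile(r'%[0-9A-Fa-f]{2}')


def classify_highlight(raw_value):
    """Return a reason string if the highlight value looks hostile, else None.

    A normal search term decodes to plain text in one pass. A value that is
    still percent-encoded after the web server's own decode (so phpBB's second
    decode would reveal new characters), or that contains parentheses or a
    semicolon, is not something a user typing a search word produces."""
    once = unquote(raw_value)  # what the web server hands to PHP
    if ENCODED_RE.search(once):
        return "double URL-encoded highlight parameter"
    if any(ch in once for ch in "();"):
        return "code-like characters in highlight parameter"
    return None


def scan_log(log_text):
    """Return one finding per suspicious viewtopic.php request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("viewtopic.php"):
            continue
        # Split the query by hand: parse_qs would decode the value for us and
        # hide exactly the double-encoding we want to see.
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if key == "highlight":
                reason = classify_highlight(value)
                if reason:
                    findings.append({"ip": ip, "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['reason']} (HTTP {f['status']})")
```

A hit is only a reason to check that phpBB is at 2.0.11 or later and to compare the web root against the last known-good backup; the sample line with a single-encoded apostrophe is deliberately left unflagged, since ordinary searches contain it.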
JB04 Posted December 25, 2004

Your web host normally makes a backup copy every so often; mine does. Why not get in touch with them? I always keep at least 3 copies around just to be sure.