Anyone seen this yet??? Maybe new worm, I'm wondering...

karmic

A friendly, family website got defaced sometime thru the night... The calling card that was left is:

"NeverEverNoSanity WebWorm generation 13."

Has anyone seen this???

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Not to be mean, but are you sure it is a worm? It may be a calling card from a new script kiddie group. However, going on the assumption that it is a worm, I can't seem to find anything on it. So, my question is: do you have access logs from your server? You might get better results in Forum83.

----------------------------
"Security is like an onion" - Unknown
 
I've made some progress on tracking this down. Were you running PHP on your site? Specifically <= 4.3.9? Or <= 5.0.2? (not including 4.3.10)

If so, it appears to be an automated attack of some sort exploiting the recent vulnerabilities found in the above PHP versions. The issue is fixed in 4.3.10 and 5.0.3, respectively.

----------------------------
"Security is like an onion" - Unknown
 
It's not my site, fortunately...

Not sure what the version is... It's a concern to me as I've had a few clients with defaced websites but nothing to this extreme... This hacker seems to have taken over the entire server. My concern is what's next, and who is this group...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
I found one of the tools that could have been used, but it depends on certain software running in order for the PHP exploit to work. And it doesn't appear to leave the calling card that I found. So at the moment, it is either something so new, nobody has heard of it yet (which I'm guessing is correct), or they do a very good job of hiding their tracks thus far. Access logs will be important however.

----------------------------
"Security is like an onion" - Unknown
 
I don't have access to the logs, it's not my site... The site is not my concern, the hacker is...

My main concern is if anyone has heard of this as of yet, it seems to be new. My concern is finding information about "NeverEverNoSanity WebWorm generation 13" and is this going to be a trend...

It may be a tool but it's definitely a direct access to the PHPBB site, don't know if it's an IIS hack or not.

I'm going to try to contact the web admin to see if he/she is willing to part with the information or not.

In the meantime, if you find information on the web about this, please post it here.


Thanks.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Oops. Sorry. I keep reading your posts, understand what you say, and keep thinking it is your site. :(

Okay, the fact that it is a phpBB site does indeed help. However, for anybody reading, it is not an exploit in phpBB (as far as I can tell anyway, unless they did not update to 2.0.11), but rather PHP.

In the interest of not posting exploit code (as a) I don't like it and b) I'm a support tech for phpBB :p), I'll only give the site. However, it should be pretty obvious where to go from there.

That's what I found earlier. I hope the admins don't mind my posting that link.

----------------------------
"Security is like an onion" - Unknown
 
TechieMicheal, I don't know about the admins, but I sure don't...

Thanks a lot.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Okay, some more information for you. I was contacted by a phpBB user who was attacked with this worm.

The worm attacks phpBB, exploiting the recent highlight vulnerability (which means the site is unpatched). The worm then defaces the site, googles for more sites, and then spreads, each time increasing its generation number by one.

So, the lesson to be learned here is to keep the software you use up-to-date.

----------------------------
"Security is like an onion" - Unknown
 
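Added example, not part of any post in this thread: a defender-side triage of web access logs for requests to phpBB's `viewtopic.php` whose `highlight` parameter carries more than search words. It assumes Apache common/combined log format and that legitimate `highlight` values are plain words; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common-log prefix: client, identity, user, [time], "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Assumption: a legitimate highlight value is only words, spaces, '*' or '-'.
PLAIN_WORDS = re.compile(r'[\w\s*-]*')

# Constructed sample lines (documentation address ranges, placeholder payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /forum/viewtopic.php?t=12&highlight=backup+script HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2000:13:55:40 -0700] "GET /forum/viewtopic.php?t=12&highlight=%2527CONSTRUCTED%2527 HTTP/1.0" 200 4211',
    '198.51.100.7 - - [10/Oct/2000:13:55:44 -0700] "GET /forum/index.php HTTP/1.0" 200 901',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so multiply-encoded values are seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_highlight_hits(lines):
    """Map client address -> decoded highlight values that are not plain words."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("viewtopic.php"):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key != "highlight":
                continue
            decoded = fully_decode(value)  # parse_qsl already decoded once
            if not PLAIN_WORDS.fullmatch(decoded):
                hits[client].append(decoded)
    return dict(hits)


if __name__ == "__main__":
    for client, values in suspicious_highlight_hits(SAMPLE_LOG).items():
        print(client, values)
```

A hit is a lead for review, not proof of compromise; the patched phpBB release named in the thread (2.0.11) is still the fix.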
Thanks micheal, that helps greatly.

Got an email from a friend of mine last night regarding NeverEverNoSanity. He recalls hearing about a group called this from years back...



~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Useful info folks - our technician's fave forum was attacked by this last night, didn't realise what it was until I read this lot....

Thanx

Kes:)
 
Thanks jiminks... was trying to find the article.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
CERT has an alert out, too.

James P. Cottingham
-----------------------------------------
To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.
 
The update for phpBB has been out for over a month, so there's no excuse for not updating. ^_^

----------------------------
"Security is like an onion" - Unknown
 
Symantec has a fix out for this one also, it's on their list of most recent threats.
 
Took a few days for any information to trickle out from the web...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 