Santy Worm Defaces Web Forums | eWeek

Santy Worm Defaces Web Forums

Écrit par
Ryan Naraine
Ryan Naraine
Dec 21, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Anti-virus vendors have raised the threat level on a new Internet worm squirming through Web servers that are running unpatched versions of the popular phpBB Web forum software.

The worm, known as Net-Worm.Perl.Santy.A or Santy, uses Google search to randomly find sites running phpBB and overwrites several different files to deface the forums.

By targeting the freely distributed phpBB, the defacement worm has become a major nightmare for some businesses that use the forum software to handle customer-service queries and other support issues.

In an advisory, security research outfit Kaspersky Lab said the Santy worm is “extra tricky” because it replaces several files on the server with its own code, meaning that other sites using the same host get infected.

Kaspersky Labs advisory carries a “Red Alert” rating.

On the phpBB support forum, administrators urged users to upgrade to the newest available release of the software.

In a forum notice, the volunteers at phpBB said the issue was traced back to a serious exploitable flaw in PHP, the scripting language on which phpBB is based.

“It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBBs config.php file,” the notice read.

/zimages/3/28571.gifClick hereto read about a new Internet Explorer exploit that spoofs Web sites.

Forum administrators who maintain their own server are urged to upgrade to the newest available release of PHP (both versions 4 and 5).

“Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally, please examine any hacking issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB),” the group said.

“Remember, this is not a phpBB exploit or problem, its a PHP issue and thus can affect any PHP script which uses the noted functions.”

F-Secure, an anti-virus vendor tracking the defacements, said Santy was only defacing servers and not infecting end-users.

An alert from F-Secure confirmed Kasperskys findings and warned that the worm overwrites files with the following extensions: .htm, .php, .asp, .shtm, .jsp and .phtm.

Because the worm specifically uses Google queries to find vulnerable servers, F-Secure said the search engine giant could stop the outbreak by simply not responding to the queries the virus uses.

“This wouldnt hurt any end-users and would in fact take load off from Google servers,” the company said in an updated notice posted late Tuesday.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.