Santy Worm Defaces Web Forums

Anti-virus vendors have raised the threat level on a new Internet worm squirming through Web servers that are running unpatched versions of the popular phpBB Web forum software.

The worm, known as Net-Worm.Perl.Santy.A or Santy, uses Google search to randomly find sites running phpBB and overwrites several different files to deface the forums.

By targeting the freely distributed phpBB, the defacement worm has become a major nightmare for some businesses that use the forum software to handle customer-service queries and other support issues.

In an advisory, security research outfit Kaspersky Lab said the Santy worm is “extra tricky” because it replaces several files on the server with its own code, meaning that other sites using the same host get infected.

Kaspersky Labs advisory carries a “Red Alert” rating.

On the phpBB support forum, administrators urged users to upgrade to the newest available release of the software.

In a forum notice, the volunteers at phpBB said the issue was traced back to a serious exploitable flaw in PHP, the scripting language on which phpBB is based.

“It has come to our attention that code has now been released which uses this exploit in PHP to obtain confidential information in phpBB. Such information includes data contained in phpBBs config.php file,” the notice read.

/zimages/3/28571.gifClick here to read about a new Internet Explorer exploit that spoofs Web sites.

Forum administrators who maintain their own server are urged to upgrade to the newest available release of PHP (both versions 4 and 5).

“Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally, please examine any hacking issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB),” the group said.

“Remember, this is not a phpBB exploit or problem, its a PHP issue and thus can affect any PHP script which uses the noted functions.”

F-Secure, an anti-virus vendor tracking the defacements, said Santy was only defacing servers and not infecting end-users.

An alert from F-Secure confirmed Kasperskys findings and warned that the worm overwrites files with the following extensions: .htm, .php, .asp, .shtm, .jsp and .phtm.

Because the worm specifically uses Google queries to find vulnerable servers, F-Secure said the search engine giant could stop the outbreak by simply not responding to the queries the virus uses.

“This wouldnt hurt any end-users and would in fact take load off from Google servers,” the company said in an updated notice posted late Tuesday.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.