phpBB worm hits more than 40,000 sites

Santy worm makes unwelcome visit
Thousands of website bulletin boards have been defaced by a virus that
used Google to spread across the net.
The Santy worm first appeared on 20 December and within 24 hours had
successfully hit more than 40,000 websites.

The malicious program exploits a vulnerability in the widely used
phpBB software.

Santy's spread has now been stopped after Google began blocking
infected sites searching for new victims.

Fast response

The worm replaces chat forums with a webpage announcing that the site
had been defaced by the malicious program.

Soon after being infected, sites hit by the worm started randomly
searching for other websites running the vulnerable phpBB software.

Once Google started blocking these search queries the rate of
infection tailed off sharply.

A message sent to Finnish security firm F-Secure by Google's security
team said: "While a seven hour response for something like this is
not outrageous, we think we can and should do better."

"We will be reviewing our procedures to improve our response time in
the future to similar problems," the Google team said.

Security firms estimate that about 1m websites run their discussion
groups and forums with the open source phpBB program.

The worst of the attack now seems to be over as a search conducted on
the morning of the 22 December produced only 1,440 hits for sites
showing the text used in the defacement message.

People using the sites hit by Santy will not be affected by the worm.

Santy is not the first malicious program to use Google to help it

In July a variant of the MyDoom virus slowed down searches on Google
as the program flooded the search site with queries looking for new
e-mail addresses to send itself to.

re: phpBB worm hits more than 40,000 sites

This morning there appears to be a new version of Santy wandering the

This one spoofs a User-Agent of "Mozilla/4.0".

Re: phpBB worm hits more than 40,000 sites

It doesn't only affect phpBB boards. I have a client whose site has a
Discus board in a directory only accessible to members with a username
and password (so no one could even access it or know it was there unless
they were a member and had a user name and password). Although the
Discus board is not itself vulnerable to the worm, because it is hosted
on a *shared server* on which other sites presumably are using the phpBB
board, the exploit was also able to deface all the messages on my
client's board - because of the shared server status!

So, user beware! I don't check that particular client's board very
often, so I wouldn't even have known about the attack if another
moderator had not e-mailed me to tell me about it.

By the way - a happy new year to all readers of this group!

Jane M Patience - Patience Design
Web Design Services for small business
