A worm named “Santy” used Google search results to find and attack tens of thousands of phpBB forums.
According to an article in Computer Review, Worm uses Google to hit thousands of PHP sites:
The worm, Santy, exploited a vulnerability in phpBB, a bulletin board plug-in for the popular PHP web site scripting environment, to deface at least tens of thousands of web sites, deleting data from servers as it went.
It is believed to be the first major automated threat to use a search engine, Google in this case, to identify potentially vulnerable targets. This tactic has been known about and used by hackers in more targeted attacks for a long time.
The worm searches Google for the term “viewtopic.php”, the name of the vulnerable component, in URLs, a signature of the presence of phpBB. Google returns about 7.5 million hits for the query “allinurl:viewtopic.php”.
Once it has found a vulnerable machine, the exploit is executed. On the target server, all files with the extensions .asp, .htm, .jsp, .php, .phtm and .shtm are overwritten with an HTML page announcing “This site is defaced!!!”
The defacement page also contains the text: “NeverEverNoSanity WebWorm generation X”, where X is the number of infections that iteration of the worm has so far caused. Google did not return any hits for a query on the defacement text.
A report on the event can be found at Kaspersky: Net-Worm.Perl.Santy.a threatens Internet forums:
This worm infects certain web sites by exploiting a vulnerability in phpBB, a popular package used to create Internet forums. Santy.a is spreading rapidly, and has caused an epidemic. However, this does not directly affect end users - although the worm infects web sites, it does not infect computers used to view these sites.
Santy.a is something of a novelty - it creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of phpBB. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine.
Once the worm has gained control over a site, it will scan all directories on the infected site. All files with the extensions .htm, .php, .asp, .shtm, .jsp and phtm will be overwritten with the text ‘This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation’.
Apart from defacing infected sites with this text, the worm has no payload. It will not infect machines which are used to view infected sites. Kaspersky Lab recommends that all users of phpBB should upgrade to version 2.0.11 to prevent their sites from being defaced.
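The two reports above give everything needed to triage a hit site: the worm overwrote every file with one of six extensions and left a fixed banner whose only variable part is the generation counter. The following Python script is an added example, not code from the article, Computer Review, Kaspersky or the phpBB project: it walks a web root, reports each file carrying the banner, and extracts the generation number from it. The extension list and banner text are taken from the reports as quoted; the sample web root built by build_sample_site() is constructed for the demo and is not real worm output.

```python
"""Santy defacement triage: find files overwritten with the worm's banner
under a web root and recover the 'generation' counter from each.

Added example for this article; it is not code from the original page,
from Computer Review, Kaspersky, or the phpBB project. The extension list
and banner text are taken from the reports quoted above; the sample web
root built by build_sample_site() is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the reports say the worm overwrote (compared case-insensitively).
DEFACED_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}

# Fixed part of the banner; the generation number is the only variable part.
DEFACE_MARKER = "This site is defaced!!!"
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation\s*(\d+)")


def classify(name, text):
    """Classify one file by name and content.

    Returns None if the file is not a Santy defacement page, otherwise the
    worm generation as an int (-1 if the banner is present but the counter
    is missing or unreadable).
    """
    if Path(name).suffix.lower() not in DEFACED_EXTENSIONS:
        return None
    if DEFACE_MARKER not in text:
        return None
    match = GENERATION_RE.search(text)
    return int(match.group(1)) if match else -1


def inspect_file(path):
    """Read a file and classify it; unreadable files are reported as clean."""
    path = Path(path)
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    return classify(path.name, text)


def scan_tree(root):
    """Walk a document root and return {posix relative path: generation}
    for every defaced file. Symlinks are skipped so the scan cannot wander
    outside the web root."""
    root = Path(root)
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue
            generation = inspect_file(full)
            if generation is not None:
                hits[full.relative_to(root).as_posix()] = generation
    return hits


def build_sample_site(root):
    """Constructed sample web root (not real worm output) for the demo."""
    root = Path(root)
    (root / "forum").mkdir(parents=True, exist_ok=True)
    banner = ("<html><body>This site is defaced!!! This site is defaced!!! "
              "NeverEverNoSanity WebWorm generation 17</body></html>")
    (root / "index.php").write_text(banner)
    (root / "forum" / "about.htm").write_text(banner)
    # An intact phpBB file, so the scan reports only the overwritten ones.
    (root / "forum" / "viewtopic.php").write_text("<?php /* intact phpBB file */ ?>")
    # Banner text under an extension the worm did not target; not reported.
    (root / "notes.txt").write_text(banner)
    return root


def demo():
    """Build the sample site in a temp dir, scan it, print and return hits."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_tree(build_sample_site(tmp))
    for rel, generation in sorted(hits.items()):
        print(f"{rel}: defaced (worm generation {generation})")
    return hits


if __name__ == "__main__":
    demo()
```

Run it against a document root with scan_tree("/var/www/html") (path assumed). The scan only lists the damage: because the worm overwrote files in place, the originals have to come back from a backup or a fresh install, and the board must be upgraded to phpBB 2.0.11 before it goes back online, or it will simply be hit again.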
The phpBB forums also offered guidance on how affected sites could repair themselves, in the thread NeverEverNoSanityforDummies - Beginner How To Fix It.
Additionally, on Channel 9, the thread Those running phpbb and php 4 or 5 suggested that PHP itself should also be updated:
php4 should be patched to 4.3.1, and 5 should also be patched immediately.
Additionally,
BEWARE, there is a bug in php-imap that was only fixed 2 days ago. So ultimately, there’s a good chance your exploit-fixed 4.3.10 RPM will have this bug in it.
http://bugs.php.net/bug.php?id=31142&edit=2
If you update php-imap with an RPM of 4.3.10, it will most likely break your PHP email programs that rely on the php-imap library.
Solution: here’s what I did. I used the faulty php-imap RPM, then built the latest snapshot of PHP from source
http://snaps.php.net/
From the dir where I built the source into binaries, I copied out only modules/imap.so over the one the (faulty) php-imap RPM had installed, so
cp modules/imap.so /usr/lib/php4/
from the dir where you built PHP from source. This fixes the imap_mail_compose bug with the 4.3.10 RPM (the one I had, anyway) and doesn’t break RPM; RPM doesn’t know any better and still thinks it’s the original imap.so.
Problem solved!
Google noticed the worm’s automated queries against its search engine and was able to block them after about 10 hours. However, thousands of phpBB forums were believed to have been affected in that time.
Forums that had not upgraded to the latest phpBB version, 2.0.11, were affected, while forums that were up to date were not vulnerable to this attack.
However, this was only the latest in a run of security exploits to affect the phpBB forum project.
Ultimately, in an ironic reversal of the usual open source versus commercial software argument, the phpBB project suffers from limited volunteer help and support. Despite the dedicated work of its key developers, commercial forum packages such as vBulletin and Invision Power Board have been able to maintain a much better security record.
Link: Santy: Automated attack on phpbb forums