Santy Alert

infectionvectors.com

December 2004

Vector:             SQL injection via phpBB version 2.0.10 and prior
Impact:             High (overwrites files on web server)

Santy is a worm exploiting older unpatched versions of phpBB software (see below for exploit info). Once it injects itself onto a vulnerable server it overwrites HTM, JSP, PHP, PHTM, ASP, and SHTM pages with the following HTML code. Note: the code was reconstructed from IDS/firewall logs posted from affected web servers, not from direct inspection of the malware; every effort has been made to keep it accurate, but this description may change as analysis continues. The fragment "} . $generation . q{" in the ADDRESS line is the worm's own Perl splicing its generation counter into the page, not part of the HTML it writes.

 

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation } . $generation . q{.</b></ADDRESS>
</BODY></HTML>

 

Which creates pages looking like this:

[screenshot of a defaced page; image not reproduced]
Santy is written in Perl and only affects servers built with phpBB prior to version 2.0.11. The use of the “generation” number is very interesting; it provides a means of tracking versions of the code as it spreads to other machines. This is controlled by the following parts of the script:

my $generation = 9;              # counter carried into every new copy of the worm
PayLoad() if $generation > 3;    # defacement only runs once the counter passes 3

[script edited here]

while(!GrabURL('http://www.google.com/advanced_search')) {
      if($generation > 3)
      {
            PayLoad() ;

[script edited here]

# rewrite the worm's own source with the counter incremented; /e evaluates the replacement as Perl
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e;

 
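To make the generation mechanism concrete for readers who do not read Perl, here is an added example (not code from the original page or from the worm) that reimplements the two pieces shown above in Python: the s///e substitution that rewrites the counter in the script text, and the "PayLoad() if $generation > 3" gate. The script text it operates on is a constructed stand-in containing only the lines the page quotes; PAYLOAD_THRESHOLD is taken from that quoted gate. The lineage() helper walks successive copies so a responder can see which generation numbers correspond to dormant copies and which to defacing ones.

```python
import re

# Constructed stand-in for the part of the worm's source the page quotes:
# only the counter declaration and the payload gate, nothing else.
SAMPLE_SOURCE = "my $generation = 9;\nPayLoad() if $generation > 3;\n"

# Same pattern the worm's s///e substitution uses to locate its own counter.
GEN_RE = re.compile(r"my \$generation = (\d+);")
PAYLOAD_THRESHOLD = 3  # from the page's "PayLoad() if $generation > 3"


def read_generation(source: str) -> int:
    """Return the generation number declared in a script body."""
    m = GEN_RE.search(source)
    if m is None:
        raise ValueError("no generation counter in source")
    return int(m.group(1))


def bump_generation(source: str) -> str:
    """Python equivalent of the page's Perl line
        s/my \\$generation = (\\d+);/'my $generation = ' . ($1 + 1) . ';'/e
    The /e flag evaluates the replacement as code, so the captured number is
    incremented rather than copied; re.sub with a callable does the same."""
    return GEN_RE.sub(lambda m: "my $generation = %d;" % (int(m.group(1)) + 1),
                      source, count=1)


def payload_enabled(generation: int) -> bool:
    """The gate 'PayLoad() if $generation > 3': a copy only defaces pages once
    it is more than PAYLOAD_THRESHOLD hops away from the original."""
    return generation > PAYLOAD_THRESHOLD


def lineage(source: str, hops: int) -> list:
    """Simulate `hops` successive copies of a script and report, per copy,
    its generation and whether the payload gate would fire."""
    out = []
    for _ in range(hops + 1):
        g = read_generation(source)
        out.append((g, payload_enabled(g)))
        source = bump_generation(source)
    return out


if __name__ == "__main__":
    for g, fires in lineage("my $generation = 0;\n", 5):
        print(f"generation {g}: payload {'enabled' if fires else 'dormant'}")
```

Run stand-alone it prints the first six generations starting from 0; generations 0 to 3 are dormant and 4 onward deface, which matches the gate on the page and explains why a defaced page always carries a generation number above 3.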

Furthermore, the worm finds additional victims by reaching out to Google, executing a search for possible phpBB targets:

my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all' .  '&q=allinurl%3A+%22viewtopic.php%22+%22'

 

and then attempts the exploit known as “highlight” against the server. The exploit is a SQL injection, possible because of improper UTF-8 handling.
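Two things a site operator would want from this description are a way to spot "highlight" abuse against viewtopic.php in the web server's access log, and a way to find pages the worm has already overwritten (and read the generation number out of them, which helps trace how far down the chain an infection is). The following is an added example, not code from the page or from phpBB, that does both in Python. It assumes Apache combined-format log lines (the sample lines are constructed, not the IDS logs the page mentions), treats the in-memory SAMPLE_FILES dict as a stand-in for walking the web root, and uses the defacement marker and file extensions exactly as the page gives them. The only heuristic it adds is that a legitimate highlight value is a search term made of word characters, spaces and "+", so anything else after decoding is flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines, not taken from the page's IDS logs.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2004:10:11:12 +0000] "GET /phpBB/viewtopic.php?t=42&highlight=perl HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [21/Dec/2004:10:11:13 +0000] "GET /phpBB/viewtopic.php?t=42&highlight=%27%3B HTTP/1.0" 200 612 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Dec/2004:10:12:01 +0000] "GET /phpBB/index.php HTTP/1.0" 200 8000 "-" "Mozilla/4.0"
198.51.100.7 - - [21/Dec/2004:10:12:02 +0000] "GET /phpBB/viewtopic.php?t=7&highlight=%2522 HTTP/1.0" 200 612 "-" "Mozilla/4.0"
"""

# Constructed in-memory stand-in for a web-root walk: path -> file contents.
SAMPLE_FILES = {
    "index.php": "<HTML><BODY><H1>This site is defaced!!!</H1><HR><ADDRESS><b>"
                 "NeverEverNoSanity WebWorm generation 9.</b></ADDRESS></BODY></HTML>",
    "about.htm": "<HTML><BODY>Welcome to the forum</BODY></HTML>",
    "notes.txt": "NeverEverNoSanity WebWorm generation 2.",  # not a page type the worm writes
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A highlight term is a search word: letters, digits, underscores, spaces or '+'.
SAFE_HIGHLIGHT = re.compile(r"^[\w\s+]*$")
# Marker the page reconstructs from defaced pages; the number is the worm generation.
MARKER_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")
# Page types the page says the worm overwrites.
DEFACED_EXT = (".htm", ".jsp", ".php", ".phtm", ".asp", ".shtm")


def suspicious_highlight(value: str) -> bool:
    """True if a highlight value contains anything but search-term characters.
    parse_qs has already decoded one layer of percent-encoding; decoding once
    more catches double-encoded bytes that a single pass leaves looking harmless."""
    return SAFE_HIGHLIGHT.match(unquote(value)) is None


def scan_access_log(text: str) -> list:
    """Return one record per viewtopic.php request whose highlight value is suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("viewtopic.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
            if suspicious_highlight(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "highlight": value, "status": m["status"]})
    return hits


def find_defacements(files: dict) -> dict:
    """Map each overwritten page (by the extensions the worm targets) to the
    generation number embedded in its defacement marker."""
    found = {}
    for path, content in files.items():
        if not path.lower().endswith(DEFACED_EXT):
            continue
        m = MARKER_RE.search(content)
        if m is not None:
            found[path] = int(m.group(1))
    return found


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious highlight from %(ip)s at %(time)s: %(highlight)r" % hit)
    for path, gen in find_defacements(SAMPLE_FILES).items():
        print(f"{path}: defaced by generation {gen}")
```

On a real server, replace SAMPLE_FILES with a walk of the document root and feed the access log through scan_access_log; a hit followed shortly by a burst of file modifications is the sequence this page describes. Because the worm only defaces once its generation exceeds 3, a server whose pages show a low generation number was hit early in a particular chain, which is useful when working out where a cluster of infections started.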

Details on the exploit can be found here:
http://www.securiteam.com/unixfocus/6J00O15BPS.html

That site also points to a posting with temporary fix information for anyone running an older version of the phpBB software:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

 

 

Copyright © 2004 infectionvectors.com. All rights reserved.