Santy Worm

Last night at 8:01pm (GMT8+), the LRM forum was exploited by the ‘Santy.A’ worm. The santy worm was using Google to search for forums using versions of phpBB 2.0.10 or below. When a suitable site was found, the worm used a remote exploit to gain access to the site, replaced all .htm .php .asp .shtm .jsp .phtm files with “This site is defaced. NeverEverNoSanity Webworm generation X” (X represents the generation of the worm), and then restarted scanning for new sites.

This site is defaced!!!

I was online when I happened and I it took about five minutes for the files to be changed. Luckily there was a daily back up, but there were a few files that were 0kb, mainly ones that had been updated over the last few days (including some from a re-design I was about to release). Thankfully I’m one of those people who never empty their recycle bin and most of it was still in there.

Apparently the worm is not spreading any more, thanks to Google’s quick response. Google started filtering the queries made by the worm, effectively stopping the spread of the worm. Even so, I’d advise you to take note internet. Upgrade any phpBB and check any other php based scripts now (I’ve noticed some top sites got exploited), before you see the ‘defaced’ file.

There’s a lot of sites that were exploited, but it’s hard to estimate just how many, the highest generation number is 22, and I can’t even remember what generation number I had. The first report of a sighting was 9:25 GMT on 20th of December.

Official home page of phpBB has yet to comment, but there are quite a few threads in their forum.

Category: General    

16 Comments on “Santy Worm”

  1. Well I for one am delighted it’s back. It’s public knowledge that for me, Kitta.net IS the internet!
    So when it is down, Loddy is also down…

    I will stop doing the third person thing now and say BOOYAH!
    Mwah Mwah Mwah! Oh it’s like coming home after the crusades!!

    Like

    Reply

  2. You had version 20. I nearly panicked when it happened. One second it was fine, the net it was “Argh! What did I do?”.

    I found myself hoping Loddy would come online so he could call Candy who could call you. Luckily you were online anyway!

    Good work with the fix!

    PS… the automatic comment preview thingy, and the changing colour boxes… havent seen them before, and I like!

    Like

    Reply

  3. Metao, I was actually midway thru an email to Kitta about her site when she came online, so I nabbed her, but alas, in her infinite wisdom she already knew!

    She’s so cheek pinchingly clever that girl! 🙂

    Like

    Reply

  12. Rule Number One of the little red monkey forum: DO NOT TALK ABOUT THE LITTLE RED MONKEY

    Rule Number two of the little red monkey forum: DO NOT TALK ABOUT THE LITTLE RED MONKEY

    Rule Number three of the little red monkey forum: OBEY THE RULES

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

About the Author

Nikita is a 30-something year old geeky girl that resides in Perth, Western Australia studies event management, works at events and runs EnjoyPerth. She is a self confessed high heel worshipper that suffers from multipletabitis. Kitta spends her spare time blogging sporadically, volunteering, gaming and likes taking photos of the contents of the universe.

%d bloggers like this: