Last night at 8:01pm (GMT8+), the LRM forum was exploited by the ‘Santy.A’ worm. The santy worm was using Google to search for forums using versions of phpBB 2.0.10 or below. When a suitable site was found, the worm used a remote exploit to gain access to the site, replaced all .htm .php .asp .shtm .jsp .phtm files with “This site is defaced. NeverEverNoSanity Webworm generation X” (X represents the generation of the worm), and then restarted scanning for new sites.
I was online when I happened and I it took about five minutes for the files to be changed. Luckily there was a daily back up, but there were a few files that were 0kb, mainly ones that had been updated over the last few days (including some from a re-design I was about to release). Thankfully Iâ€™m one of those people who never empty their recycle bin and most of it was still in there.
Apparently the worm is not spreading any more, thanks to Google’s quick response. Google started filtering the queries made by the worm, effectively stopping the spread of the worm. Even so, I’d advise you to take note internet. Upgrade any phpBB and check any other php based scripts now (I’ve noticed some top sites got exploited), before you see the ‘defaced’ file.
There’s a lot of sites that were exploited, but it’s hard to estimate just how many, the highest generation number is 22, and I can’t even remember what generation number I had. The first report of a sighting was 9:25 GMT on 20th of December.