
chrisroo 12-22-2004 03:06 AM

phpBB virus... look at this..
 
Saw this earlier today

http://searchsecurity.techtarget.co...1036174,00.html

Defaced forums:
http://www.google.com/search?source...verEverNoSanity


Crazy, that's why I use VBB :)

gigg 12-22-2004 03:20 AM

Will vbb be attacked by webworm also?

chrisroo 12-22-2004 03:39 AM

I doubt it.

Brent H 12-22-2004 04:56 AM

It's a phpbb only worm, I read about this on vbulletin.com earlier in the day.

Dean C 12-22-2004 07:30 AM

No it will not affect vBulletin users :)

kall 12-22-2004 08:09 AM

Quote:

Originally Posted by chrisroo

Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLS in firefox.

HiDeo 12-22-2004 09:30 AM

Some vBulletin forums are defaced :(

SVTBlackLight01 12-22-2004 09:44 AM

Quote:

Originally Posted by kall
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLS in firefox.

They don't work in IE6 either.

patriotcow 12-22-2004 11:50 AM

https://www.google.co.uk/search?ie=UTF-8&oe=UTF-8&q=NeverEverNoSanity+WebWorm+generation

Andrew 12-22-2004 03:12 PM

Quote:

Originally Posted by patriotcow

Wow - I guess it made it to like generation 24 before it stopped spreading. Which means if each instance infected 12 others there were like 8916100448256 sites that got defaced. Somehow it used the Google search engine to find phpBB sites that it could exploit - I'm glad my other site was using 2.0.11 which was safe from the exploit.

tubedogg 12-22-2004 04:02 PM

Quote:

Originally Posted by kall
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLS in firefox.

Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.

ericgtr 12-22-2004 04:23 PM

Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt

Andrew 12-22-2004 04:54 PM

Quote:

Originally Posted by ericgtr
Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt

No - This was caused by a security loophole found specifically in the phpBB software. The error you're referring to was a broader PHP error that affected almost all the PHP based bulletin boards.

ericgtr 12-22-2004 07:36 PM

Ouch.. this is what it does once it gets on your server, from news.com

"After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."

Makes me wonder if it is able to get past the webroot, wiping out all backups as well.

Andrew 12-22-2004 07:53 PM

I don't think it managed to get past the webroot - A lot of the sites I've seen have been repaired either from main server backups or personal backups of their files.

moethelawn 12-22-2004 08:26 PM

Yeah, I got an email yesterday from the company I bought my server from and they talked about that worm. Good thing I don't use phpBB :)

trackpads 12-22-2004 09:12 PM

phpbb is the best free forum software that is. The fact that this virus spread so fast is a testament to the massive use of it on the internet. In that news.com post it said that there are over 6,000,000 phpbb's out there. It has its flaws of course and the fact that its code is freely available makes it a good candidate for something like this.

Of course once you move up in needs you have to go to VB :)

trackpads 12-22-2004 09:13 PM

Quote:

Originally Posted by True.Rooster
I don't think it managed to get past the webroot - A lot of the sites I've seen have been repaired either from main server backups or personal backups of their files.

SQL injection I think.

kall 12-22-2004 10:45 PM

Quote:

Originally Posted by tubedogg
Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.

Ahh. Good lateral thinking there. :)

Erwin 12-23-2004 12:39 AM

It's quite amazing really.

The search on Google for "NeverEverNoSanity WebWorm generation" shows this at the moment:

Results 1 - 10 of about 1,480 for NeverEverNoSanity WebWorm generation. (0.10 seconds)

Erwin 12-23-2004 12:42 AM

Doing a search for this - "NeverEverNoSanity WebWorm generation 24"
http://www.google.com/search?hl=en&q...on+24%22&meta=

gives 2 sites that have been infected by Generation 24.

However, no sites come up for "NeverEverNoSanity WebWorm generation 25"

AWS 12-23-2004 01:41 AM

Quote:

Originally Posted by Erwin
Doing a search for this - "NeverEverNoSanity WebWorm generation 24"
http://www.google.com/search?hl=en&q...on+24%22&meta=

gives 2 sites that have been infected by Generation 24.

However, no sites come up for "NeverEverNoSanity WebWorm generation 25"

That's because Google blocked it. If they didn't we'd probably see many more generations.

I run a phpbb forum on a private site and I removed it when a forum I visit was hacked. I don't think it could be found in Google, but, I took no chances and removed it.

Erwin 12-23-2004 03:26 AM

Ahhh... makes sense.

nghiasi 12-23-2004 04:31 AM

hopefully vbulletin won't get into this problem. ;)

Link14716 12-23-2004 04:00 PM

The problem doesn't affect vBulletin. ;)

Anyways, http://www.google.com/search?hl=en&l...22&btnG=Search shows some results now.

EDIT: Seems to go all the way to generation 29 now. Eeek.

AN-net 12-23-2004 05:07 PM

Was gaia online attacked cause there is a critical error on their site saying it can't connect to database?

Michael Morris 12-24-2004 08:06 AM

This particular exploit can't hit vbulletin, but you can guarantee there are - for lack of a better word - +++++++s - who are trying to find such an exploit in the vbulletin code. It's how they get their rocks off because finding a girlfriend is completely beyond them.

Floris 12-24-2004 01:32 PM

Quote:

Originally Posted by Michael Morris
This particular exploit can't hit vbulletin, but you can guarantee there are - for lack of a better word - +++++++s - who are trying to find such an exploit in the vbulletin code. It's how they get their rocks off because finding a girlfriend is completely beyond them.

Here are some official reads about the PHP issue pointed out in this thread and the more on-topic issue: phpBB worm.

PHP Vulnerabilities in <= 4.3.9 and <= 5.0.2
http://www.vbulletin.com/forum/showthread.php?t=123531

How to avoid being damaged by the phpBB worm
http://www.vbulletin.com/forum/showthread.php?t=124008

Michael Morris 12-24-2004 10:50 PM

Thanks for the links Floris.

My comment still stands though - while all known vulnerabilities are patched, that doesn't mean that tomorrow the script-kiddies won't find a hole. It is sad though that some people waste their time destroying other folks' work.

One of the regulars at EN World lost his entire campaign site to this worm. Say what you will about the failure to keep backups, it's still sad to see this happen so needlessly.

Erwin 12-25-2004 05:53 AM

Quote:

Originally Posted by Michael Morris
Thanks for the links Floris.

My comment still stands though - while all known vulnerabilities are patched, that doesn't mean that tomorrow the script-kiddies won't find a hole. It is sad though that some people waste their time destroying other folks' work.

One of the regulars at EN World lost his entire campaign site to this worm. Say what you will about the failure to keep backups, it's still sad to see this happen so needlessly.

Always have backups. :)

AWS 12-26-2004 02:16 PM

Quote:

Originally Posted by Erwin
Always have backups. :)

There is a new worm that exploits the safe mode file traversal bug in php versions prior to 4.3.10. It uploads files to /tmp and executes them. This makes the box a zombie. It joins an irc channel and from there the botmaster can control the box and make it do whatever it is he is going to do with all the zombies he is creating.
Upgrade php to the latest version if you haven't done so already. If you are on a shared host make sure to let the isp know about upgrading. There are other vulns in php and there will be more worms like this one to exploit the other bugs.

Smitty 12-26-2004 05:30 PM

Also see http://www.vbulletin.com/forum/showthread.php?t=124159

