The Arcive of Official vBulletin Modifications Site.

tubedogg · #11 12-22-2004, 04:02 PM

Quote:

Originally Posted by kall

Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLS in firefox.

Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.

ericgtr · #12 12-22-2004, 04:23 PM

Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt

Andrew · #13 12-22-2004, 04:54 PM

Quote:

Originally Posted by ericgtr

Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt

No - This was caused by a security loophole found specifically in the phpBB software. The error you're reffering to was a broader PHP error that affected almost all the PHP based bulletin boards.

ericgtr · #14 12-22-2004, 07:36 PM

Ouch.. this is what it does once it gets on your server, from news.com

"After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."

Makes me wonder if it is able to get past the webroot, wiping out all backups as well.

Andrew · #15 12-22-2004, 07:53 PM

I don't think it managed to get past the webroot - Alot of the sites I've seen have been repaired either from main server backups or personal backups of their files.

moethelawn · #16 12-22-2004, 08:26 PM

Yeah, I got an email yesterday from the company I bought my server from and they talked about that worm. Good thing I don't use phpBB

trackpads · #17 12-22-2004, 09:12 PM

phpbb is the best free forum software that is. The fact that this virus spread so fast is a testament to the massive use of it on the internet. In that news.com post it said that their are voer 6,000,000 phpbb's out there. It has its flaws of course and the fact that its code is freely available makes it a good candidate for something like this.

Of course once you move up in needs you have to go to VB

trackpads · #18 12-22-2004, 09:13 PM

Quote:

Originally Posted by True.Rooster

I don't think it managed to get past the webroot - Alot of the sites I've seen have been repaired either from main server backups or personal backups of their files.

SQL injection I think.

kall · #19 12-22-2004, 10:45 PM

Quote:

Originally Posted by tubedogg

Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.

Ahh. Good lateral thinking there.

Erwin · #20 12-23-2004, 12:39 AM

It's quite amazing really.

The search on Google for "NeverEverNoSanity WebWorm generation" shows this at the moment:

Results 1 - 10 of about 1,480 for NeverEverNoSanity WebWorm generation. (0.10 seconds)

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04131 seconds Memory Usage 2,257KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (3)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!