Go Back   vb.org Archive > Community Central > Community Lounge
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #11  
Old 12-22-2004, 04:02 PM
tubedogg's Avatar
tubedogg tubedogg is offline
 
Join Date: Oct 2001
Location: Medina, OH
Posts: 785
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by kall
Are those URLs deliberately not working?

I'm getting dots in the middle that are causing odd URLS in firefox.
Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.
Reply With Quote
  #12  
Old 12-22-2004, 04:23 PM
ericgtr's Avatar
ericgtr ericgtr is offline
 
Join Date: Apr 2003
Location: Portland, Oregon
Posts: 1,407
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt
Reply With Quote
  #13  
Old 12-22-2004, 04:54 PM
Andrew's Avatar
Andrew Andrew is offline
 
Join Date: Nov 2004
Location: Pennsylvania
Posts: 441
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ericgtr
Isn't this a php exploit for versions 4.3.9 and 5.0.2 or is it something different? http://www.hardened-php.net/advisories/012004.txt
No - This was caused by a security loophole found specifically in the phpBB software. The error you're reffering to was a broader PHP error that affected almost all the PHP based bulletin boards.
Reply With Quote
  #14  
Old 12-22-2004, 07:36 PM
ericgtr's Avatar
ericgtr ericgtr is offline
 
Join Date: Apr 2003
Location: Portland, Oregon
Posts: 1,407
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ouch.. this is what it does once it gets on your server, from news.com

"After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm."

Makes me wonder if it is able to get past the webroot, wiping out all backups as well.
Reply With Quote
  #15  
Old 12-22-2004, 07:53 PM
Andrew's Avatar
Andrew Andrew is offline
 
Join Date: Nov 2004
Location: Pennsylvania
Posts: 441
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I don't think it managed to get past the webroot - Alot of the sites I've seen have been repaired either from main server backups or personal backups of their files.
Reply With Quote
  #16  
Old 12-22-2004, 08:26 PM
moethelawn's Avatar
moethelawn moethelawn is offline
 
Join Date: Nov 2003
Location: Iowa
Posts: 53
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yeah, I got an email yesterday from the company I bought my server from and they talked about that worm. Good thing I don't use phpBB
Reply With Quote
  #17  
Old 12-22-2004, 09:12 PM
trackpads's Avatar
trackpads trackpads is offline
 
Join Date: Aug 2003
Location: Armyville
Posts: 1,074
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

phpbb is the best free forum software that is. The fact that this virus spread so fast is a testament to the massive use of it on the internet. In that news.com post it said that their are voer 6,000,000 phpbb's out there. It has its flaws of course and the fact that its code is freely available makes it a good candidate for something like this.

Of course once you move up in needs you have to go to VB
Reply With Quote
  #18  
Old 12-22-2004, 09:13 PM
trackpads's Avatar
trackpads trackpads is offline
 
Join Date: Aug 2003
Location: Armyville
Posts: 1,074
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by True.Rooster
I don't think it managed to get past the webroot - Alot of the sites I've seen have been repaired either from main server backups or personal backups of their files.
SQL injection I think.
Reply With Quote
  #19  
Old 12-22-2004, 10:45 PM
kall's Avatar
kall kall is offline
 
Join Date: Apr 2004
Location: New Zealand
Posts: 2,608
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by tubedogg
Somebody copied the URLs directly off another forum, it looks like, and therefore the dots in the middle were copied into the linked URL as well.
Ahh. Good lateral thinking there.
Reply With Quote
  #20  
Old 12-23-2004, 12:39 AM
Erwin's Avatar
Erwin Erwin is offline
 
Join Date: Jan 2002
Posts: 7,604
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It's quite amazing really.

The search on Google for "NeverEverNoSanity WebWorm generation" shows this at the moment:

Results 1 - 10 of about 1,480 for NeverEverNoSanity WebWorm generation. (0.10 seconds)
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 10:04 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04069 seconds
  • Memory Usage 2,257KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete