Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-12-21 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

*Santy worm defaces websites using php bug

Published: 2004-12-21
Last Updated: 2004-12-21 23:58:30 UTC
by Chris Carboni (Version: 1)
0 comment(s)
Santy worm defaces websites using phpBB bug

A worm taking advantage of a phpBB vulnerability has been defacing websites.
The worm uses the 'highlight' vulnerability found in phpBB version 2.0.10 and
earlier. It uploads and executes a perl script.

From user reports, the worm was active as early as yesterday.


The perl script first checks if it can access Google's "advanced search" page.
If it can, it will use Google to find other vulnerable sites and try to infect them. Even if it is not able to reach Google, it will try to replace all files that contain '.php', '.htm', '.asp' and '.shtm'.

As an additional feature, the script track its "generation". Each time it installs itself on a new machine, the "generation" is incremented. The defacement only takes place if the generation is larger then 3, indicating
that the script initially spread in a more stealthy mode to infect systems
silently before being discovered.

Most php installs terminate scripts that exceed a given runtime. In order to
avoid this problem, and to avoid having the script terminated once the
connection is closed, it forks itself right at the start, essentially
running in the background.

In order to verify a successful infection, the worm first attempts to create a small "marker file". If it can find this file, it will try to upload and run itself on the target system.

The URL used to search Google for vulnerable systems is:
q=allinurl%3A+%22viewtopic.php%22+%22 RANDOM1 %3d RANDOM2 %22&btnG=Search.

'RANDOM1' is one of the strings 't', 'p' or 'topic', while
'RANDOM2' is a number from 0 to 30000
A sample Google URL as it would be used by Santy:

which results in the Google search string:

allinurl: "viewtopic.php" "topic=12345"

"viewtopic.php" is the vulnerable page in phpBB, which can be used to
trigger the 'highlight' vulnerability.
The perl script makes use of to setup the HTTP connections. The headers the script generates are:

GET $res HTTP/1.0
Host: $host
Accept-Language: en-us,en-gb;q=0.7,en;q=0.3
Pragma: no-cache
Cache-Control: no-cache
Referer: http://" . $host . $res .
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close

$host and $res are replaced with the hostname and URL respectively.
More details on the Sanity worm are available at:

Public exploit code for the php vulnerability has recently been made available.

If you are infected and are able to extract a copy of the perl script, please
submit it via our contact form: .

Preliminary Snort Signatures

here some preliminary snort signatures. Let us know if they work:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "phpBB highlight exploit
attempt"; content: "&highlight=%2527%252Esystem(";)
alert tcp any any -> any 80 (msg: "Possible Santy.A worm searching google for
targets"; content: "&q=allinurl%3A+%22viewtopic.php%22+%22";)

A bit more then a year ago, we did discuss a web defacement against another bulletin board ("yabb") which used Google as well to find vulnerable sites. See . While this wasn't a worm back then, it is another example how search engines can be used to find vulnerable sites. Also see Friday's diary about some php security tips: .

Web Server Logs

A number of users posted web server logs that show the inital check
to see if files can be written. For example, this log entry was posted
to the Unisog list:
Defacement Message

Content of the page left by the worm:

<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">;
<H1 >This site is defaced!!!</H1>;
<ADDRESS>< b>NeverEverNoSanity WebWorm generation } .
$generation .q{.< /b

('$generation' is replaced with the worm's generation count. I added spaces
to the 'H1' and 'B' tags to avoid them being parsed by the diary posting


As part of our first post on this, we speculated that the worm may be using
one of the recent problems in php to spread. After getting a hold of the
code, it turned out that it is specific to phpBB and only uses the highlight
vulnerability in phpBB.

isc dot chris at gee mail dot com & jullrich \'AT
0 comment(s)
Diary Archives