Prince Serendip (Newbie Poster)

PHP Forums Warning: New Strain Santy Worm Attacks

  #1  
Dec 26th, 2004
On behalf of the Security Community I have been asked to spread the word on this threat as it is very real and growing worse as time passes.

Posted on Saturday, 25 December 2004 @ 16:33:38 EST by Paul Laudanski at http://castlecops.com/

Folks, it seems that Santy worm has taken on a new strain. It also searches Yahoo now in addition to Google, but it looks for any PHP scripts with all possible arguments passed thru in the HTTP GET. This worm tries all arguments in your PHP script to throw in shell commands that access a particular website, download some text files into /tmp, and then execute them using Perl. If you are using Mod_Security, you might want to try something like this (it's working for us so far):

SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"

Just in case the URL changes, the latter should still get all sorts of:

http://
ftp://

Naturally, the latter also filters on

%3a%2f

It is Christmas after all, so a quick patch to throw HTTP 406s at the requester works thru the above.


The new strain is now called Santy.c


Merry Christmas and be prepared.
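
A log check for the requests described in the post above, as an added example that is not part of the original post or of mod_security: it percent-decodes each GET parameter and flags values containing ":/", the same substring the second SecFilter matches. The log lines, host names and function names are constructed for illustration, and decoding more than once goes beyond what the post describes.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic);
# payload.example, the script names and the status codes are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Dec/2004:16:01:02 -0500] "GET /index.php?page=news&id=7 HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [25/Dec/2004:16:02:10 -0500] "GET /index.php?page=http://payload.example/a.txt HTTP/1.0" 200 310 "-" "-"
192.0.2.44 - - [25/Dec/2004:16:02:11 -0500] "GET /view.php?id=3&f=ftp%3a%2f%2fpayload.example/a.txt HTTP/1.0" 406 0 "-" "-"
192.0.2.44 - - [25/Dec/2004:16:02:12 -0500] "GET /view.php?f=http%253A%252F%252Fpayload.example/a HTTP/1.0" 200 290 "-" "-"
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3}) ')
MARKER = ":/"  # same substring as the post's second SecFilter


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so %3a%2f and %253a%252f both normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_probes(log_text):
    """Return (client, path, parameter, status) for GET parameters containing ':/'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a GET request line in the expected format
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            if MARKER in decode_fully(raw):
                hits.append((client, path, name, int(status)))
    return hits


def not_blocked(hits):
    """Hits the server answered with anything other than the 406 the filter returns."""
    return [h for h in hits if h[3] != 406]


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Entries returned by `not_blocked` are the ones to review first, since the server did not reject them with a 406.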
mikeSQL (Junior Poster)

Re: PHP Forums Warning: New Strain Santy Worm Attacks

  #2  
Dec 26th, 2004
Oo OO OO, I appreciate that. I have to go update the pages now. My site that is. Not here. I wish.
dynastyCODERS#1 when it comes to Programming Tutorials, Database designs and discussions, Operating Systems, you name it, check us out and drop us a line to tell us your opinions on any and everything in mind!;)