On behalf of the Security Community I have been asked to spread the word on this threat as it is very real and growing worse as time passes.

Posted on Saturday, 25 December 2004 @ 16:33:38 EST by Paul Laudanski at http://castlecops.com/

Folks, it seems that Santy worm has taken on a new strain. It also searches Yahoo now in addition to Google, but it looks for any PHP scripts with all possible arguments passed thru in the HTTP GET. This worm tries all arguments in your PHP script to throw in a shell commands that access a particular website, download some text files into /tmp, and then execute them using Perl. If you are using Mod_Security, you might want to try something like this (its working for us so far):

SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
Just in case the URL changes, the latter should still get all sorts of:


Naturally, the latter also filters on


It is Christmas after all, so a quick patch to throw HTTP 406s at the requester works thru the above..

The new strain is now called Santy.c

Merry Christmas and be prepared.

13 Years
Discussion Span
Last Post by mikeSQL

Oo OO OO, I appriciate that. I have to go update the pages now. My site that is. Not here. I wish.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.