Enterasys - Secure Networks

There is nothing more important than our customers.

ENSRT Incident Note ETS-i-2004-12513

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worm - Santy.A

Release Date: 12/21/2004
Last Updated:


Overview

A vulnerability in the "phpBB" open source WEB server based bulletin board system is being exploited by a new family of worms. The first variant seen to date is currently being called "Santy.A". It attacks vulnerable WEB servers running the "phpBB" bulletin board and defaces the content on those systems.

Systems affected

Systems running "phpBB" WEB server bulletin board software.

Systems not affected

N/A

Description

The Santy.A worm begins its attack by performing a specialized Google search which looks for vulnerable WEB servers running "phpBB". Once the list of potentially vulnerable WEB sites has been retrieved via Google, the worm sends a request containing the exploit to each WEB server from the Google list. If successful, the WEB server is then conquered and all files of type ".asp", ".htm", ".jsp", ".php", ".phtm", and ".shtm" are overwritten with the following content:

This site is defaced!!!

This site is defaced!!!
NeverEverNoSanity WebWorm generation [X].

Note: [X] in the above worm output is the number of times the WEB server was defaced.

Once the attacked WEB server is fully under control of the worm the spreading process is continued by the newly conquered machine.
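The file overwrite described above leaves a fixed text pattern behind, which makes compromised web roots easy to triage. The following script is an added example and is not part of the Enterasys advisory or of phpBB: it walks a web root, checks only the file types the advisory lists as overwritten, and reports every file carrying the defacement text together with the generation counter. The web root layout, file names and generation numbers it builds are constructed sample data; the marker strings and extension list are taken from the advisory.

```python
"""Triage helper: find web files overwritten with the Santy.A defacement text.

Added example; not part of the Enterasys advisory. The marker strings and
extension list come from the advisory's description of the worm; the web root
path, file names and generation numbers below are constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path

# File types the advisory says the worm overwrites.
DEFACED_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}

# Defacement text quoted in the advisory; [X] is the generation counter.
DEFACE_MARKER = "This site is defaced!!!"
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)\.")


def classify_file(path):
    """Return the worm generation number if the file carries the defacement
    text, otherwise None. Bytes are decoded as latin-1 so binary content
    never raises a decoding error."""
    try:
        data = path.read_bytes()
    except OSError:
        return None
    text = data.decode("latin-1")
    if DEFACE_MARKER not in text:
        return None
    m = GENERATION_RE.search(text)
    return int(m.group(1)) if m else 0  # marker present, counter unreadable


def find_defaced_files(web_root):
    """Walk web_root and return {relative_path: generation} for every file
    with an affected extension whose content matches the defacement."""
    root = Path(web_root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in DEFACED_EXTENSIONS:
                continue
            gen = classify_file(p)
            if gen is not None:
                hits[str(p.relative_to(root))] = gen
    return hits


def build_sample_web_root():
    """Create a constructed web root: two defaced pages, one clean page, and
    a defaced-looking .txt that is outside the affected extension list."""
    root = Path(tempfile.mkdtemp(prefix="santy-triage-"))
    defaced = ("This site is defaced!!!\n\nThis site is defaced!!!\n"
               "NeverEverNoSanity WebWorm generation {}.\n")
    (root / "forum").mkdir()
    (root / "index.php").write_text(defaced.format(3))
    (root / "forum" / "viewtopic.php").write_text(defaced.format(3))
    (root / "about.htm").write_text("<html><body>Welcome to the forum</body></html>")
    (root / "notes.txt").write_text(defaced.format(3))  # not an affected type
    return root


if __name__ == "__main__":
    sample_root = build_sample_web_root()
    for rel, gen in sorted(find_defaced_files(sample_root).items()):
        print(f"{rel}: defaced (worm generation {gen})")
```

Run it against the real document root instead of the constructed one by passing that path to find_defaced_files; the generation number tells you how many hops down the worm's spreading chain the server was when it was hit, which helps order incident timelines across several affected hosts.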

Threat Assessment

At present end users are not affected by this worm and cannot be infected by simply visiting a compromised WEB server. Enterprises with WEB servers running phpBB software should immediately review the phpBB statements regarding the vulnerability:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=244451

Remediation

Matrix N7: X
Matrix E7: X
Matrix E6: X
Matrix E5: X
Matrix E1: X
VH: X

Detection

Updated IDS signatures can be downloaded here: https://dragon.enterasys.com (requires login)

Prevention

Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

Internet or edge facing firewalls should be configured with a default 'Deny' policy and contain 'Permit' policies for only needed services and applications. Furthermore, careful inspection of firewall policies that allow TCP traffic streams to be initiated from the Internet into internal enterprise resources is required. These policies should only allow specific protocols to trusted servers thereby combating the increased use of random TCP ports by Internet Trojans and worms.

Repair

Review the documentation provided by phpBB on their WEB page.

References

http://www.viruslist.com/en/viruses/encyclopedia?virusid=68388
http://www.kaspersky.com/news?id=156681162


This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    


Revision History:

Version: 1.0

Date: 12/21/2004

Author: ENSRT STAFF

Change
