Anyone been hit by perl.santy?

The views expressed on this page by users and staff are their own, not those of NamePros.
My friend has been affected by this, although he didn't run phpBB; looks like a server-wide thing.

Anyone know how to remove it?

Danny
 
Boardhost said:
My friend has been affected by this, although he didn't run phpBB; looks like a server-wide thing.

Anyone know how to remove it?

Danny


It's a hole in PHP prior to 4.3.10, but it's being exploited via phpBB, so you need to get PHP 4.3.10 installed.
And I'm not sure how to remove it, I'm afraid; the only way you could be sure, though, is an OS reload.

Also, make backups of your sites!
 
Bleedin' heck, good job I wasn't affected, 'cos if I found out who did it I would find out their IP details and personally fly to their country and, well, *have a chat* with them :|

Danny
 
Good thing I'm switching to Windows programming :)
 
Also, with cPanel hosts:

I noticed yesterday I had PHP 4.3.10 checked in updateapache, but it hadn't compiled it; I was still running PHP 4.3.9, so I had to recompile Apache with the new PHP to upgrade.
 
adam_uk said:
Also, with cPanel hosts:

I noticed yesterday I had PHP 4.3.10 checked in updateapache, but it hadn't compiled it; I was still running PHP 4.3.9, so I had to recompile Apache with the new PHP to upgrade.

I think it's been in cPanel for a few days, although it wasn't checked as the default; 4.3.9 was.
 
Yesterday = 780 Websites | Today = 2,800+ Websites :o

The problem with 4.3.10 is it can break the code for some websites.
 
I believe it can still be exploited with PHP 4.3.10. I think the two problems are separate. So I wouldn't think you're safe from the phpBB exploit just because you upgraded PHP. You will still want to update/patch all the phpBBs on your server(s).

I think it can also affect other users' files once it has entered through the outdated phpBB, depending on how the server is set up and such, which might explain why users' scripts that are not running phpBB have been affected. For example, world-writable files and such.
 
Good thing I'm switching to Windows programming

Don't be so sure; it can affect Windows machines as well.
 
deadserious said:
I believe it can still be exploited with PHP 4.3.10. I think the two problems are separate. So I wouldn't think you're safe from the phpBB exploit just because you upgraded PHP. You will still want to update/patch all the phpBBs on your server(s).

I think it can also affect other users' files once it has entered through the outdated phpBB, depending on how the server is set up and such, which might explain why users' scripts that are not running phpBB have been affected. For example, world-writable files and such.

Yeah, I found out today that phpBB 2.0.11 isn't safe and it can still be exploited.

I was hit by it over Xmas Eve and Day, and it crippled my server practically to a standstill.

If you check your /tmp dir and look for files like php.txt.1, ownz.txt.1, etc., it probably means you're infected as well.

Also heard vBulletin is open to attack as well?!?

So if PHP 4.3.10 and phpBB 2.0.11 are still open, there's cock all I can do to keep my sites safe apart from shutting down the server?
 
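As an added example (not code from anyone in this thread), here is a small POSIX shell triage script covering the two checks the posts above describe: the /tmp artefacts (files named php.txt.N and ownz.txt.N, and the hidden .NNNN.NNNNNNNN files that fill up with URLs, mentioned further down in the thread), and the world-writable files and directories that would let something which got in through one account's phpBB touch another account's files. The file names are the ones quoted in the thread; the demo directory, the "site" account and the avatar.php file are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Looks for the /tmp indicators the
# posters describe and for world-writable paths under a web root.

# Print every indicator directly under DIR (default /tmp), one per line.
santy_indicators() {
    dir="${1:-/tmp}"
    # Dropper/output files quoted in the thread: php.txt.1, ownz.txt.1, ...
    for f in "$dir"/php.txt.* "$dir"/ownz.txt.*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    # Hidden files named .<digits>.<digits> that contain a list of URLs
    for f in "$dir"/.[0-9]*; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/}" | grep -Eq '^\.[0-9]+\.[0-9]+$' || continue
        grep -q 'http://' "$f" && printf '%s\n' "$f"
    done
}

# Number of indicators found under DIR.
santy_count() {
    santy_indicators "$1" | wc -l | tr -d ' '
}

# Exit status 0 if DIR holds at least one indicator, 1 otherwise.
santy_hit() {
    [ "$(santy_count "$1")" -gt 0 ]
}

# World-writable files and directories under DIR, skipping sticky-bit
# directories (a /tmp-style directory is world-writable by design).
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) ! -perm -1000 -print
}

# Constructed stand-ins for /tmp and a web root (not real infection data).
demo=$(mktemp -d)
mkdir -p "$demo/tmp" "$demo/home/site/public_html"
printf 'fake dropper\n' > "$demo/tmp/php.txt.1"
printf 'fake dropper\n' > "$demo/tmp/ownz.txt.1"
printf 'http://example.invalid/a\nhttp://example.invalid/b\n' > "$demo/tmp/.3054.34523434"
printf 'nothing to see\n' > "$demo/tmp/.12345"          # hidden, but not the .N.N shape
printf 'fake upload\n' > "$demo/home/site/public_html/avatar.php"
chmod 666 "$demo/home/site/public_html/avatar.php"       # any other account could overwrite this

echo "indicators in $demo/tmp:"
santy_indicators "$demo/tmp"
echo "world-writable under $demo/home:"
world_writable "$demo/home"
rm -rf "$demo"
```

On a real box you would run `santy_indicators /tmp` and `world_writable /home` (or wherever the accounts live). A hit on the first is a reason to treat the server as compromised rather than just patch it; the second list is what to fix so one account's hole cannot become everyone's.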
mod_security with tight rules (and some custom ones) may help. Can't be sure though.
 
Scott said:
mod_security with tight rules (and some custom ones) may help. Can't be sure though.

Yeah, saw something about this; just trying to figure it all out now. Not much info about it at the moment, though.
 
adam_uk said:
Yeah, saw something about this; just trying to figure it all out now. Not much info about it at the moment, though.

Also, I'm not sure how the attacks work (if it's just one request or many simultaneous requests), but if the latter, mod_dosevasive might be helpful too.

I have reason to believe it's many simultaneous requests, since it hit a friend's server and completely killed httpd.
 
Scott said:
Also, I'm not sure how the attacks work (if it's just one request or many simultaneous requests), but if the latter, mod_dosevasive might be helpful too.

I have reason to believe it's many simultaneous requests, since it hit a friend's server and completely killed httpd.

I saw that if you look in /tmp for files like .3054.34523434 and pico it up, there are loads of URLs in there, which I've seen appear with an affected account, and it gets pretty long pretty quick.

It uses wget to move itself about, so I chmoded wget in /usr/bin so only root can use it, so it should be OK from it transferring itself about. I've got rid of it off my box, so hopefully, fingers crossed.

Might have to look into this httpd info a bit more, but I've got all accounts upgraded, so I'll just keep an eye on activity.
 
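The wget lockdown in the post above, written out as an added example (not the poster's own commands): strip group and other permissions from a binary so only root can run it, and verify the result. Because the demo has to run unprivileged, it operates on a throwaway copy in a temp directory; on a real box you would point it at /usr/bin/wget. The "pretend wget" stub is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: make a downloader root-only and check it.

# Permission string for group and others, e.g. "r-xr-x" or "------".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Exit status 0 if only the owner has any access to FILE, 1 otherwise.
root_only() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Remove all group/other permissions from FILE. When run as root, also make
# root the owner; otherwise the original owner could simply chmod it back.
restrict_to_root() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if [ "$(id -u)" = "0" ]; then
        chown root "$f"
    fi
    chmod 700 "$f"
    root_only "$f"
}

# Constructed stand-in for /usr/bin/wget so the demo runs without root.
demo_dir=$(mktemp -d)
demo_bin="$demo_dir/wget"
printf '#!/bin/sh\necho "pretend wget $*"\n' > "$demo_bin"
chmod 755 "$demo_bin"                       # the usual world-executable state

if root_only "$demo_bin"; then
    echo "already restricted"
else
    echo "before: group/other = $(group_other_bits "$demo_bin")"
fi
restrict_to_root "$demo_bin" && echo "after:  group/other = $(group_other_bits "$demo_bin")"
rm -rf "$demo_dir"
```

Caveat a practitioner would add: this only removes one convenient fetcher. The same treatment applies to any other downloader on the box (curl, lynx, fetch), and code that is already running as the web user can still fetch things by other means, so it buys time rather than closing the hole; patching the phpBB installs is still the fix.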
My client had a huge, and I mean huge, forum that got hit and he lost everything.

He is now starting over with vBulletin!
 
PremiumHostednet said:
My client had a huge, and I mean huge, forum that got hit and he lost everything.

He is now starting over with vBulletin!

I've heard even vB is vulnerable, not sure if there's any truth in that, though.
 
adam_uk said:
It uses wget to move itself about, so I chmoded wget in /usr/bin so only root can use it, so it should be OK from it transferring itself about. I've got rid of it off my box, so hopefully, fingers crossed.

You could use LES then. Works a treat. :)
 
Santy must die.. hehe!!! :alien: *<|
 
Scott said:
You could use LES then. Works a treat. :)

That looks interesting, but on my box, to get to root I use su -, and the user before that I use for general stuff, so it might start messing with binaries I need when I'm logged in as my main user.

Do you know if you can add custom users?
 
It doesn't touch /bin/su; you should be OK. :cy:
 