Re: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-22 Thread Max Valdez

 http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
 http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
 http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

 If Google were to block this particular pattern of search request it
 would stop the spread of the worm for now.

They are blocking it, at least for me, go try yourself.

Is the expected behavior from google :-)

Max
-- 
Linux garaged 2.6.9-ac9 #2 SMP Tue Nov 16 17:07:13 CST 2004 i686 Intel(R) 
Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GS d- s+:+ a C++ UL+++ P+ L E--- W++ N o-- K w--- O- M-- V-- PS+ PE+++ Y-- 
PGP- t-- 5 X+ R* tv++ b++ DI++ D+ G++ e+++ h--- r+++ z**
--END GEEK CODE BLOCK--
gpg-key: http://garaged.homeip.net/gpg-key.txt
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-22 Thread morning_wood
 Below are some examples of what an actual Santy search request would
 look like:


http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

 If Google were to block this particular pattern of search request it
 would stop the spread of the worm for now.

looks like they did...
 / snip / 

Google Error

We're sorry...
.. but we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.
We'll restore your access as quickly as possible, so try again soon. In the
meantime, you might want to run a virus checker or spyware remover to make
sure that your computer is free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.

 / snip / --

cheers,

m.w


RE: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-22 Thread Patrick Nolan
 If Google were to block this particular pattern of search 
 request it would stop the spread of the worm for now.
 
 -Joe
 
 --
 Joe Stewart, GCIH
 Senior Security Researcher
 LURHQ http://www.lurhq.com/

I believe it is blocked now [thanks Google].

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com




[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-21 Thread Feher Tamas
Hello,

Possible apache2/php 4.3.9 worm

Confirm, it's an epidemic. The worm is called Perl.Santy.A.

Remedy is here (unofficial):
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Continuous info about the worm is here:
http://www.f-secure.com/weblog/

There were 40k+ infected http servers already (at least).

Sincerely: Tamas Feher.


[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-21 Thread Joe Stewart
The search query used by the Santy worm uses the following template 
(parentheses contain substitution choices and are not part of the 
literal template):
 
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22(random choice between t, p, and topic)%3D(random number between 0 and 3)%22&btnG=Search

Below are some examples of what an actual Santy search request would 
look like:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

If Google were to block this particular pattern of search request it 
would stop the spread of the worm for now.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
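The template Joe describes above, turned into a defender-side check for outbound proxy logs. This is an added example and not code from the post or from LURHQ: it decodes the q parameter of a Google search URL with the standard library, matches it against the allinurl:"viewtopic.php" "<t|p|topic>=<number>" shape, and counts hits per client over a few constructed log lines (the log format and client addresses are assumptions).

```python
import re
from urllib.parse import urlparse, parse_qs

# Query string Santy sends to Google, per the template in the post:
#   allinurl:"viewtopic.php" "<t|p|topic>=<number>"
SANTY_QUERY = re.compile(r'^allinurl:\s*"viewtopic\.php"\s+"(t|p|topic)=(\d+)"$')


def is_santy_search(url: str) -> bool:
    """Return True if `url` is a Google /search request matching the Santy template."""
    parts = urlparse(url)
    if not parts.netloc.endswith("google.com") or parts.path != "/search":
        return False
    params = parse_qs(parts.query)
    # parse_qs percent-decodes the value and turns '+' back into spaces
    q = params.get("q", [""])[0]
    return SANTY_QUERY.match(q) is not None


# Constructed proxy log lines (not real traffic): "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2004-12-21T10:00:01Z 10.0.0.5 http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
2004-12-21T10:00:02Z 10.0.0.9 http://www.google.com/search?q=phpbb+viewtopic.php+help
2004-12-21T10:00:03Z 10.0.0.5 http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
2004-12-21T10:00:04Z 10.0.0.7 http://forum.example.invalid/viewtopic.php?t=2580
"""


def find_santy_clients(log_text: str) -> dict:
    """Count Santy-style Google searches per client address in proxy log text."""
    hits = {}
    for line in log_text.splitlines():
        try:
            _ts, client, url = line.split(maxsplit=2)
        except ValueError:
            continue  # malformed line; skip rather than abort the sweep
        if is_santy_search(url):
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    for client, count in find_santy_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} Santy-pattern search(es)")
```

A client showing repeated hits is a candidate infected host to isolate; an ordinary search that merely mentions viewtopic.php (second log line) does not match, and neither does a direct request to a forum.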