Re: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search
>
> If Google were to block this particular pattern of search request it would stop the spread of the worm for now.

They are blocking it, at least for me; go try yourself. Is this the expected behaviour from Google? :-)

Max

--
Linux garaged 2.6.9-ac9 #2 SMP Tue Nov 16 17:07:13 CST 2004 i686 Intel(R) Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS d- s+:+ a C++ UL+++ P+ L E--- W++ N o-- K w--- O- M-- V-- PS+ PE+++ Y-- PGP- t-- 5 X+ R* tv++ b++ DI++ D+ G++ e+++ h--- r+++ z**
------END GEEK CODE BLOCK------

gpg-key: http://garaged.homeip.net/gpg-key.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
> Below are some examples of what an actual Santy search request would look like:
>
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
> http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search
>
> If Google were to block this particular pattern of search request it would stop the spread of the worm for now.

looks like they did...

/ snip /
Google Error

We're sorry...

... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected.

We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.
/ snip /

--
cheers, m.w
RE: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
> If Google were to block this particular pattern of search request it would stop the spread of the worm for now.
>
> -Joe
>
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ http://www.lurhq.com/

I believe it is blocked now [thanks Google].

Regards,
Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com
To Submit A Virus: pkzip/winzip password infected to submitvirus at fortinet dot com
[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
Hello,

> Possible apache2/php 4.3.9 worm

Confirm, it's an epidemic. The worm is called Perl.Santy.A.

Remedy is here (unofficial):
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Continuous info about the worm is here:
http://www.f-secure.com/weblog/

There were 40k+ infected http servers already (at least).

Sincerely: Tamas Feher.
[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
The search query used by the Santy worm uses the following template (parentheses contain substitution choices and are not part of the literal template):

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22(random choice between t, p, and topic)%3D(random number between 0 and 3)%22&btnG=Search

Below are some examples of what an actual Santy search request would look like:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

If Google were to block this particular pattern of search request it would stop the spread of the worm for now.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
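As an added example (not code from the thread, from LURHQ, or from any vendor mentioned), here is a matcher for the query template Joe describes, applied on the defender's side: an outbound proxy log is scanned for Google searches whose `q` parameter is `allinurl:"viewtopic.php" "<t|p|topic>=<number>"`, and hosts issuing several of them are flagged. The three search URLs are the ones from the post with the `&` separators restored; the Squid-style log lines, client IPs and peer addresses are constructed for this example. The number part is matched as any run of digits rather than the range quoted in the post, which is enough to cover the sample requests.

```python
"""Detect Santy-style Google searches in an outbound Squid access log.

Added example for the Full-Disclosure thread; not code from the thread or
from any vendor. Log lines below are constructed, not captured.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The decoded q= value from the template in the post:
#   allinurl: "viewtopic.php" "<t|p|topic>=<number>"
# \s* after the colon absorbs the space that the URL's "+" decodes to.
SANTY_QUERY_RE = re.compile(
    r'^allinurl:\s*"viewtopic\.php"\s+"(?P<param>t|p|topic)=(?P<num>\d+)"$'
)


def classify_google_search(url):
    """Return (param, number) when url is a Santy-style Google search, else None."""
    parts = urlsplit(url)
    if parts.hostname is None or not parts.hostname.endswith("google.com"):
        return None
    if parts.path != "/search":
        return None
    q = parse_qs(parts.query).get("q")  # parse_qs decodes %3A, %22, %3D and '+'
    if not q:
        return None
    m = SANTY_QUERY_RE.match(q[0].strip())
    if m is None:
        return None
    return m.group("param"), int(m.group("num"))


# Constructed Squid native-format lines (time elapsed client code/status bytes
# method URL rfc931 hier/peer type). 10.0.0.5 plays the infected host.
SAMPLE_LOG = """\
1103702400.101 312 10.0.0.5 TCP_MISS/200 9876 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search - DIRECT/216.239.37.99 text/html
1103702401.220 298 10.0.0.5 TCP_MISS/200 9911 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search - DIRECT/216.239.37.99 text/html
1103702402.050 275 10.0.0.7 TCP_MISS/200 8123 GET http://www.google.com/search?hl=en&q=phpbb+viewtopic.php+security+patch&btnG=Search - DIRECT/216.239.37.99 text/html
1103702403.400 120 10.0.0.9 TCP_MISS/200 4410 GET http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513 - DIRECT/63.251.172.62 text/html
1103702404.010 301 10.0.0.5 TCP_MISS/200 9870 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search - DIRECT/216.239.37.99 text/html
"""


def scan_proxy_log(text):
    """Return [(client_ip, param, number), ...] for every Santy-style search."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "GET":
            continue
        client_ip, url = fields[2], fields[6]
        hit = classify_google_search(url)
        if hit is not None:
            hits.append((client_ip, hit[0], hit[1]))
    return hits


def suspect_hosts(text, threshold=2):
    """Hosts with at least `threshold` Santy-style searches.

    One such query may be an admin reproducing the thread; a stream of them
    with varying t/p/topic values is the worm hunting for targets.
    """
    counts = Counter(ip for ip, _, _ in scan_proxy_log(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(suspect_hosts(SAMPLE_LOG))
```

The benign search on 10.0.0.7 mentions viewtopic.php but is not in the template form, and the phpBB forum fetch on 10.0.0.9 is not a Google search at all, so neither is reported; only the three template-shaped requests from 10.0.0.5 are. The same regex, applied to the decoded `q` value, is the pattern a search engine or an egress proxy could block to cut off the worm's target discovery.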