Santy is a network worm written in the Perl scripting language that exploits a vulnerability present in versions of the phpBB online forum software lower than 2.0.11.
| Santy | |
|---|---|
| Full name (Kaspersky) | Net-Worm.Perl.Santy.a |
| Type | Internet worm |
| Year of appearance | 2004 |
| Software used | phpBB |
The worm sent a query to the Google search engine containing the string “Powered by phpBB” and in this way obtained the addresses of forums to attack. Then, by sending a malformed request to the viewtopic.php file, it was able to execute arbitrary code on the server, and it replaced the contents of all files with the extensions asp, htm, jsp, php, phtm, shtm with “This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X”, where X is a number indicating the generation of the worm.
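As an added example (not part of the original article and not any vendor's tool), the following Python script sweeps a web root for files that still carry the defacement text described above and reports the worm generation found in each. Treating the listed extensions as prefixes, so that .html, .phtml and .shtml are also checked, is an assumption of this example, as are the names `scan` and `is_target`.

```python
import os
import re
import sys

# Extensions named in the article; treated as prefixes (assumption) so that
# .html, .phtml and .shtml files are also checked.
TARGET_PREFIXES = ("asp", "htm", "jsp", "php", "phtm", "shtm")

# Defacement text quoted in the article; the trailing number is the generation.
MARKER = re.compile(rb"NeverEverNoSanity\s+WebWorm\s+generation\s+(\d+)", re.I)

READ_LIMIT = 64 * 1024  # the defacement text is short, so the file head suffices


def is_target(filename):
    """True if the file extension begins with one of the targeted extensions."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return bool(ext) and ext.startswith(TARGET_PREFIXES)


def scan(root):
    """Return sorted [(relative_path, generation)] for files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(READ_LIMIT)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            match = MARKER.search(head)
            if match:
                hits.append((os.path.relpath(path, root), int(match.group(1))))
    return sorted(hits)


if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel_path, generation in scan(web_root):
        print(f"DEFACED generation={generation} {rel_path}")
```

A hit means the file's original contents are gone and must be restored from backup; the forum software on that host also needs to be at version 2.0.11 or later before it goes back online.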
Just a day after its appearance on December 20, 2004, the worm had successfully attacked a huge number of sites (according to various estimates, from 30 to 40 thousand). On the second day, Google stopped processing searches for the phrase “Powered by phpBB”. After that, modifications of the worm appeared that used other search engines.
It is noteworthy that the vulnerability was discovered in November 2004 and a new version with fixes was released a month before the attack, on November 21, 2004 [1], yet a huge number of sites were left without updates.
After this incident, an automatic check for new versions was added to the phpBB admin panel.
It is also interesting that a worm was released that, using the same vulnerability, updates the phpBB source code to a new version and thereby eliminates the vulnerability [2].