According to this news story, versions of PHP prior to 4.3.10 are vulnerable. (The version on the server where my site is hosted is s 4.3.8. Am talking with tech support about how to get it fixed.
According to the F-Secure weblog, Google has at least for the moment shut the worm down (see http://www.f-secure.com/weblog/).
Afraid this worm may prove more extensive than just wordpress. There is an alert for this for phpBB as well.
My WP affected secion: http://www.hammondgallery.com/wordpress
Fortunately I backed the site up only yesterday. But I have another site using phpBB. Apparently I must now update to the latest versions of WP and phpBB on these sites and then hope the ISPs have got some other means of keeping this out.
Anonymous
phpBB is the only software directly affected by the Santy worm – it infects a server by using the “highlight” exploit (fixed in 2.0.11 of phpBB) to get into phpBB, then searches the server for PHP, ASP, and HTML files to deface, then defaces them, then uses Google to find more phpBB boards to infect.
There is a simple fix for phpBB versions earlier than 2.0.11 on their website.
This particular worm has nothing to do with the version of PHP or WordPress you run.
Of course, the latest PHP builds fix some other severe security issues, so it’s a good idea to upgrade anyways 😉
This is not correct. The site I referred to (hammondgallery.com) is not using phpBB. It is using Gallery and WordPress. The WordPress wp-config.php file was overwritten by a version (8?) of the worm in question. The default file permissions were set to 664. I changed them to 644. There is no mention of setting file permissions in the installation documentation that I have read. Whether or not this is a security issue remains to be determined.
The vulnerability that was exploited by this version of the NeverEverNoSanity worm may in fact have something to do with the PHP function urldecode. If you read this bug report at phpBB.com (http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513), you will note that the suggested fix removes the function in question.
Getting back to the WordPress files:
The script google-hilite.php (wp-content/plugins/) uses the urldecode function in fact, and as I am reading, the worm in question is using google to get at vulnerable sites.
I suggest getting in touch with photomatt on this one as he wrote the script.
In the meantime I suggest that anyone concerned about this does the following:
1. Back up your site IMMEDIATELY.
2. Set permissions on wp-config.php to 644.
It may be possible to set the wp-config.php permissions to be more restrictive, but I haven’t attempted this.
Futher to this I post the following from my hosting support (ICDSoft.com – highly recommended)
Although phpBB is not installed on your site, there were many other users on the same server that were using phpBB, and once they got infected, the worm tried to overwrite all world-writable files on the same machine. This is why your pages have been defaced.
There are many script installations, which advise the users to set 777 permissions to some of the files. This is because SuExec is not a part of a standard web server and in most cases, all scripts on the server (no matter which user is their actual owner) are executed with the permissions of the web-server user. So, if these scripts need to write something to some file, they should that file will need world-writable permissions. This is not the case with our hosting environment – with us all scripts are executed with the specific permissions of their owner, so any files that need to be written to, can just have owner-writable permissions.
Currently, there is no way of telling whether you had files with world-writable permissions on your account. In order to prevent further defacements, we have set 775 permissions to all world-writable files when the worm hit us.
However, world-writable permissions on your files are the _only_ way that a script running as another user can damage your files. There is no hole in the SuExec wrapper that we use – we have carefully reviewed the worm’s code (it is coded in Perl), and we are quite familiar with its course of action and it signature.
You should not worry about your WordPress installation – there is actually no security hole in the urldecode() function, it is the specific way that its output was later used, that caused the vulnerability in phpBB. google-hilite.php is also not related to this.
Do we accept this as gospel? Is there some file in a default installation of WP that has permissions set to 777? Because I personally would never set permissions on a website to that.
In any event, it would appear that this attack come into my WP scripts via another user’s phpBB scripts.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
Just a reminder, before you take any drastic measures, make sure that you don’t have PHP v4.3.10. v4.3.10 plugs this whole, making it immune to the threat. You can find out what version you have by creating a text file with only the following:
<?php phpinfo(); ?>
Now, save that text file as phpinfo.php, upload it to your webserver, and access it with your browser.
Anonymous
Goborobo, the Santy worm *only* uses phpBB sites to deface web pages. Only. That’s it, that’s all. For proof? Once it infects a phpBB installation (and those are the only installations it infects), it searches Google for the string “Powered by phpBB”. End of story.
True, the exploit could potentially work on other PHP sites that use the “urldecode” function, but this worm is written to *only* infect phpBB sites – though it’s actions, of course, affect every site it possibly can on the same server. Including such sites as
Sadly, new versions of this buggerdly thing will undoubtedly be released any moment now affecting several other PHP web apps.
But, reading your last post, I see you’ve noticed this by now.
Finally, upgrading to the latest PHP does *NOT* appear to prevent Santy from infecting your phpBB (at least according to the PHP changelogs). Only upgrading (or fixing yourself) phpBB will do that.
But again, definitely upgrade your PHP installations anyways. Several other security vulnerabilities have been patched.
