Worm Defaces phpBB Forums via Google

Thread Title:
Santy Worm Defaces Web Forums
Thread Description:

If you're not running the very latest version of phpBB then you'd better get cracking. A worm called "Santy" is using Google to find phpBB sites and replace files on the server through a security hole in PHP.

By targeting the freely distributed phpBB, the defacement worm has become a major nightmare for some businesses that use the forum software to handle customer-service queries and other support issues.

In an advisory, security research outfit Kaspersky Lab said the Santy worm is "extra tricky" because it replaces several files on the server with its own code, meaning that other sites using the same host get infected.

Kaspersky Lab's advisory carries a "Red Alert" rating.

Anyone hit by this?


It's moved from generation 8 to 25 over the last 24 hours.

All sorts of pages get replaced with the following:

This site is defaced!!!


NeverEverNoSanity WebWorm generation 25.

A client (not on our servers I must add) got hit yesterday, they and the hosting company haven't managed to remove it yet.

If anyone knows of a removal tool let me know please.

Removal tool

Removal tool is a fresh install of phpBB 2.0.11, make sure your PHP is up to date (4.3.10), check file permissions (web server shouldn't have write permissions - apparently all of these hacks happened when the file permissions were 666 rather than 644), and then reinstate from the last known good backup for all .html, .asp and .php files on the server.

The bugs were known, the phpBB ones for more than a week and the PHP ones for a few days: patched systems were unaffected.

Good luck to them for the clean-up - it's a big job.
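A small audit script for the two symptoms this post describes: web files left group- or world-writable (mode 666 rather than 644) and files carrying the defacement text quoted earlier in the thread. This is an added example, not a tool mentioned in the thread; the web-root path, the set of file extensions checked and the marker string are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for Santy's two
# visible symptoms using only sh, find and grep. The marker string is the
# defacement text quoted in the thread; extensions are an assumption.

SANTY_MARKER='NeverEverNoSanity WebWorm'

# Web files the server could write to (group- or world-writable),
# which the thread reports as the common factor among hit sites.
writable_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.asp' \) \
        \( -perm -o=w -o -perm -g=w \)
}

# Files whose content carries the defacement marker.
defaced_files() {
    grep -rl -- "$SANTY_MARKER" "$1" 2>/dev/null
}

# Reset web files to 644: owner writes, web server only reads.
fix_web_perms() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.asp' \) \
        -exec chmod 644 {} +
}

# Print findings; exit status 1 if either symptom is present, 0 if clean.
audit_webroot() {
    root="$1"
    rc=0
    w=$(writable_web_files "$root")
    if [ -n "$w" ]; then
        printf 'Group/world-writable web files:\n%s\n' "$w"
        rc=1
    fi
    d=$(defaced_files "$root")
    if [ -n "$d" ]; then
        printf 'Files containing defacement marker:\n%s\n' "$d"
        rc=1
    fi
    return $rc
}
```

Run `audit_webroot /path/to/webroot` before and after restoring from backup; `fix_web_perms` only tightens permissions and does not remove the defaced content.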

Interestingly, it's a Windows server that has been infected.

Though I have seen reports of both Windows and Linux servers being infected.

The problem's OS-independent: I'm still reading conflicting reports on whether it is the phpBB bug reported and fixed a couple of weeks back, or the PHP bug from a few days back. Possibly a combination of the two. But as both run on Linux and Windows servers, the effect is similar. It's a professional and very nasty worm.

There is actually quite a good discussion and analysis on Slashdot about this:

The cleanup for the worm is easier as you know what the worm does: replace certain files. However, if you got hit by the worm you may have also been backdoored.

Google responds

"We are aware of an Internet worm that exploits a vulnerability in third-party Web servers that use PHP bulletin board software. While the worm does not put Google users at risk, we are working to help stop its propagation by blocking queries to Google that are generated by the worm," the representative said.

