Any way to trace it back to the person who sent the webworm? We are fairly certain we know who did it. It's just proving it.
Not too much of a problem. What is the IP address that was connecting?
Once we get some answers, we can start narrowing down the vector of the attack against your site.
That worm hit other websites, too.
I was trying to access one business website and it showed that it had been attacked. The owners took the site down and they still haven't got it back up and running.
Run the command netstat -an?
Reported here? http://www.us-cert.gov/current/current_activity.html
Here is a new one (to me): http://www.securityfocus.com/bid/11981
Looks like you're running Red Hat Linux (Fedora) with Apache/2.0.50. You might want to reinstall the OS from scratch, apply all the latest patches, and check that all of your apps are up to date before going back online.
Sam Spade for Windows is a freeware network query tool. It may help you in tracking the perp. It's also helpful to track & nail spammers.
Checked Symantec and McAfee and the worm you mentioned is not yet listed there. Try checking them in a few weeks. They are usually pretty good at catching new stuff before it really spreads too far.
Good Luck.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<ADDRESS>NeverEverNoSanity WebWorm generation 13.</ADDRESS>
Check the HTML of the same page in your computer's publishing program. If it is OK, why not try to republish the site? If the file on your computer looks like the HTML I have posted above, your computer has been hacked and not the website; redo the page and try to post it. - Tom
It is indeed a webworm, targeting the most recent vulnerabilities announced this past Friday in PHP. While I do automatic nightly updates of certain key components of my systems, this update was not yet released by my publisher. I misread their announcement, and so it is entirely my fault. If I had noticed they didn't intend to patch within 24 hours, I'd have hand-patched. The primary purpose of this worm is to set up some sort of spam gizmo. I have not yet completed analysis of the code, but it is Brazilian in origin and at initial glance seems to be trying to test email addresses for validity, keeping a list of good and bad email addresses. It then reports them back through IRC to someone who I assume is collecting the data in their master database to spam away using other (or possibly the same) drones. Though it would seem the folks who run Windows on their desktops are the most prone to the spam sleepers. I guess that will teach them to trust Ol' Bill. ;)
Information is flying across the lists about the worm that hit your site. It appears to be a worm that exploits a vulnerability in phpBB that was identified a month ago:
This bug only exploits a hole in phpBB2 as far as I can tell. It does not appear to exploit a hole within PHP. In order to protect yourself, you must upgrade phpBB2 to version 2.0.11.
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
See also:
http://isc.sans.org/
Generation 9 appears to overwrite files with the following extensions: .htm, .php, .asp, .shtm, .jsp, .phtm
It only displays a defacement message saying "NeverEverNoSanity WebWorm generation #", where # is the generation of the worm.
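Added example (not from anyone in this thread): a small Python scanner that walks a web root, looks only at the file extensions the post above says generation 9 overwrites, and reports any file carrying the "NeverEverNoSanity WebWorm generation #" marker together with the generation number. The sample site it builds in a temp directory is constructed for the demo; the function and file names are my own, not anything from phpBB or the worm.

```python
import os
import re
import tempfile

# Extensions the post says generation 9 of the worm overwrites.
TARGET_EXTS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}

# Defacement marker quoted in the thread; the trailing integer is the generation.
SIGNATURE = re.compile(rb"NeverEverNoSanity WebWorm generation (\d+)")


def parse_generation(data: bytes):
    """Return the worm generation number if the defacement marker is present, else None."""
    m = SIGNATURE.search(data)
    return int(m.group(1)) if m else None


def scan_webroot(root):
    """Walk `root`, inspect files with targeted extensions, return {relative_path: generation}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)  # the defacement page is tiny; the head of the file is enough
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            gen = parse_generation(data)
            if gen is not None:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = gen
    return hits


def build_sample_webroot():
    """Constructed sample site (not from the thread): two defaced pages, one clean page, one non-target file."""
    root = tempfile.mkdtemp(prefix="webworm_demo_")
    defaced = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'
               b'<HEAD><BODY bgcolor="#000000" text="#FF0000">'
               b'<H1>This site is defaced!!!</H1>'
               b'<ADDRESS>NeverEverNoSanity WebWorm generation %d.</ADDRESS>')
    files = {
        "index.php": defaced % 13,
        "forum/viewtopic.php": defaced % 9,
        "about.htm": b"<html><body>Welcome to our site</body></html>",
        "notes.txt": defaced % 13,  # .txt is not in the overwrite list, so the scanner ignores it
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, gen in sorted(scan_webroot(root).items()):
        print(f"{path}: defaced by generation {gen}")
```

Run it against the real document root instead of the sample to get a list of overwritten files to restore from backup; since the worm replaces the file content entirely, the hit list is also the list of pages that need to be re-published after the phpBB2 upgrade.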
