December 21, 2004

Worm uses Google to hit thousands of PHP sites

A widespread Internet worm has used Google Inc's search engine to locate targets, but security researchers used rival search engine MSN to track its proliferation.

By CBR Staff Writer

The worm, Santy, exploited a vulnerability in phpBB, a popular bulletin board application written in PHP, to deface at least tens of thousands of web sites, destroying data on the servers as it went.

It is believed to be the first major automated threat to use a search engine, Google in this case, to identify potentially vulnerable targets. This tactic has been known about and used by hackers in more targeted attacks for a long time.

The worm searches Google for URLs containing "viewtopic.php", the name of the vulnerable phpBB component, as a signature of the presence of phpBB. Google returns about 7.5 million hits for the query "allinurl:viewtopic.php"; each hit is only a potential target, since not every phpBB installation found this way is running a vulnerable version.

Once it has found a candidate machine, the exploit is executed. On the target server, all files with the extensions .asp, .htm, .jsp, .php, .phtm and .shtm are overwritten with an HTML page announcing "This site is defaced!!!"

The defacement page also contains the text "NeverEverNoSanity WebWorm generation X", where X is the number of infections that iteration of the worm has so far caused. Google did not return any hits for a query on the defacement text.
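The defacement signature described above (the six overwritten extensions, the marker text and the generation counter) is enough for an administrator to triage a server. The following scanner is an added example written for this article, not code from the article, from phpBB or from the worm; the directory layout, file names and function names are constructed for illustration, and the sample site it builds is likewise constructed.

```python
"""Scan a web root for files overwritten by the Santy defacement page.

Added example, not code from the original article or from phpBB. The
extensions and marker text come from the article; the directory layout,
file names and helper names are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the article reports the worm overwrites.
DEFACED_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}

# Marker text from the defacement page; the generation counter is the
# number of infections that iteration of the worm has caused so far.
DEFACE_MARKER = "This site is defaced!!!"
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")


def inspect_file(path):
    """Return (is_defaced, generation) for a single file.

    Only the first 4 KiB are read: the defacement page is small, and we
    do not want to pull large legitimate files into memory.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("latin-1", errors="replace")
    except OSError:
        return False, None
    if DEFACE_MARKER not in head:
        return False, None
    m = GENERATION_RE.search(head)
    return True, (int(m.group(1)) if m else None)


def scan_webroot(root):
    """Walk `root` and return {relative_posix_path: generation} for defaced files.

    Files whose extension is outside DEFACED_EXTENSIONS are skipped: the
    worm did not overwrite them, so a marker found there is not evidence
    of this defacement.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in DEFACED_EXTENSIONS:
                continue
            defaced, gen = inspect_file(p)
            if defaced:
                hits[p.relative_to(root).as_posix()] = gen
    return hits


def build_sample_webroot():
    """Create a constructed sample site in a temp dir and return its path.

    Two files carry the defacement page with generation 37, one PHP file
    is untouched, and a .css file contains the marker text but lies
    outside the extension set, so a correct scanner must skip it.
    """
    root = Path(tempfile.mkdtemp(prefix="santy_demo_"))
    (root / "forum").mkdir()
    defaced = ("<html><body>" + DEFACE_MARKER +
               " NeverEverNoSanity WebWorm generation 37</body></html>")
    (root / "index.htm").write_text(defaced)
    (root / "forum" / "viewtopic.php").write_text(defaced)
    (root / "forum" / "config.php").write_text("<?php $dbhost = 'localhost'; ?>")
    (root / "style.css").write_text("/* " + DEFACE_MARKER + " */")
    return root


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for rel, gen in sorted(scan_webroot(demo_root).items()):
        print(f"{rel}: defaced, worm generation {gen}")
```

Run it against a real web root by passing the document root to scan_webroot instead of the constructed sample. The generation counter it extracts is worth recording per host: a site hit by a high-generation copy was infected late in the outbreak, which helps when reconstructing the timeline from web server logs.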

The beta version of MSN Search, which one day hopes to rival Google’s dominant position in the search engine marketplace, returned 37,000 hits, suggesting a similar number of infections, at about midnight GMT last night.

"This is definitely not as severe as what we saw with Slammer or Code Red," said Oliver Friedrichs, senior manager of Symantec Security Response. He added that there is the potential for variants. MSN could be used to find infected servers, he said.


Because the worm used Google to find potentially vulnerable targets rather than scanning address ranges at random, it likely caused little of the collateral damage, in the form of network bandwidth consumption, that previous scattershot worms have caused.

It also meant that the worm had a single point of failure. Some antivirus experts said that Google had the ability to shut down the worm’s proliferation by blocking the queries it uses to generate its list of targets.

"They could stop this Santy outbreak right now simply by stopping responding to the queries the virus uses," F-Secure's Mikko Hypponen wrote. "This wouldn't hurt any end users and would in fact take load off from Google servers."

Google announced it had started blocking the worm about four or five hours later. It’s not clear yet if that would have had much of an effect on propagation. Network worms can reach saturation point in less than an hour.

"While the worm does not put Google users at risk, we are working to help stop its propagation by blocking queries to Google that are generated by the worm," a Google spokesperson said in a statement.

Having all the iterations of the worm go through Google may prove to be the author’s undoing. Google’s logs presumably now contain data that may prove useful in tracking down the person who released the worm into the wild.

Google could easily find the IP addresses of the first batch of infected machines. While viruses are often seeded through already-compromised machines, law enforcement could conceivably use Google log data as a starting point to track down Santy’s author.

People running phpBB should upgrade their software to version 2.0.11, which fixes the problem. Knowledge of the vulnerability, unrelated to other recent PHP vulnerabilities, has been in the public domain since November 12.
