Google also helped the spread of the Santy worm by preventing its search engine for being used to find websites to attack. They blacklisted a number of keywords which the worm was using to find targets.

so,its only a phpBB thing?

The phpBB vuln seems to have been related to highlighted words passed from searches(?). I presume this diff was the fix.

The include worm is different though and not specifically targetting any application. The version here looks to pull a list of pages with ‘.php’ in the URL from Google and Yahoo modify the GET query string and replace what would become PHP variables with a link to a remote site (which I guess was hacked in advance). One such site I saw in a log seems to have been taken down on the 25th, thereby “neutralizing” worms using it.

Bottom line is if you have code like;

// Validate first!!! include $_GET['page'];

You could be in for trouble (depending on PHP configuration).

This blog suggests that, this time round, there’s no need for panic. At the same time, this is the first serious attempt of this kind. There’s room to be “smarter” as well as target other oft-installed PHP-apps. Expect we’re going to see more of it.

MOTD: Validate all incoming data. Anything you get from the browser cannot be trusted.

why would webhosts not install modsecurity? Overhead?

Think the main thing is ModSecurity is still fairly new – think the awareness isn’t quite there yet. Overhead could be an issue although reading the ModSecurity docs suggests it shouldn’t. It probably (Ivan can no doubt answer that) needs a larger user base before it’s possible to consider performance in detail.

At least this is what I saw in one of the reports somewhere

By having the following in a Server php.ini file:

disable_functions = shell_exec,system,proc_open

all PHP scripts have very good security.

Everytime I see this error showing in the Server Error logs:

PHP Warning: system() has been disabled for security reasons

it gives me a warm feeling knowing Clients scripts are safe and no defacement has been done, regardless of any security weaknesses within an individual script.

Tis only one part of an over-all security strategy for any Server though, and as mod_security becomes more popular, is an excellent security addition.

Now back to our server. What really troubles me is that not only did they gain access to /var/ where they can upload files and execute as user apache, but they also managed to get root access. This is the bit I can’t work out. Do I take it that they managed to run one of the latest known compromises for “root as local user” scripts? I see there is one for SMP kernels on Linux. We were using Mandrake 9.2 with SMP and looking at other sites it seems that there is just such a script for our kernel.
Has anyone else had this? Apart from that no pages defaced etc. But we will need to reinstall the server, change all passwords now, etc. which is a real pain.

It does a trick where it disguises itself to look like an httpd process in the list. this makes it look like it has root and started a server. It uses wget to download some scripts into var which it is allowed to do running as apache. then it runs the script with perl. The quick way top stop it is to rename wget. then upgrade phpbb.