PHP Worms: Santy / Perl.PhpInclude – ModSecurity

    Harry Fuecks

    Looks like someone’s finally got nasty, in writing code which targets potential mistakes people often make with PHP. Although you may be on holiday, recommend giving these some thought at least and, if in doubt, do what Christian as done and take it offline until you’ve got time to deal with it.


    Hopefully you’ve already picked this up but if you’re using phpBB, you should to upgrade to 2.0.11 (see the announcement).

    The reason? The Santy Worm. This one even made the BBC’s website (ironically, probably the first time for PHP or a PHP app).

    There’s been some confusion surrounding Santy, such as this announcement, which suggests the worm exploits a vulnerability in PHP itself. Derick cleared this up here – phpBB was also exposed to a problem with PHP’s unserialize() function (fixed in the latest PHP release) but this was not what the worm uses. Ilia discusses the unserialize() vulns here.

    The most considered and up-to-date information I’ve found so far is available here. There’s now more than one version of the worm out there and the latest, Santy.e, also being called the Perl.PhpInclude.Worm (it’s apparently not related to Santy).


    The Perl.PhpInclude.Worm seems to exploit a common potential vulnerability / mistake, which I described (last April 1st) here. Make sure you read this: 4. Remote Files and take this very seriously.

    Should be possible to knock up a shell script to scan a filesystem for code that could potentially contain such issues, grepping for include statements (and similar) which contain PHP variables. Out of time for today but will try tomorrow (unless someone gets there first).


    Been pondering a blog / discussion on ModSecurity for a while now. This makes me think it’s time to get a move on. I owe it’s author Ivan some emails – ModSecurity came up at OSCOM.4. This is just some quick notes…

    First I highly recommend that both web hosting companies and developers of projects like phpBB that look at ModSecurity. Ivan has already blogged what may a filter for Santy here.

    Some key things about ModSecurity (referring here to the C version, not the Java version);

    – It’s an Apache module

    – It filters incoming requests first, before Apache does anything else with them (such as hand off to PHP)

    – It’s rules-based and rules can contain regular expressions (among other things)

    – You can have it perform very fine grained filtering (e.g. filtering a single GET variable called ‘highlight’)

    – Configuration can be made in httpd.conf and .htaccess files

    – It can work in something like a “permit all / deny some” or “deny all / permit some” modes, similar to other Apache rules

    – It really is the simplest thing you can possibly do

    – There’s a tutorial by Ivan on O’Reilly here

    Potentially hosts can use ModSecurity to screen all requests for likely exploits such as Javascript XSS and things like the Santy worm (permit all / deny some) . Developers like the phpBB team could also publish “valid request signatures” for their applications – everything they regard as valid input (deny all / permit some).