Network administrators had to deal with an unfriendly visitor during the 2004 holiday season: the Santy worm. Written in Perl, this malware targeted servers that hosted online bulletin boards running on the free phpBB software.
The worm was one of the first to spread via a search engine — in this case, Google. Santy used Google to find sites containing the file viewtopic.php, then exploited the file using a PHP vulnerability. Santy attacked sites via SQL injection, scanning directories and overwriting files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm with the words “This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation.”
By Dec. 21, 2004, nearly 40,000 sites had been affected, judging by the number of search-engine results for the defacement text.
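As an added example that is not from the article or from phpBB: a small Python triage script that sweeps a web root for files with the extensions the worm overwrote and flags any whose body carries the quoted defacement text. The sample web root it builds is constructed for the demonstration.

```python
"""Triage script (added example, not from the article): find files under a
web root that Santy's overwrite would have left behind."""
from __future__ import annotations
import tempfile
from pathlib import Path

# Extensions the article lists as overwritten by the worm.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
# Defacement text quoted in the article; matching is case-insensitive on
# its two distinctive fragments so trailing whitespace or newlines don't matter.
SANTY_DEFACEMENT = ("This site is defaced!!! This site is defaced!!! "
                    "NeverEverNoSanity WebWorm generation.")
MARKERS = ("this site is defaced!!!", "NeverEverNoSanity WebWorm".lower())

def is_defaced(content: bytes) -> bool:
    """True if the file body carries either defacement fragment."""
    text = content.decode("utf-8", errors="replace").lower()
    return any(m in text for m in MARKERS)

def scan_webroot(root: Path) -> list[str]:
    """Return root-relative paths of target-extension files that were defaced."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable file: skip rather than abort the sweep
            continue
        if is_defaced(data):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo() -> list[str]:
    """Build a constructed sample web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "forum").mkdir()
        # Untouched phpBB file: must not be reported.
        (root / "forum" / "config.php").write_text("<?php $dbhost = 'localhost'; ?>\n")
        # Two files overwritten with the worm's text.
        (root / "forum" / "viewtopic.php").write_text(SANTY_DEFACEMENT)
        (root / "index.htm").write_text(SANTY_DEFACEMENT + "\n")
        # Carries the text but has an extension the worm did not touch: ignored.
        (root / "notes.txt").write_text(SANTY_DEFACEMENT)
        return scan_webroot(root)
```

Running `demo()` reports `forum/viewtopic.php` and `index.htm` and leaves the clean config file and the `.txt` note alone; point `scan_webroot()` at a real document root to run the same sweep there.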
Anti-Santy makes an appearance
As is often the case, a software update issued before the appearance of Santy resolved the PHP vulnerability — but, if you hadn’t bothered to update your software, the fix did you no good. Google became involved in Anti-Santy efforts by blocking search requests for viewtopic.php at the urging of Internet security firms. (At that point, Santy started targeting Yahoo and America Online.)
Interestingly, one proposed solution for Santy used the same methodology as the worm itself. The Anti-Santy-Worm searched the Internet for sites running phpBB and infected them in an attempt to install a patch and deface such sites with another message. This time, the message read “viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11.” At least the Anti-Santy’s intentions were good, despite the fact that it mimicked the same tactics as its namesake.