Any Check for 'Santy' Here?

Message to Goose Egg:


Saw your post on the ICRT Forum yesterday. Thanks for the comment, about the question of FM 100’s performance on air and for recommending Oriented.

Were you aware that the ICRT Forum has been shut down until the 31st of DEC? The reason given was that they had to do a check (can view the actual message when one logs in to the page).

As there is a ‘Santy Worm’ making rounds through Google Search on Bulletin Boards (forums) using the phpBB format and defacing them - It could be because of this that the ICRT Forum is temporarily shut down.

I’d noticed that Forumosa is using the phpBB and am wondering if you have heard of such.

Thank you for reading my message.


We’re immune to Sanity here.

But good point, there’s been a few rumours lately of nasty things happening to PHP boards, do we have protection ?

Well, I made a post about it on the Feedback forum warning before it had become as widespread, but got nothing. I’m pretty sure one of the reasons for the Tuesday downtime was a PHP upgrade, which would render Forumosa immune to NeverEverNoSanity, so we should be fine. FYI, that worm is what took Tealit out last night.

Thank you for the update and the warning. I have heard about the worm. We recently upgraded the modules, and did a server reboot just last Tue. We feel secure, but will be backing up anyway

I was not aware of the temporary shutdown of the ICRT Forum. I do not think they are using phpBB, but a variant called newBB?

Btw, welcome to

Glad to join Forumosa and thank you for the quick reply, Goose Egg! :slight_smile:

From the analysis I’ve read, the current worm relies on the site’s forums starting from the web root, or in other words it only tries to break into, this particular worm won’t be able to break in here.

To be completely immune to the bug you need to be running phpbb 2.0.11 AND your php needs to be upgraded to either 4.3.10 or 5.0.3. has php updated to 4.3.10, but I can’t tell which phpbb is installed as Gus has removed the version numbers from the usual places.

New headline:

New Variant of Santy Worm Spreads

Early versions of the Santy worm exploited a specific bug in a bulletin-board software package called phpBB, and their attacks could be prevented by applying a patch to the software. However, the security flaw exploited by newer versions of the worm such as Santy.C or Santy.E is more general, and can occur anywhere a site designer has left the door open for the inclusion of arbitrary files into PHP scripts, experts at K-OTik Security in Montpellier, France, warn.

Santy.C and Santy.E behave so differently from Santy.A that the K-OTik is renaming the worm PhpInclude.Worm in its advisories, the company says. The worm doesn’t exploit the vulnerabilities in phpBB targeted by its predecessor, instead aiming for a wider range of common programming errors in PHP Web pages.

It uses search engines including Google, Yahoo, and AOL to identify exploitable Web pages written in PHP which use the functions “include()” and “require()” in an insecure manner, K-OTik says.

Embedded Contents

These functions can be used to embed the contents of a file within a Web page. If the site designer used them without sufficient checking of the parameters passed to the function, then an attacker could exploit them to incorporate an arbitrary file in the Web page, rather than the limited range presumably intended by the site designer. From there, depending on the configuration of the Web server, the attacker could move on to take control of the entire machine, K-OTik warns.

To prevent these attacks, it may be necessary to recode the site to use the include() and require() functions in a safe manner.

Eliminating the security flaws exploited by the newer versions of Santy involves no new tricks, and is simply a matter of applying long-known sound programming principles. K-OTik pointed site designers to this guide to secure programming (in French) in PHP, written in 2001.

Full article can be found in today’s Yahoo News.