Santy PHP Worm Variant With 50 Exploits Discovered
A new version of the Santy worm was discovered late on New Year's Eve 2004. This version of the worm now contains fifty exploits targeting a myriad of different PHP applications.
The initial posting on Full Disclosure by Peter Dudikoff [here] supplied links to the source code of both the worm [here] and the IRC bot [here]. When Peter visited the channel that the compromised hosts connect to, there appeared to be over 60 hosts already present.
The worm still uses Google (Brazil) for propagation, so we at vdot wonder how long it will survive before Google blocks this one as well. Once infected, the host connects to the IRC server and waits for commands to be issued; these commands will run as the web server process (typically httpd or nobody).
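The post-infection behaviour described above (a web-server process holding an outbound connection to an IRC server) is something an administrator can check for directly. The following is an added example, not code from the original post or from the worm source it links to: it parses lsof-style socket output and flags processes running as a web-server account that have an established connection to an IRC port. The sample output is constructed; the account names apache and www-data, the IRC port set, and the lsof column layout are assumptions (the post names only httpd and nobody and gives no port).

```python
"""Flag web-server-user processes with outbound connections to IRC ports.

Input is text in the layout of `lsof -nP -i TCP` (COMMAND PID USER FD TYPE
DEVICE SIZE/OFF NODE NAME [STATE]).  The sample below is constructed for
this example; the column layout is an assumption about lsof output.
"""
import re
import sys
from dataclasses import dataclass

# Accounts a web server commonly runs as.  httpd and nobody come from the
# post; apache and www-data are added as common defaults (assumption).
WEB_USERS = {"httpd", "nobody", "apache", "www-data"}

# Conventional IRC ports (assumption: the post does not name a port).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Ports the web server itself listens on; a connection whose *local* port
# is one of these is an inbound client, not an outbound bot connection.
SERVICE_PORTS = {80, 443}

# Constructed sample: two httpd listeners, one inbound web client, one
# perl process under 'nobody' talking to an IRC server, plus benign noise.
SAMPLE_LSOF = """\
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     1201   root    4u  IPv4  10234      0t0  TCP *:80 (LISTEN)
httpd     1305   nobody  4u  IPv4  10234      0t0  TCP *:80 (LISTEN)
httpd     1305   nobody  9u  IPv4  20991      0t0  TCP 10.0.0.5:80->198.51.100.23:51822 (ESTABLISHED)
perl      2210   nobody  3u  IPv4  31880      0t0  TCP 10.0.0.5:40112->203.0.113.7:6667 (ESTABLISHED)
sshd      899    root    3u  IPv4   9012      0t0  TCP 10.0.0.5:22->192.0.2.10:55000 (ESTABLISHED)
irssi     4410   alice   5u  IPv4  44100      0t0  TCP 10.0.0.5:40500->203.0.113.9:6697 (ESTABLISHED)
"""

# NAME column of an established TCP socket: local:port->remote:port
CONN_RE = re.compile(r"^(?P<lhost>\S+):(?P<lport>\d+)->(?P<rhost>\S+):(?P<rport>\d+)$")


@dataclass(frozen=True)
class Finding:
    command: str
    pid: int
    user: str
    remote_host: str
    remote_port: int


def parse_lsof(text):
    """Yield (command, pid, user, name, state) for each socket line."""
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        command, pid, user = parts[0], int(parts[1]), parts[2]
        name = parts[8]
        state = parts[9].strip("()") if len(parts) > 9 else ""
        yield command, pid, user, name, state


def find_irc_from_web_user(text):
    """Return Findings for web-server-account processes connected to IRC ports."""
    findings = []
    for command, pid, user, name, state in parse_lsof(text):
        if user not in WEB_USERS or state != "ESTABLISHED":
            continue
        m = CONN_RE.match(name)
        if not m or int(m.group("lport")) in SERVICE_PORTS:
            continue  # not a parseable connection, or an inbound web client
        rport = int(m.group("rport"))
        if rport in IRC_PORTS:
            findings.append(Finding(command, pid, user, m.group("rhost"), rport))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`lsof -nP -i TCP | python3 irc_check.py`) or run
    # with no input to see the constructed sample flagged.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for f in find_irc_from_web_user(text):
        print(f"{f.user} pid={f.pid} {f.command} -> {f.remote_host}:{f.remote_port}")
```

The check only catches the default-port case; a bot pointed at a non-standard port would be missed, so the more robust follow-up is to treat any outbound connection originating from the web-server account as worth a look, since a normally configured httpd has no reason to open one.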
Update: So we decided to take a look and popped onto the IRC server. As of 1st Jan 2005 11:18 GMT there are approximately sixty hosts present, with a majority coming from six hosting providers. If anyone knows any security contacts at any of the following, they might want to give them a heads up:
- dedicated.abac.net
- servernode.net
- marsaldesign.com
- hro.nl
- frantzen.be
- bestvalueservers.com
- hqsvr01.net