Hit By Anti-Santy Worm

Discussion in 'General Discussion' started by tbutler, Dec 30, 2004.

  1. tbutler

    tbutler Member

    I noticed a process running today and it seems that it is an "anti-santy worm" (the files it created in /var/tmp -- /tmp wouldn't work for it since I had set it to noexec, I forgot about /var/tmp ). Anyone see this yet? I think it spreads the same way as the standard Santy worm (I guess one of my users has a non-secured version of phpBB).

    It created seventy-something copies of itself, the first being aws.txt, the rest numerically titled aws.txt.1 through aws.txt.78. I'm hoping for some advice. First, can the Santy or Anti-Santy Worms compromise any part of the server other than defacing phpBB sites? I presume since it was running as nobody it couldn't compromise the server, but I'd like to confirm that.

    If anyone wants to examine the ASW script, I've attached it (it is a perl script). It was also "kind" enough to keep a log of the sites it visited. *sigh*

    Attached Files: asw.txt (3.3 KB)
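
The gap described in the post above (`/tmp` mounted noexec while `/var/tmp` was not) can be audited from the mount table. The following is an added example, not part of the original post or of cPanel's tooling; the function names are hypothetical, and including `/dev/shm` in the list is an assumption beyond what the post mentions.

```shell
#!/bin/sh
# Added example: find world-writable temp directories that still allow execution.

# Print the mount options of the filesystem that holds DIR.
# Usage: mount_opts_for DIR [MOUNTS_FILE]   (MOUNTS_FILE defaults to /proc/mounts)
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            # A mount point covers dir if it equals dir, is "/", or is a path prefix of dir.
            if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                # Longest matching mount point wins; on a tie the later entry wins.
                if (length(mp) >= best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }
    ' "${2:-/proc/mounts}"
}

# Return 0 if DIR is covered by a noexec mount, 1 otherwise.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each temp directory whose filesystem is NOT mounted noexec.
# Usage: exec_allowed_tmp_dirs [MOUNTS_FILE]
exec_allowed_tmp_dirs() {
    for d in /tmp /var/tmp /dev/shm; do
        is_noexec "$d" "$1" || echo "$d"
    done
}

# To audit the live system, call: exec_allowed_tmp_dirs
```

Any directory it prints sits on a filesystem without noexec, which is the situation the poster describes for `/var/tmp`.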
  2. cretu

    cretu Well-Known Member

    Hello,

    I have also been hit and files keep filling up the /tmp partitions. Are there any preventions known at this time?

    Cretu
     
  3. fwwebs

    fwwebs Well-Known Member

  4. cPanelNick

    cPanelNick Administrator
    Staff Member

  5. bullethost696

    bullethost696 Well-Known Member

    Consult the people who have those boards, as they will wipe out any addons.
     
  6. cretu

    cretu Well-Known Member

    Hi,

    Thank you for the great solution.

    Will this actually stop attacks from and to the server by this worm? I can still see the "asw" file (single) re-appearing inside /tmp.

    Thanks for attention!

    Cretu
     
  7. chirpy

    chirpy Well-Known Member

    In addition to the things mentioned (upgrade PHP and all your phpBB installations), installing mod_security with appropriate filters will stop it (do a search on the forums as these have already been posted).
     