This morning while traveling into the city, Airbag was hacked by something called NeverEverNoSanity WebWorm generation 17. I'll explain what this is but first it's time to eat a little crow. With all the hoopla in response to my last post I assumed that some avid fan had launched an attack. I was wrong — my bad. With all that has happened in the last five days, I think paranoia is setting in.
As for the generation 17 worm, it rewrote every PHP file on this site to display "This site is defaced!!!" in crappy red type on a black background. At least they could have used some CSS to make it look cool.
Thankfully with the help of some very intelligent friends, we tracked the culprit to a worm that uses Google to find it's next victim.
A representative for Google said the company is looking into the issue but had no immediate comment. It seems to have taken some action already, though. Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm.
More information was found on Symatec site giving more detail into what is affected by the virus.
.ASP .HTM .JSP .PHP .PHTM .SHTM
The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.
The solution, apparently, is to reinstall PHP on the server or you can hack an existing build with a solution by Help Net Security. I could not for the life of me tell you how to go about doing all of this but hopefully armed with this knowledge you can avoid being attacked yourself.
Now if you will all excuse me I have to try and put all of this site back together while also finishing up some work and shopping before Christmas gets here.
PS — Since we're patching holes, if you use Movable Type you might want to upgrade.
Join the fray by reading through and commenting at the end.
I was wondering what had hit you - this is the first I've seen it.
Glad to see your page back up, as it's one of my must-reads.
I was at first amused because of your Bronze post - and thought it was a pretty extreme statement of yours to deface your own site like this.
screenshot
Was going to write about it myself - But quickly realised this perhaps was a malicious attack and not some quirky statement on your part. I hope you don't mind the screenshot.
Those bastard hackers.
I'm a little confused. Are you running phpBB on your site somewhere or was it on another site on the same server as Airbag?
If you're not running phpBB on your virtual host, it means that the exploit is damn severe.
Aparenty there is another site on the same server that has a phpBB. I'm not a big fan of web-based bulletin boards, it was a lot more fun back in the dial-up days of logging into an actual BBS.
I don't think Google is doing anything about this, although they obviously have the power to stop this worm dead in it's tracks.
As you pointed out, the worm uses Google to search for sites using outdated phpBB software.
As quoted above, early Tuesday searching on "NeverEverNoSanity" returned 38,000 results. This is not searching on Google, this is using MSN's beta search engine
Searching on Google yesterday returned zero results because they have lag time on getting data available.
Didn't even notice your site went down because I only come by when the RSS tells me to. Glad to see it had no effect in the long term.
Google won't do anything about it, because they don't have to. Site owners -could- tell Google to go to hell, but they won't... at least if they want Google to index them. People searching for stuff generally don't care--they want to find stuff, and Google is the best engine out there.
It seems to me the easiest thing to do to discourage this sort of exploit in the future is to stop putting the version number of the software you're using on the site's pages. Every site that has text saying "Powered by PhpBB 2.0.x" or "Powered by Movable Type 2.6.3" or whatnot is basically advertising to potential hackers, "Here is the software I'm using, go ahead and exploit it!"
At the very least, I hope this encourages people running PhpBB sites to move to the much more elegant PunBB.
And, Greg, your host isn't setup running suexec? That alone would have prevented this. If another account on your server is hacked, it shouldn't affect you at all.
Suexec? d00d, This site is hosted on a Windows box.
Have to agree with you on PunBB Matt :)
Sorry to hear Greg. Not something you want to deal with right before Christmas. If I knew a nugget about PHP I'd help. Seeing has I don't. I can only throw in the white towel at the worm and hope it won't come attackin'.
Google is doing something about this.
Eep... that's just plain evil. Thanks for piquing the awareness, though... it got me off my duff, updating all sorts of web apps to the latest versions... if not for this, then for the next hackerboy who decides they want to be "1337."
That was a nasty and despicable act committed against you. Hope those evil-doers are brought to justice.
Is nothing sacred?
I have to agree with PunBB I run it on one of my sites and find it to be quite fast/good (that said, my database is currently quite small).
Reading in the developer's forums for PunBB shows that they are keeping up on trying to avoid potential security issues. I guess time will really tell on that one.
My site got hacked as well, I was online when it happened and it was like watching your house burn down with no water in sight.
I replaced all the damaged files with a daily back-up only to find that quite a few of the files in the back-up were corrupt, including four main files from a re-design I was just about to release.
Why would anyone create such a stupid virus? It has no real target other than those it finds. I simply cannot fathom the need for some idiot to use google (which shouldn't have this data freely available, nor should it be able to get it in the first place) to do this sort of bullshit. I also cannot understand why someone would waste their time on such ignorance. I can see the need for this to be used against someone who actually does stupid shit like this in the first place.
I'm sorry Greg. You seem like a nice guy and you don't deserve this sort of thing. I do have one thing to suggest though I don't know if it'll have problems or be difficult to implement with Moveable Type (and it's already too late, but it can help against future attacks): If you edit your Apache configuration — well for those of you who have Apache — you can edit your config file and set it to parse files with different extensions, other than .php, with PHP. Then all you have to do is save the files with a unique extension and Apache will make it work. Since it's server side you won't need to worry about the extension being misread by browsers since the header will still be a mime type of text/html. I'm sure you can do this with IIS as well but I don't know how. Anyway, this should work since the virus only changes files with certain extensions.
This is one of the reasons why I don't use blogging systems that I didn't create. While mine may not be as secure (or it may be, who knows) it is more secure in the fact that it's not known about except by me. If this were to happen to me it'd be no big deal as long as my databases were intact. I hope that's the same in your case. I'm not sure about Moveable Type though as I haven't used it or looked into it before.
same thing happened to Lockload.com
Nice to see your site is up again :)
I think someone at your hosting company should be getting coal this Christmas. That sucks big time, Greg. My hosting company, Dreamhost , addressed this problem with phpBB but I haven't heard of anybody on the network getting hit with the attack. On a UNIX-based system the access permissions should be airtight, so the virus can't get outside of the account serving up the old version of phpBB. Maybe it's a different story with Windows server though. Probably is, knowing Microsoft's track record with this kind of stuff.
Could've been worse; your pages could have been littered with stuff like "1 0wn3d j00 6r36!! n00bs! 1 4m teh 31337 h4x0r!!!" [shudders]