This site is defaced!!! (NeverEverNoSanity WebWorm)

NeverEverNoSanity Web Worm ...

  • ... has already defaced one or more of my sites (Votes: 0, 0.0%)
  • ... has not defaced (any of) my site/s (Votes: 9, 90.0%)
  • ... is something I care / know nothing about (Votes: 1, 10.0%)

Total voters: 10

TMC

Please can someone from JBMC make a formal statement here concerning the 'Never Ever No Sanity' Web Worm?

A constructively detailed 'How To' for establishing server-wide DA protection against this exploit would also be very much appreciated.

Depending on the opinion of Forum Admins, once officially answered this thread may be more appropriately located in 'Official Announcements'.

FYI the hourly spread of this exploit may be viewed here: http://www.google.com/search?hl=en&lr=&q="this+site+is+defaced"
 
This worm is using an exploit that is not related to DirectAdmin. It is a fault of poorly written code of a forum script called phpBB. If people do not patch/update their scripts or software, the chances are they are getting hacked.
 
Excellent response, rhoekman.

I'd like to add that every server admin should take the time to keep his systems up to date at all times.

This week we've been taking the time to update all the DA servers we manage for clients to make sure they have the latest apache and php:
Code:
cd /usr/local/directadmin/customapache
rm -f configure.apache_ssl
./build update
./build clean
./build all y
./build zend
That "y" after the "build all" will mean everything gets rebuilt without asking you; we've always considered this a reasonable approach, though you might want to change it to an "n" if you know you have a slow system and don't need to rebuild all the included packages. However, in that case you may need to do a "./build php" after you do the "./build all n".

The "./build zend" will ask some questions so you should stay near your shell window while it's running. Defaults are all okay, but since the httpd restart at the end will fail, you can change it to "No". In any event, be sure to restart apache after you've finished everything.

Jeff
 
Much appreciated info, rhoekman & jlasman.

We're slowly realizing that numerous postings here and on other forums are drawing incorrect parallels between the recent PHP 4 update which contains numerous security-related changes, and the recent phpBB security exploit.

Such are the tribulations of DA newbies :rolleyes:

Happy Holidays!
 
TMC said:
We're slowly realizing that numerous postings here and on other forums are drawing incorrect parallels between the recent PHP 4 update which contains numerous security-related changes, and the recent phpBB security exploit.

When we find out about exploits in software we don't have much control over (such as phpBB) and which we certainly don't want to ban from our servers, we scan our shared hosting servers to see if any of our webhosting clients are using them, and if so we notify the client with a link to the danger.

Jeff
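
The scan for client phpBB installs described in the post above can be scripted. This is an added example, not code from the thread or from DirectAdmin. It assumes the DirectAdmin-style layout ROOT/<user>/domains/<domain>/public_html and identifies phpBB by a config.php carrying the PHPBB_INSTALLED marker beside viewtopic.php; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory phpBB installs under a hosting root so that the
# owning accounts can be notified. Layout and marker are assumptions (see lead-in).

# Print "user<TAB>install-dir" for every installed phpBB found below $1.
find_phpbb() {
    root=${1%/}
    find "$root" -type f -name config.php 2>/dev/null | while IFS= read -r cfg; do
        dir=$(dirname "$cfg")
        # Require a phpBB entry script next to config.php so unrelated
        # applications that also ship a config.php are not flagged.
        [ -f "$dir/viewtopic.php" ] || continue
        # An unpacked but never installed copy has no marker in config.php.
        grep -q "PHPBB_INSTALLED" "$cfg" 2>/dev/null || continue
        rel=${dir#"$root"/}      # path relative to the hosting root
        user=${rel%%/*}          # first component is the account name
        printf '%s\t%s\n' "$user" "$dir"
    done | sort
}

# Build a small constructed tree (not real client data) to exercise the scan.
make_sample_tree() {
    t=$(mktemp -d)
    a="$t/alice/domains/example.com/public_html/forum"   # installed phpBB
    b="$t/bob/domains/example.org/public_html"           # different application
    c="$t/carol/domains/example.net/public_html/board"   # unpacked, not installed
    mkdir -p "$a" "$b" "$c"
    printf "<?php\ndefine('PHPBB_INSTALLED', true);\n?>\n" > "$a/config.php"
    : > "$a/viewtopic.php"
    printf "<?php\n\$db = 'shop';\n?>\n" > "$b/config.php"
    : > "$c/config.php"
    : > "$c/viewtopic.php"
    echo "$t"
}

# Demo on the constructed tree; on a real server pass the hosting root instead.
demo_root=$(make_sample_tree)
find_phpbb "$demo_root"
rm -rf "$demo_root"
```

The output is one line per install, which can be joined against the account contact list to send the notification.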
 