A new worm has been detected that uses Google to find vulnerable phpBB forums. The worm - named Net-Worm.Perl.Santy.a - queries Google to find sites using outdated versions of the phpBB forum software which can be exploited.
"This is a little hint of what's coming in 2005," cautions Timothy Keanini, chief technology officer for nCircle Network Security Inc., a network security company. "All the technology that makes us more efficient makes the bad guys more efficient, too."
Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.
phpBB boards running version 2.0.11 aren't vulnerable but older versions are. This fix was released mid-November.