Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm
From: Joe Stewart <jstewart () lurhq com>
Date: Tue, 21 Dec 2004 14:27:12 -0500

The search query used by the Santy worm uses the following template 
(parentheses contain substitution choices and are not part of the 
literal template):
(random choice between "t", "p", and "topic")%3D(random number between 0 and 30000)%22&btnG=Search

Below are some examples of what an actual Santy search request would 
look like:


If Google were to block this particular pattern of search request it 
would stop the spread of the worm for now.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
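
An added example, not part of the original message: a matcher for the portion of the template quoted above, usable to flag matching requests in proxy or web logs. The function names, the `PLACEHOLDER` prefix and the sample requests are constructed for illustration; the part of the query that precedes the quoted tail is not shown on the page and is not matched.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Only the tail of the template quoted in the message is matched:
#   (t | p | topic) %3D (number 0..30000) %22&btnG=Search
SANTY_TAIL = re.compile(
    r"(?:(?<![A-Za-z0-9])|(?<=%[0-9A-Fa-f]{2}))"  # key starts a token or follows an escape
    r"(?P<key>topic|t|p)"
    r"%3[Dd]"                                      # encoded "="; hex case may vary
    r"(?P<num>\d{1,5})"
    r"%22&btnG=Search(?![A-Za-z0-9])"
)
MAX_ID = 30000  # upper bound stated in the message


def match_santy_tail(request: str) -> Optional[Tuple[str, int]]:
    """Return (key, number) if the request carries the quoted tail, else None."""
    for m in SANTY_TAIL.finditer(request):
        num = int(m.group("num"))
        if 0 <= num <= MAX_ID:  # the regex alone would accept up to 99999
            return m.group("key"), num
    return None


def scan(lines: Iterable[str]) -> List[Tuple[int, str, int]]:
    """Return (line_number, key, number) for every matching line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        hit = match_santy_tail(line)
        if hit:
            hits.append((lineno, *hit))
    return hits


# Constructed sample requests. PLACEHOLDER stands for the part of the query
# that the message does not show; it is not the worm's real search text.
SAMPLE = [
    "GET /search?q=PLACEHOLDER+t%3D12345%22&btnG=Search HTTP/1.0",
    "GET /search?q=PLACEHOLDER%20topic%3D0%22&btnG=Search HTTP/1.0",
    "GET /search?q=PLACEHOLDER+p%3d30000%22&btnG=Search HTTP/1.0",
    "GET /search?q=PLACEHOLDER+t%3D30001%22&btnG=Search HTTP/1.0",   # out of range
    "GET /search?q=PLACEHOLDER+start%3D10%22&btnG=Search HTTP/1.0",  # key inside a word
    "GET /search?q=weather+t%3D5&btnG=Search HTTP/1.0",              # no %22
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```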
