Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Possible apache2/php 4.3.9 worm
From: Joe Stewart <jstewart () lurhq com>
Date: Tue, 21 Dec 2004 14:27:12 -0500

The search query used by the Santy worm uses the following template 
(parentheses contain substitution choices and are not part of the 
literal template) :
 
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22
(random choice between "t", "p", and "topic")%3D( random number between 
0 and 30000)%22&btnG=Search

Below are some examples of what an actual Santy search request would 
look like:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

If Google were to block this particular pattern of search request it 
would stop the spread of the worm for now.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault