[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm
- From: Joe Stewart <jstewart@xxxxxxxxx>
- Date: Tue, 21 Dec 2004 14:27:12 -0500
The search query used by the Santy worm uses the following template
(parentheses contain substitution choices and are not part of the
literal template) :
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22
(random choice between "t", "p", and "topic")%3D( random number between
0 and 30000)%22&btnG=Search
Below are some examples of what an actual Santy search request would
look like:
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search
If Google were to block this particular pattern of search request it
would stop the spread of the worm for now.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html