Open Source and information security mailing list archives
Message-ID: <200412211427.13092.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Re: Possible apache2/php 4.3.9 worm

The search query used by the Santy worm uses the following template 
(parentheses contain substitution choices and are not part of the 
literal template):

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22(random choice between "t", "p", and "topic")%3D(random number between 0 and 30000)%22&btnG=Search

Below are some examples of what an actual Santy search request would 
look like:

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search
http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

If Google were to block this particular pattern of search request it 
would stop the spread of the worm for now.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
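The message above describes the worm's search request as a fixed URL template with two substituted fields. The following detector, added here as an illustration and not part of Joe Stewart's post, turns that description into a check a proxy or egress log reviewer could run: it parses an outbound URL, decodes the `q` parameter, and flags requests whose search term has the shape `allinurl:"viewtopic.php" "(t|p|topic)=<number>"` against google.com. The log format (`<time> <client> <method> <url> <status>`) and the log lines themselves are constructed for the example; the three URLs quoted in the post are included among them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Decoded form of the search term described in the post:
#   allinurl:"viewtopic.php" "<t|p|topic>=<number>"
# parse_qs() already turns %3A, %22, %3D and '+' back into ':', '"', '=' and ' ',
# so the regex works on the decoded string rather than on the raw URL encoding.
SANTY_TERM = re.compile(r'^allinurl:\s*"viewtopic\.php"\s+"(t|p|topic)=(\d+)"$')


def is_santy_search(url: str) -> bool:
    """Return True if `url` is a Google search request matching the Santy template."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    # The post shows www.google.com; accept other google.com hostnames as well,
    # since the host part is incidental to the pattern (assumption, not from the post).
    if host != "google.com" and not host.endswith(".google.com"):
        return False
    if parts.path != "/search":
        return False
    query = parse_qs(parts.query).get("q", [""])[0].strip()
    match = SANTY_TERM.match(query)
    if not match:
        return False
    # The post reports random numbers between 0 and 30000; a detector should not
    # rely on that range, so the number is only required to be a number.
    return True


# Constructed sample proxy log lines: "<time> <client> <method> <url> <status>".
# Lines 1-3 carry the example URLs quoted in the post; the rest are benign traffic.
SAMPLE_LOG = [
    "2004-12-21T14:20:01 10.0.0.5 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search 200",
    "2004-12-21T14:20:02 10.0.0.5 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search 200",
    "2004-12-21T14:20:04 10.0.0.9 GET http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search 200",
    "2004-12-21T14:21:10 10.0.0.7 GET http://www.google.com/search?q=viewtopic.php+install+guide 200",
    "2004-12-21T14:21:12 10.0.0.7 GET http://www.example.org/forum/viewtopic.php?t=2580 200",
    "2004-12-21T14:21:30 10.0.0.8 GET http://www.google.com/search?q=allinurl%3A+%22viewtopic.php%22 200",
]


def scan_log(lines):
    """Return (client, url) pairs for log lines whose URL matches the Santy search template."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than fail the whole scan
        client, url = fields[1], fields[3]
        if is_santy_search(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"possible Santy search from {client}: {url}")
```

Matching on the decoded `q` parameter rather than on the raw URL means re-ordered or differently encoded query strings still match, while an ordinary search that merely mentions viewtopic.php (line 4) or only the `allinurl:` part (line 6) does not.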
