[clue-tech] php
Jeff Falgout
jfalgout at ogov.net
Tue Dec 21 20:59:31 MST 2004
Mike Staver wrote:
> Sigh. I've been hit by a worm that takes advantage of the fact that
> Whitebox Linux does not have an updated php package available.
>
> NeverEverNoSanity WebWorm generation 9
>
> Every php file on my webserver has now been replaced by:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>This site is defaced!!!</TITLE>
> </HEAD><BODY bgcolor="#000000" text="#FF0000">
> <H1>This site is defaced!!!</H1>
> <HR>
> <ADDRESS><b>NeverEverNoSanity WebWorm generation 9.</b></ADDRESS>
> </BODY></HTML>
>
> I can't find any info on this worm, so I shut down apache on my server
> until I can find an updated php rpm. I ran the latest chkrootkit, but
> it didn't find anything - but then again, this worm appears to be very
> new since Google doesn't contain any search results for it yet.
Looks like this worm went national today on slashdot:
http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169
Jeff
More information about the clue-tech
mailing list