Note: Since the publication of this article, Google did indeed put a block on the phpBB worm request. The badguys simply resorted to using other engines to do this sort of thing. phpBB worm traffic has drastically decreased since the few big waves. -Bob
The folks over at phpBB seem to be downplaying the seriousness of this worm. “Just upgrade and you’ll be fine,” they keep saying in their forums, and they don’t even feature the worm prominently on their website.
Perhaps they are worried about market share, or perhaps they really don’t comprehend the seriousness of this worm. My IDS logs tell another story. Yesterday was the biggest surge of fresh infections since the worm came out. Every few days it gains momentum. At one point yesterday I saw 761 hosts attempt to infect hosts on my network within 30 minutes.
Some say it’s lax administrators who can be blamed, and they should have upgraded their phpBB software. How so, when there’s no real mechanism for them to be notified that their script has become vulnerable? If phpBB is not featuring the bug prominently in big red letters, the community at large is not going to respond. It’s going to be left to individual administrators, one by one, as they are hit with this worm.
Also, a number of administrators have upgraded their phpBB installations AFTER infection, and failed to remove the worm infection from their server. The worm continues to search for and infect other hosts, unbeknownst to the site owner. Many website owners are insufficiently trained/experienced to identify and remove Linux processes that may be hidden, running from /tmp, etc. For that matter, so are a number of hosting companies.
Others are blaming Google, and their inurl search functionality. Is there a legitimate use for this search functionality? Can Google block the crafted requests that this worm is looking for? Can and should Google disable this inurl search functionality altogether? I have seen three uses for it in the past month, none of which I would call productive and legitimate: (1) to search for insecure webcams; (2) the crafted search this phpBB worm is using to distribute itself to new hosts; and (3) some Brazilian hackers are using google.com.br to search for vulnerable Comersus Backoffice applications. An unnamed sports equipment company got hit by these clowns, who obtained and fraudulently used credit card information.
Maybe it’s time for Google to suspend the inurl search entirely, since it seems more useful to the badguys and data miners than to legitimate searches.