Santy worm affecting all cpanel hosts

***GatorBrent*** · #1 01-24-2005, 02:12 PM

http://forums.cpanel.net/showthread.php?t=34846
http://www.phpbb.com/phpBB/viewtopic.php?t=258892

This internet attack is flooding out apache on many servers and causing problems everywhere on the internet. Bad day for the internet very bad day for us.

Things will get better as ISP's setup filters.

***GatorBrent*** · #2 01-24-2005, 02:37 PM

The worm is written to a file "m1ho2of" on the victim. After the transfer is complete, the worm will use the exploit once again to execute the code using the system default Perl interpreter.

Santy contains also a generation counter that is increased every time the worm is executed, i.e. once per infected host. If the number of generations is higher than three (3), it will execute its payload. The payload attempts to replace all files with the following extensions ".htm", ".php", ".asp", ".shtm", ".jsp" and ".phtm". The result is the these files are replaced with a HTML page that contains the following text:

Dawn · #3 01-24-2005, 02:43 PM

I realize that there is no need to submit a support ticket even though my site is down, but I have no clue what all you have just said means. Will my site still be intact when this is over? I don't run any message board on it.

Thanks
Dawn

netuser · #4 01-24-2005, 02:51 PM

Is there something being done? Or do we just wait until this is blown over somehow?

abstraktMedia · #5 01-24-2005, 02:54 PM

Yeah...we still don't know what this means?is our data going to be fine or will everything be lost...I have one phpBB but I patched it to a latest version just because of Santy a month ago...

britbob · #6 01-24-2005, 03:02 PM

Could this be why Jetta has been slow today? Seems to take some time to open a page, then other times it`s much better.

Is this effecting only phpBB? Some detail in `english` please Brent

jscherbel · #7 01-24-2005, 03:11 PM

To my knowledge, this virus attacks phpBB message boards on a version other than 2.0.11 -- I'm open to being told otherwise.

I know that my site as well as most of my client's sites have upgraded to 2.0.11 yet my account is currently suspended? There goes my customers/users as they get a "suspended" message on my site!

I hope Brent and co. figure things out soon. Good luck!

Jme574 · #8 01-24-2005, 03:17 PM

I still have accounts with 2 other hosing companies as i have not fully transfered all my accounts to my resellers account here with hostgator. both of the other companies are having the same exact problem as we are having here.

just thought that everyone would like to know that so they understand that this is not just a host gator problem. With alot of luck and super support hopefully everything will get back on track soon.

***GatorBrent*** · #9 01-24-2005, 03:54 PM

That is correct it is an Internet problem that pretty much can only wait to be blown over. It is the ISP's job to set up filters to block out the damage from the worm router side.

All the servers are fine they are simply being overloaded by fake traffic that cannot be blocked. You cannot block the entire Internet....

So both the servers are affected and the Internet is slower from everything being overwhelmed.

It has died down significantly already. This morning when I woke every server was having problems as far as downtime. A few servers had to be rebooted and took over 20 minutes to come back online because of the flooding going on.

Think of the Internet as a 6 Lane Hwy a chemical truck flipped over and has leakage. You now have one Highway Lane left open things are not going to move fast and all you can do is wait for them to clean it up.

Dawn · #10 01-24-2005, 04:04 PM

Thank You for explaining

jscherbel · #11 01-24-2005, 05:10 PM

When will you begin replying to "sales" emails regarding my suspended account - which I have to assume is related to this thread as I had no balance due yesterday?

***GatorBrent*** · #12 01-24-2005, 05:29 PM

"This appears to be a new variant of the recent phpbb exploit and tipping point is currently working on a updated vaccine to identify and block this exploit. This should hopefully be put in place shortly. Thanks. "

The data center is waiting on a filter the World’s Most Powerful Intrusion Prevention System. (TippingPoint’s UnityOne)

programmer · #13 01-24-2005, 06:05 PM

Great; hopefully this is taken care of soon.

I've noticed a bigger load on jetta, but nothing major. Right now it is 2.2, but earlier it was 5.4. All is working ok though. Does this have anything to do with that I wonder?

***GatorBrent*** · #14 01-24-2005, 07:20 PM

yes all the servers have extreme loads from this.

egoHavoc · #15 01-24-2005, 09:09 PM

Thank you for the FYI guys.. your always doing a great job (:

***GatorBrent*** · #16 01-24-2005, 10:06 PM

Things are extremely calm at the moment. We have servers with a single site on them that went off-line because of this. The bulk of it should be over, but I guess we'll see tomorrow when Internet traffic is at its peak. I believe it should be okay =)

mikegi · #17 01-24-2005, 11:08 PM

Quote:

Originally Posted by GatorBrent

Things are extremely calm at the moment. We have servers with a single site on them that went off-line because of this. The bulk of it should be over, but I guess we'll see tomorrow when Internet traffic is at its peak. I believe it should be okay =)

Thanks for getting this fixed. I'm thinking that Gitmo is too good for the perp(s) who did this...

abstraktMedia · #18 01-25-2005, 01:44 AM

Yeah Brent...thanx for keeping us updated...you guys are doing a great job...as always...that's why me and my bussiness are with you for almost a year and a half...ok chat support could be better but ther's always something that could be better...also thanx on behalf of my customers...

Amish · #19 01-25-2005, 12:06 PM

The past 4 months or so, have seen a lot of downtime and outages, and whatnot. I jumped to HG because my prior webhost was a pile of horsecrap... Now HG is looking to almost be the same. My website is one of the very few things I still like about the internet, and it sucks when I can't even get to it.

netuser · #20 01-25-2005, 02:36 PM

Yesterday night and this morning, my site loaded up fast. But since then, the site has been pretty slow again. Are the attacks still going on?

Dawn · #21 01-25-2005, 02:43 PM

My site is slow off and on too, and FTP is a nightmare...

ginger · #22 01-25-2005, 03:05 PM

My sites are working, however my outgoing SMTP is not...is this the same problem, or should I submit a ticket?

Dawn · #23 01-25-2005, 03:11 PM

my site just stopped loading again, and so has my CPanel...

dan · #24 01-25-2005, 03:13 PM

Is there anyway to get things like this, where perfomance on our sites is likely to be affected, via an email announcement? I'd venture most of us don't check the forum until we have a problem, where we are already muttering things like 'that @#$@#@# hostgator' under our breath.

If I would have had an email stating this problem was occuring, I would have been muttering 'that #$%$@$ worm, thanks hostgator'.

I would welcome the opportunity to get these 'warnings' in a more proactive manner. Putting it on the forum is good, getting to me is better.

Dan

netuser · #25 01-25-2005, 04:10 PM

I totally agree that keeping customers in the loop is the best way to keep their business. OK, it is not customer service 101, but it is a well-known way for customer satisfaction. If it is not your fault and you are working on the issue, we will understand. Just let us know. It is very frustrating to be kept in the dark. Should we wonder if the problem would be solved in the next minute or never? Are there other hosting companies that are not having this problem?