Hit with "Anti-Santy Worm"
I noticed a process running today and it seems that it is an "anti-santy worm" (the files it created in /var/tmp -- /tmp wouldn't work for it since I had set it to noexec, I forgot about /var/tmp). Anyone see this yet? I think it spreads the same way as the standard Santy worm (I guess one of my users has a non-secured version of phpBB). It created seventy-something copies of itself, the first being aws.txt, the rest numerically titled aws.txt.1 through aws.txt.78. I'm hoping for some advice. First, can the Santy or Anti-Santy Worms compromise any part of the server other than defacing phpBB sites? I presume since it was running as nobody it couldn't compromise the server, but I'd like to confirm that.
If anyone wants to examine the ASW script, I've attached it (it is a Perl script). It was also "kind" enough to keep a log of the sites it visited. *sigh*
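An added example, not part of the original post: a shell check for the gap described above, where /tmp was mounted noexec but /var/tmp was not, plus a scan for numbered drops like aws.txt.1 through aws.txt.78. The function names, the directory list (/tmp, /var/tmp, /dev/shm) and the threshold of 5 copies are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit temp dirs for exec-enabled
# mounts and for families of numbered copies such as aws.txt.1 .. aws.txt.78.

# Print the mount options that apply to directory $1, using the longest
# matching mount point in a /proc/mounts-format file ($2, default /proc/mounts).
mount_opts_for() {
    awk -v dir="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            # A mount point covers dir if it is "/", equals dir, or is a path prefix.
            if (mp == "/" || mp == dir || index(dir, mp "/") == 1) {
                # ">=" lets a later mount on the same point override an earlier one.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeed if the filesystem holding $1 is mounted with the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "base count" for files directly in $1 that have at least $2
# (default 5) numbered siblings named base.1, base.2, ...
numbered_copies() {
    find "$1" -maxdepth 1 -type f 2>/dev/null |
        sed -n 's/\.[0-9][0-9]*$//p' |
        sort | uniq -c |
        awk -v min="${2:-5}" '$1 >= min { print $2, $1 }'
}

# Report on the usual world-writable temp directories (assumed list).
audit_tmp_dirs() {
    for d in /tmp /var/tmp /dev/shm; do
        [ -d "$d" ] || continue
        if is_noexec "$d"; then echo "ok    $d is noexec"
        else echo "WARN  $d allows execution"; fi
        numbered_copies "$d" | sed 's|^|      repeated drops: |'
    done
}

if [ "${1:-}" = "--audit" ]; then audit_tmp_dirs; fi
```

Run it with `--audit` to get the report. Note that noexec only blocks executing a file directly; a script handed to an interpreter (for example `perl file`) is still read and run, so the drop scan matters even on noexec mounts.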