DiscusWare has received sporadic reports from customers who have gone to their Discus boards only to find a message like the following:
This site is defaced!!!
NeverEverNoSanity WebWorm generation XX
We have investigated the problem and discovered that this issue has been happening to other sites, most of which do not use Discus. It appears that this worm, named Net-Worm.Perl.Santy.a, is exploiting recently discovered security holes in the program "phpBB" to gain access to servers. This malicious code appears to overwrite every *.html and *.php file that was created by the web server. This, unfortunately, puts at risk all Discus topic and message files if you (or anyone else on your shared server) are running a vulnerable version of "phpBB."
More about the vulnerability
There are recently discovered vulnerabilities in the "phpBB" discussion software that may be responsible for allowing the intrusion. Here are relevant security advisories about the worm and its impact:
This is classified as a "worm" because once installed on a website, the malicious program does a Google search to look for vulnerable phpBB installations, so that it can exploit them as well. The "generation XX" indicates how many times the worm that damaged YOUR website had previously run on other websites. Soon after the worm was discovered, Google blocked queries that the worm used to spread itself, effectively halting the spread of the generation "A" of the worm.
Fixing your Discus discussion board
Because the primary storage of message files is in the *.html files, the only way to recover your existing topic and message files is to restore from a backup. This is most easily accomplished in the Backup Manager interface of your administration program. Note that any activity since the time you last backed up your discussion board will be lost.
- Log into the administration program of your Discus Professional discussion board as the board administrator (typically "admin") and click the Backup Manager link in the left frame.
- Click the "Open" icon next to the most recent backup that you have created through the Backup Manager interface.
- Check the box to confirm that you wish to restore the entire backup, and click the button. Wait for the gauge to complete and to be returned to the Backup Manager main page.
If you do not have a recent backup, you may wish to inquire with your web host to see whether they have created a backup of your site. Most web hosts back up their customer sites as a part of the standard service they provide.
- Ask your web host if they have a backup of the affected files. These include all of the *.html files under the "messages" directory, and in Discus Professional, if you are using read-restricted topics, the *.html files under your "secure" directory as well. Request that the web host restore these files.
- Log into the administration program of your Discus board as the board administrator (typically "admin") and click the Data Recovery link in the left frame. In the following order, run these Data Recovery operations to synchronize the administration data files, which are not believed to be affected, with the message files that were restored.
  - Click the "Tree" tab, make sure "All Topics" is chosen for "Topic to Reindex:" and click the button.
  - Click the "Search" tab, make sure that "All Topics" is chosen for "Rebuild Search Index for Topic:" and click the button.
  - Click the "Other" tab and click on the "Clean/Repair Logs" button.
  - If you have Discus Freeware or you are using Discus Professional without the MySQL database option, click the "Other" tab and click on the "Maintain Mini-logs" button. Note that this button will not be present on this page if you don't need to do this step (i.e., if you are using Discus Professional + MySQL).
- Click "Appearance Manager" in the left menu, click "Regeneration" tab in the right frame, ensure that "All Topics" is selected in the "Regenerate:" box and click the button.
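To give your web host a concrete list of affected files, and to confirm after a restore that none remain, the following added example (not DiscusWare code) searches *.html and *.php files for the defacement text quoted at the top of this notice. The directory path in the usage comment is a placeholder, and reading the generation as plain decimal digits is an assumption.

```shell
#!/bin/sh
# Added example (not DiscusWare code): find pages carrying the defacement
# text quoted at the top of this notice.
MARKER='NeverEverNoSanity WebWorm generation'

# candidate_files DIR: the file types the worm overwrites (*.html, *.php).
candidate_files() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' \) -print | sort
}

# defaced_files DIR: candidates that contain the marker text.
defaced_files() {
    candidate_files "$1" | while IFS= read -r f; do
        if grep -q -F -- "$MARKER" "$f"; then printf '%s\n' "$f"; fi
    done
}

# generation_of FILE: the number following the marker; "?" if it is not
# plain decimal digits (the digit format is an assumption).
generation_of() {
    gen=$(sed -n "s/.*$MARKER \([0-9][0-9]*\).*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${gen:-?}"
}

# report DIR: "generation<TAB>path" per defaced file, then a summary line.
report() {
    defaced_files "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(generation_of "$f")" "$f"
    done
    printf '%s of %s *.html/*.php files defaced\n' \
        "$(defaced_files "$1" | grep -c . || true)" \
        "$(candidate_files "$1" | grep -c . || true)"
}

# Usage (path is a placeholder for your board's location):
#   report /path/to/discus/messages
```

Run it against both the "messages" and "secure" directories; a summary of "0 of N" after the restore means no page still carries the worm's text.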
Preventing the problem from occurring in the future
Since the cause of the problem is a security vulnerability in another piece of software, in an ideal world we would advise you to ensure that everyone running phpBB on your shared server is current on their patches. However, this advice is not practical, since you have no control over them. (Speaking of that, is YOUR Discus board running the latest version???).
Here are some practical suggestions to prevent this specific issue from occurring:
- Follow our tips for running Discus on a shared server. Ideally your web host will set you up with software such as CGIWrap or suEXEC so that the files written by Discus will be owned by YOU and not the web server. This will prevent your data from ever being compromised even if someone else on your shared server has their data compromised.
- Switch to a dedicated server and do not run phpBB there. Since this particular problem is an exploit in "phpBB," ensuring that phpBB is not installed on your system will prevent this particular worm from infesting your system.
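A check for the first suggestion above, as an added example (not DiscusWare code): it lists board files that a script running as the web server account could overwrite, either because that account owns them or because they are world-writable. The account name `www-data` and the path in the usage comment are placeholders for your host's values.

```shell
#!/bin/sh
# Added example (not DiscusWare code). Board files are exposed to other
# sites on a shared server when the web server account owns them or when
# they are world-writable.

# tag LABEL: prefix each path read from stdin with "LABEL<TAB>".
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# exposed_files DIR WEB_USER: one "reason<TAB>path" line per finding.
# WEB_USER is the account name or numeric UID the web server runs as.
exposed_files() {
    {
        find "$1" -type f \( -name '*.html' -o -name '*.php' \) \
            -user "$2" -print | tag owned-by-web-user
        find "$1" -type f \( -name '*.html' -o -name '*.php' \) \
            -perm -0002 -print | tag world-writable
        # A world-writable directory lets its entries be replaced
        # (unless the sticky bit restricts deletion), so report it too.
        find "$1" -type d -perm -0002 -print | tag world-writable-dir
    } | sort
}

# is_isolated DIR WEB_USER: exit status 0 when nothing is exposed.
is_isolated() {
    [ -z "$(exposed_files "$1" "$2")" ]
}

# Usage (account name and path are placeholders):
#   exposed_files /path/to/discus/messages www-data
```

With CGIWrap or suEXEC in place, `is_isolated` should succeed for your "messages" and "secure" directories.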
Here are some general suggestions for preventing this sort of attack in the future, or for minimizing its potential impact.
- Make regular backups of your discussion board. The Backup Manager functionality of Discus Professional is one convenient way to make complete backups of your system that can be easily restored. Visit this interface regularly. Or, consult with DiscusWare to automate the backup of your discussion board via our remote backup service - have the peace of mind that even if you forget to make a backup, it's still taken care of.
- If you are on a shared server, review this document. Emphasize to your web host that someone else's site on your shared server has cost you time and effort, and in the worst case, caused irrecoverable data loss.
- Make sure you are current on your Discus updates. Although there has NEVER been a reported security vulnerability in any DiscusWare product that could cause data loss or spread a worm, keeping current on the updates is necessary to ensure smooth operation and receive efficient support. Visit your Version Manager to make sure your Discus version is up-to-date.
Professional services
For those customers whose systems have been affected by this issue but who do not have the time or the technical knowledge to resolve the problem, DiscusWare offers professional services that may be of assistance. Customers affected by this issue will be given priority in scheduling. Among our available services to help are:
Final notes - DiscusWare and security
DiscusWare has long held the belief that secure programming practices and thorough testing are the most important concepts in software development. As such, we retain complete control over the development of our products, and test things thoroughly before release. We are proud of our excellent track record with regard to security, and will work hard to continue to live up to our hard-earned reputation in this area.