This paper was written to partially fulfill the requirements for the GIAC Certified Incident Handler certification. It is about the Santy worm found in the wild around December 21st, 2004. This early and evil 'Santa Claus' present caused some serious havoc for administrators of phpBB bulletin board software around Christmas 2004 defacing almost 40 thousand phpBB sites in a short period. It is one of the first worms that efficiently use search engines such as Google1 to find their potential targets. Therefore an analysis of the techniques used and a description of the incident handling process seemed useful to me. I hope it is useful to the security community as well.
