[Full-Disclosure] Fwd: Alert: IIS compromised to place footer JavaScript on each page

From: B3r3n (B3r3n_at_argosnet.com)
Date: 06/25/04

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Evidence of a ISC being hacked?"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Jun 2004 19:50:08 +0200


    >There have been several reports of IIS servers being compromised in a
    >similar fashion. The result is that each has a document footer specified
    >which is JavaScript which causes the viewing browser to load a page from
    >a malicious website. The loaded page installs a trojan via one of
    >several attack methods attempted. According to Computer Associates, at
    >least one of those methods remains unpatched. The malicious web page the
    >client was being sent is no longer available.
    >At this point it does not look like this is a widespread issue, but I'd
    >like to see what you have seen.
    >1. There is so far no reasonable explanation as to how the IIS servers
    >are being compromised. The JavaScript which loads the attacking page
    >checks first to see if the browser is viewing via HTTPS, and if so, then
    >checks to see if there is a cookie on the client machine which starts
    >with "trk716". If there isn't such a cookie, then the JavaScript
    >executes causing the malicious page to be delivered to the victim. The
    >cookie expires in 10 minutes.
    >- Check your IIS Servers and verify whether the "Enable Document Footer"
    >option has been enabled (inspect the Documents tab in IIS Manager for
    >each site, or inspect the metabase for the EnableDocFooter is set to
    >- If Document Footers are enabled and they shouldn't be, check which
    >files are being specified as the footer document. If you have been
    >attacked you will find files named similar to "iis7#.dll" in the
    >\inetsrv directory. There may be one for each of your virtual
    >- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
    >machines. ftpcmd gets the agent.exe, which is subsequently executed
    >resulting in the metabase being modified by executing the ads.vbs with
    >appropriate parameters.
    >Questions for those of you who have been compromised:
    >a) Do you have an SSL certificate on any site on the compromised box?
    >There has been some speculation that this may have something to do with
    >the attack.
    >b) Were all of the sites on the compromised machine modified to include
    >a document footer? If not, is there anything unique about the ones that
    >were modified?
    >c) If you had more than one machine compromised, did you have any
    >similarly exposed IIS servers that weren't compromised? There is
    >speculation that the attack is specific to IIS 5.0.
    >d) Had you applied MS04-011 but not yet had the machine rebooted? A
    >couple of the reports from compromised machines indicated they had
    >applied the patch but not yet rebooted the machine. Try to be sure
    >whether the machine was rebooted before indicating it was "fully
    >patched." Please provide the details of the compromised box, its OS
    >version, SP level, patches applied, plus any other components which may
    >have been installed (e.g. Cold Fusion, etc...)
    >e) Can you send me a copy of the agent.exe, or whatever name it may be?
    >If so, please rename the extension to .ts and send it to
    >f) What directory did you find the ftpcmd.txt and/or agent.exe in?
    >g) Check your logs for anything dated similar to the datetime of
    >ftpcmd.txt, let me know if you find anything suspicious.
    >2. The attack against the clients has been specified as being;
    >Microsoft - Download.Ject
    >Symantec - JS.Scob.Trojan
    >FSecure - Scob
    >Computer Associates - JS.Toofer
    >CA provides the most information so far, indicating that the trojan are
    >polymorphic variants of Win32.Webber. They claim the malicious web page
    >exploits the Modal Dialog Zone Bypass discovered earlier in June. They
    >also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).
    >a) If you got a copy of the attacking page, can you send it to me?
    >b) What site served up the document footer that caused you to be sent
    >the malicious page?
    >Russ - NTBugtraq Editor
    >NTBugtraq Editor's Note:
    >Want to reply to the person who sent this message? This list is configured
    >such that just hitting reply is going to result in the message coming to
    >the list, not to the individual who sent the message. This was done to
    >help reduce the number of Out of Office messages posters received. So if
    >you want to send a reply just to the poster, you'll have to copy their
    >email address out of the message and place it in your TO: field.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Evidence of a ISC being hacked?"