[Full-Disclosure] Fwd: Alert: IIS compromised to place footer JavaScript on each page

From: B3r3n (B3r3n_at_argosnet.com)
Date: 06/25/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Jun 2004 19:50:08 +0200
    
    

    FYI

    >There have been several reports of IIS servers being compromised in a
    >similar fashion. The result is that each has a document footer specified
    >which is JavaScript which causes the viewing browser to load a page from
    >a malicious website. The loaded page installs a trojan via one of
    >several attack methods attempted. According to Computer Associates, at
    >least one of those methods remains unpatched. The malicious web page the
    >client was being sent is no longer available.
    >
    >At this point it does not look like this is a widespread issue, but I'd
    >like to see what you have seen.
    >
    >1. There is so far no reasonable explanation as to how the IIS servers
    >are being compromised. The JavaScript which loads the attacking page
    >checks first to see if the browser is viewing via HTTPS, and if so, then
    >checks to see if there is a cookie on the client machine which starts
    >with "trk716". If there isn't such a cookie, then the JavaScript
    >executes causing the malicious page to be delivered to the victim. The
    >cookie expires in 10 minutes.
    >
    >- Check your IIS Servers and verify whether the "Enable Document Footer"
    >option has been enabled (inspect the Documents tab in IIS Manager for
    >each site, or inspect the metabase to see whether EnableDocFooter is set
    >to true).
    >
    >- If Document Footers are enabled and they shouldn't be, check which
    >files are being specified as the footer document. If you have been
    >attacked you will find files named similar to "iis7#.dll" in the
    >\inetsrv directory. There may be one for each of your virtual
    >directories.
    >
    >- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
    >machines. ftpcmd gets the agent.exe, which is subsequently executed
    >resulting in the metabase being modified by executing the ads.vbs with
    >appropriate parameters.
    >
    >Questions for those of you who have been compromised:
    >
    >a) Do you have an SSL certificate on any site on the compromised box?
    >There has been some speculation that this may have something to do with
    >the attack.
    >
    >b) Were all of the sites on the compromised machine modified to include
    >a document footer? If not, is there anything unique about the ones that
    >were modified?
    >
    >c) If you had more than one machine compromised, did you have any
    >similarly exposed IIS servers that weren't compromised? There is
    >speculation that the attack is specific to IIS 5.0.
    >
    >d) Had you applied MS04-011 but not yet had the machine rebooted? A
    >couple of the reports from compromised machines indicated they had
    >applied the patch but not yet rebooted the machine. Try to be sure
    >whether the machine was rebooted before indicating it was "fully
    >patched." Please provide the details of the compromised box, its OS
    >version, SP level, patches applied, plus any other components which may
    >have been installed (e.g. Cold Fusion, etc...)
    >
    >e) Can you send me a copy of the agent.exe, or whatever name it may be?
    >If so, please rename the extension to .ts and send it to
    >Russ.Cooper@TruSecure.ca
    >
    >f) What directory did you find the ftpcmd.txt and/or agent.exe in?
    >
    >g) Check your logs for anything dated similar to the datetime of
    >ftpcmd.txt, let me know if you find anything suspicious.
    >
    >2. The attack against the clients has been specified as being:
    >
    >Microsoft - Download.Ject
    >http://www.microsoft.com/security/incident/download_ject.mspx
    >Symantec - JS.Scob.Trojan
    >http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
    >FSecure - Scob
    >http://www.f-secure.com/v-descs/scob.shtml
    >Computer Associates - JS.Toofer
    >http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438
    >
    >CA provides the most information so far, indicating that the trojans are
    >polymorphic variants of Win32.Webber. They claim the malicious web page
    >exploits the Modal Dialog Zone Bypass discovered earlier in June. They
    >also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).
    >
    >Questions:
    >
    >a) If you got a copy of the attacking page, can you send it to me?
    >
    >b) What site served up the document footer that caused you to be sent
    >the malicious page?
    >
    >Cheers,
    >Russ - NTBugtraq Editor
    >
    >-----
    >NTBugtraq Editor's Note:
    >
    >Want to reply to the person who sent this message? This list is configured
    >such that just hitting reply is going to result in the message coming to
    >the list, not to the individual who sent the message. This was done to
    >help reduce the number of Out of Office messages posters received. So if
    >you want to send a reply just to the poster, you'll have to copy their
    >email address out of the message and place it in your TO: field.
    >-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
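The symptom the forwarded alert describes is that IIS appends the configured footer file after the end of every served document, so the injected script lands after the closing `</html>` tag. The following is an added detection example, not code from the original post or from any of the vendors named: it scans a fetched response body for content trailing `</html>` and for the "trk716" cookie marker the alert mentions. The sample responses are constructed, and `inspect_response` and `trailing_content` are names chosen here.

```python
import re

# Constructed sample responses (not captured from a real compromised server).
CLEAN_PAGE = (
    "<html><head><title>Store</title></head>"
    "<body><p>Welcome</p></body></html>\r\n"
)

# Models the alert's symptom: IIS emits the document, then the footer file,
# so anything injected as a footer shows up after </html>. The script body is
# a constructed placeholder that only references the cookie name from the alert.
FOOTER_INJECTED_PAGE = CLEAN_PAGE + (
    '<script language="JavaScript">'
    '/* constructed placeholder footer */'
    'var seen = document.cookie.indexOf("trk716");'
    "</script>"
)

COOKIE_MARKER = "trk716"  # cookie prefix named in the alert


def trailing_content(body: str) -> str:
    """Return whatever follows the last </html> tag, or "" if there is no such tag.

    Pages with no closing tag cannot be split this way; for those the caller
    falls back to the cookie-marker check over the whole body.
    """
    matches = list(re.finditer(r"</html\s*>", body, flags=re.IGNORECASE))
    if not matches:
        return ""
    return body[matches[-1].end():]


def inspect_response(body: str) -> dict:
    """Flag a response whose bytes after </html> contain a script element."""
    tail = trailing_content(body)
    script_after_html = re.search(r"<script\b", tail, flags=re.IGNORECASE) is not None
    marker_anywhere = COOKIE_MARKER in body
    return {
        "trailing_bytes": len(tail.strip()),
        "script_after_html": script_after_html,
        "cookie_marker": COOKIE_MARKER in tail,
        "suspicious": script_after_html or marker_anywhere,
    }


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("footer", FOOTER_INJECTED_PAGE)):
        print(name, inspect_response(page))
```

Run it against responses fetched from your own IIS hosts (over both HTTP and HTTPS, since the alert notes the footer script behaves differently under HTTPS); a non-empty trailing region with a script element is the signal to go check EnableDocFooter in the metabase.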

