Re: IIS compromised to place footer JavaScript on each page
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 06/25/04
- Previous message: Russ: "Alert: IIS compromised to place footer JavaScript on each page"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jun 2004 15:27:32 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
So after reading Symantec's write-up on the JavaScript on IIS servers I noticed they said it would not fire if the client was viewing an HTTPS page.
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
I had already examined the code, and stared at it again, and still thought it fired only if the URL began with HTTPS.
Flat out, I'm wrong and they are right. I've been sick all week and I'll use that as my excuse...;-]
This makes it very interesting. Why would the attacker want to avoid sending the JavaScript if the page is being viewed via SSL? The only thing I can figure is they were trying to avoid warnings that might appear if it was an SSL site?
Also, what's all this about SSL being involved?? Most of the sites I've seen that have the JavaScript on them do not appear to have any SSL pages. I received one report of an infected server from someone who had both http and https being served, so still nothing conclusive.
Cheers,
Russ - NTBugtraq Editor
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
- Previous message: Russ: "Alert: IIS compromised to place footer JavaScript on each page"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
