Re: Russian IIS hack? Malicious Javascript code

From: srock (a_at_localhost)
Date: 06/24/04

Date: Thu, 24 Jun 2004 11:49:27 -0400

Yes - please post the contents of the files.


"dh" <> wrote in message
> As a follow up,
> I also found the files ftpcmd.txt, agent.exe and ads.vbs. The ftpcmd
> file looks to have been used to get the agent.exe file which received
> and ran the ads.vbs file. The ads.vbs file created the iis7xx.dll
> files as well as contacting the IIS admin service to turn on the
> DocFooter and point it at one of the .dlls for each web that was on
> the machine.
> The server is behind a PIX firewall and only IIS is exposed to the
> world.
> I can post the content of the ftpcmd and ads.vbs files if that's
> helpful.
> I also had trouble running the task manager - not sure what changed,
> but, later on I was able to start it from the command line.
> HTH,
> -dh
> (dh) wrote in message
> > Just found the same thing on a 2000 server. Six dlls were placed in
> > C:\WINNT\SYSTEM32\inetsrv. Each web on the system had the option to
> > append a file to the end of each request turned on and pointed to one
> > of the dlls. Also, all the system logs were filled with blank
> > entries.
> >
> > I won't repost the as it matches the code below.
> >
> > Has anyone found anything further or have any further ideas as to how the
> > machine may have been compromised?
> >
> > (I was just brought in when the problem happened, so, I can't speak
> > much to things like updates having been or not been done.)
> >
> > -dh
> >
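
Added example, not part of the original thread: a check for the symptom described above, a document footer enabled on a web and pointed at a file in inetsrv. It assumes the IIS metabase properties `EnableDocFooter` and `DefaultDocFooter` have been dumped to text in the style of `adsutil.vbs enum`; the sample dump, the D:\ path and the function names are constructed for illustration.

```python
import re
from ntpath import splitext  # Windows path rules regardless of host OS

# Constructed sample, modelled on `adsutil.vbs enum` text output (assumed layout).
SAMPLE = r'''
[/w3svc/1/root]
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:C:\WINNT\SYSTEM32\inetsrv\iis7xx.dll"
[/w3svc/2/root]
EnableDocFooter                 : (BOOLEAN) False
[/w3svc/3/root]
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:D:\sites\shop\footer.htm"
'''

PROP = re.compile(r'^(\w+)\s*:\s*\(\w+\)\s*(.*)$')

def parse_enum(text):
    """Return {metabase_path: {property_name: value}} from the dump."""
    nodes, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = nodes.setdefault(line[1:-1].lower(), {})
        elif current is not None and PROP.match(line):
            name, value = PROP.match(line).groups()
            current[name.lower()] = value.strip().strip('"')
    return nodes

def suspicious_footers(text):
    """List (path, footer, reasons) for every web with a footer enabled."""
    findings = []
    for path, props in sorted(parse_enum(text).items()):
        if props.get('enabledocfooter', 'false').lower() != 'true':
            continue
        footer = props.get('defaultdocfooter', '')
        kind, _, target = footer.partition(':')
        reasons = []
        if kind.upper() == 'FILE':
            ext = splitext(target)[1].lower()
            if ext not in ('.htm', '.html', '.txt'):
                reasons.append('footer is not a static page (%s)' % ext)
            if '\\inetsrv\\' in target.lower():
                reasons.append('footer file is inside inetsrv')
        findings.append((path, footer, reasons))
    return findings

if __name__ == '__main__':
    for path, footer, reasons in suspicious_footers(SAMPLE):
        print(path, footer, '; '.join(reasons) or 'review manually')
```

Every enabled footer is returned so that an unexpected one can be reviewed even when neither heuristic fires.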