Re: Russian IIS hack? Malicious Javascript code

From: srock (a_at_localhost)
Date: 06/24/04


Date: Thu, 24 Jun 2004 11:49:27 -0400

Yes - please post the contents of the files.

thanks

"dh" <dhahn-google@dhahn.com> wrote in message
news:2ec24459.0406240735.3b9fc83f@posting.google.com...
> As a follow up,
>
> I also found the files ftpcmd.txt, agent.exe and ads.vbs. The ftpcmd
> file looks to have been used to get the agent.exe file which received
> and ran the ads.vbs file. The ads.vbs file created the iis7xx.dll
> files as well as contacting the IIS admin service to turn on the
> DocFooter and point it at one of the .dlls for each web that was on
> the machine.
>
> The server is behind a PIX firewall and only IIS is exposed to the
> world.
>
> I can post the content of the ftpcmd and ads.vbs files if that's
> helpful.
>
> I also had trouble running the task manager - not sure what changed,
> but, later on I was able to start it from the command line.
>
> HTH,
>
> -dh
>
> dhahn-google@dhahn.com (dh) wrote in message
news:<2ec24459.0406231512.3cfab8f2@posting.google.com>...
> > Just found the same thing on a 2000 server. Six dlls were placed in
> > C:\WINNT\SYSTEM32\inetsrv. Each web on the system had the option to
> > append a file to the end of each request turned on and pointed to one
> > of the dlls. Also, all the system logs were filled with blank
> > entries.
> >
> > I won't repost the as it matches the code below.
> >
> > Has anyone found anything further or have any further ideas as how the
> > machine may have been compromised?
> >
> > (I was just brought in when the problem happened, so, I can't speak
> > much to things like updates having been or not been done.)
> >
> > -dh
> >
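The quoted posts describe the persistence pattern (a document footer enabled per web and pointed at one of the dropped DLLs under inetsrv). The script below is an added audit example, not code from this thread or from Microsoft; it walks every web site in the IIS metabase through the ADSI IIS provider and reports the EnableDocFooter and DefaultDocFooter values at the site and Root virtual directory levels, flagging a footer that is enabled and points at a .dll. It assumes IIS 5/6 on Windows 2000/2003 with ADSI available and is run locally as an administrator with cscript.

```vbscript
' Added example (not from the thread): audit IIS document-footer settings.
' Assumes IIS 5/6 (Windows 2000/2003); run with: cscript footer_audit.vbs
Option Explicit

Dim svc, site, root
Set svc = GetObject("IIS://localhost/W3SVC")

' The footer properties can be set at the site or at its Root vdir and are
' inherited downward, so both levels are reported for each web.
For Each site In svc
    If site.Class = "IIsWebServer" Then
        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
        ReportFooter site, "  site level   "
        On Error Resume Next
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")
        If Err.Number = 0 Then ReportFooter root, "  Root vdir    "
        On Error GoTo 0
    End If
Next

Sub ReportFooter(obj, label)
    Dim enabled, footer
    ' Reading a property that is not set at any level raises an error;
    ' treat that as "not enabled / no footer".
    On Error Resume Next
    enabled = obj.EnableDocFooter
    footer  = obj.DefaultDocFooter
    On Error GoTo 0
    If IsEmpty(enabled) Then enabled = False
    If IsEmpty(footer) Then footer = ""
    WScript.Echo label & "EnableDocFooter=" & enabled & _
                 "  DefaultDocFooter=" & footer
    ' An enabled footer whose FILE: target is a DLL is the pattern reported
    ' in this thread and should be reviewed along with the referenced file.
    If CBool(enabled) And InStr(1, LCase(footer), ".dll") > 0 Then
        WScript.Echo label & "** WARNING: footer enabled and points at a DLL"
    End If
End Sub
```

On a clean server every web normally shows EnableDocFooter=False and an empty DefaultDocFooter; any FILE: value, especially one under C:\WINNT\SYSTEM32\inetsrv, is worth comparing against the DLL list from the quoted post before cleaning up.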
