Re: Russian IIS hack? Malicious Javascript code
From: ProquestWebGuy (webmaster_at_pbs.proquest.com)
Date: 06/24/04
- Next message: Philip: "How to setup HTTPS"
- Previous message: Patrick: "RE: Russian IIS hack? Malicious Javascript code"
- In reply to: LPD: "Re: Russian IIS hack? Malicious Javascript code"
- Next in thread: Joe: "Re: Russian IIS hack? Malicious Javascript code"
- Reply: Joe: "Re: Russian IIS hack? Malicious Javascript code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Jun 2004 11:13:12 -0700
I know you are all running IIS 5. What other technologies are you
using? ASP, ColdFusion, Java, etc.? I am running 50+ webservers and
have checked several of them. I see no signs of "infection". I am
just wondering if this is a flaw in IIS or if they are getting in
using another technology weakness.
Bill
mcnutt@lcti.net (LPD) wrote in message news:<e98ace9e.0406232353.2fe49ee1@posting.google.com>...
> Oca Hoeflein <Oca Hoeflein@discussions.microsoft.com> wrote in message news:<F5E81692-8CC7-471B-9751-3A9C69ECB013@microsoft.com>...
> > I successfully removed some malicious code from my IIS 5.0 server that may not have had all its patches updated, but I cannot find any information on this malicious code that redirected on a random basis the users of my websites to a Russian website that appeared to be down, to a domain called balamut.com
> > with an IP address of 217.107.218.147 which RDNS to
> > unassigned.m10-msk-ru.e-neverland.net
> >
> > The javascript code lived in some fake dll files in the inetsrv folder.
> > One fake .dll file was created for each web on my server and in the IIS metabase the defaultdocfooter was set to each of the dll files and enabledocfooter was set to true.
> >
> > The offending code was embedded in every file that the website delivered, and on pages that had embedded .js files the JavaScript for those pages would not function.
> >
> > I have posted the offending code, maybe someone can identify this?
> >
> > As proof, check out a Google search for one of the functions in the code, okx12()
> >
> > You'll see the first link it returns is an RTF; if you view the HTML version you'll see this code appended to the bottom of the page.
> >
> >
>
> I got hit too. Server was fully patched, sitting behind a checkpoint
> firewall, running the latest version of NAV corporate with up to date
> virus defs. Noticed it right away because it broke OWA and I get
> calls from customers within 60 seconds if OWA has a problem.
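The metabase change Oca describes (EnableDocFooter set to true and DefaultDocFooter pointed at a fake .dll under inetsrv) can be audited across every site on a server in one pass. The script below is an added example, not code from anyone in this thread; it assumes the ADSI IIS provider (IIS 5/6) is present and that it is run with cscript as an administrator on the server.

```vbscript
' Added example: walk every web site in the IIS metabase through the ADSI IIS
' provider and report document-footer settings matching the indicator in the
' thread (EnableDocFooter = True, DefaultDocFooter naming a file under inetsrv
' or with a .dll extension). Report only; review the file before removing it.
Option Explicit

Dim w3svc, site, root, footer, flagged
flagged = 0

Set w3svc = GetObject("IIS://localhost/W3SVC")

For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")
        footer = root.DefaultDocFooter      ' "FILE:<path>" or "STRING:<text>" when set
        If root.EnableDocFooter Then
            WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
            WScript.Echo "  EnableDocFooter = True"
            WScript.Echo "  DefaultDocFooter = " & footer
            ' A footer served from the IIS system directory, or named like a
            ' DLL, matches what the posters found on their servers.
            If InStr(1, footer, "inetsrv", vbTextCompare) > 0 _
               Or LCase(Right(footer, 4)) = ".dll" Then
                WScript.Echo "  ** suspicious: footer file under inetsrv or with .dll extension"
                flagged = flagged + 1
            End If
        End If
    End If
Next

WScript.Echo flagged & " site(s) flagged for review."
```

Footers inherited from the W3SVC level are reported on each site as well, so a single global setting shows up under every site.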