- http://isc.sans.org/...date=2004-06-24
Updated June 25th 2004 01:27 UTC
"RFI - Russian IIS Hacks?
UPDATE (2100 UTC) - Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome.
The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops...
[original diary entry follows]
A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security ***) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number...
The Storm Center would like to know if others are seeing this phenomenon and if there are any ideas about its origin or intent (other than being an attempt to download malware - that's obvious.) The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it."
Also (may be related) >>> Corporate Web servers infecting visitors' PCs
- http://news.com.com/...g=st.util.print
June 24, 2004, 6:35 PM PDT
"...The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties. "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site. The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available..."
***
- http://www.microsoft...y&lang=en&cr=US
Edited by apluswebmaster, 25 June 2004 - 03:22 AM.
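For admins who want to check their own boxes for the indicator the ISC diary describes (tiny iis7xy.dll files dropped in \winnt\system32\inetsrv), here is a small scanner. It is an added example, not code from ISC, news.com or the original poster; the name pattern (x in 1-3, y a letter or digit, matched case-insensitively), the 2 KiB size cut-off and the sample directory it builds for an offline run are my assumptions based on the diary's description.

```python
"""Scan an IIS inetsrv directory for the ~1 KB iis7xy.dll files described in the
ISC diary. Added example, not from the ISC diary or the forum post."""
import os
import re
import sys
import tempfile
from pathlib import Path

# Name pattern per the diary: iis7xy.dll, x a digit 1-3, y a letter or digit.
# Assumption: legitimate IIS components do not use this prefix, and the
# dropped files may have been written with any letter case.
SUSPECT_NAME = re.compile(r"^iis7[1-3][a-z0-9]\.dll$", re.IGNORECASE)

# The diary says the files are "1kb". Anything at or under 2 KiB is treated as
# suspicious (assumed threshold; real IIS DLLs are far larger).
MAX_SUSPECT_SIZE = 2048

# Default location from the diary.
DEFAULT_INETSRV = r"C:\winnt\system32\inetsrv"


def find_suspect_dlls(inetsrv_dir, max_size=MAX_SUSPECT_SIZE):
    """Return a sorted list of (name, size) for regular files whose name
    matches the iis7xy.dll pattern AND whose size is at most max_size.
    Both conditions are required: a large file with a matching name or a
    small file with a non-matching name is not reported."""
    hits = []
    for entry in os.scandir(inetsrv_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        size = entry.stat(follow_symlinks=False).st_size
        if SUSPECT_NAME.match(entry.name) and size <= max_size:
            hits.append((entry.name, size))
    return sorted(hits)


def build_sample_dir(root):
    """Populate a constructed inetsrv lookalike so the scanner can be run
    offline. File names and contents are made up for the demo."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "iis71a.dll").write_bytes(b"\x00" * 1024)    # matches IOC
    (root / "IIS73Z.DLL").write_bytes(b"\x00" * 900)     # matches, odd case
    (root / "iis7ab.dll").write_bytes(b"\x00" * 1024)    # x not 1-3: no match
    (root / "iis72b.dll").write_bytes(b"\x00" * 65536)   # name matches, too big
    (root / "iis71a.dll.bak").write_bytes(b"\x00" * 512) # wrong extension
    (root / "inetinfo.exe").write_bytes(b"\x00" * 16384) # unrelated binary
    return root


def demo():
    """Build the sample directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_dir(Path(tmp) / "inetsrv")
        return find_suspect_dlls(sample)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INETSRV
    if Path(target).is_dir():
        results = find_suspect_dlls(target)
    else:
        print(f"{target} not found; scanning a constructed sample directory")
        results = demo()
    for name, size in results:
        print(f"SUSPECT: {name} ({size} bytes)")
    if not results:
        print("no files matching the iis7xy.dll indicator")
```

Run it with no arguments on a Windows box to scan the default inetsrv path, or pass another directory; on any other machine it falls back to the constructed sample. A hit is only an indicator: confirm by checking the file's timestamp against the web logs and the IIS config for the modifications ISC mentions.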