[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200406251036.08700.dhill+fulldisc@cricalix.net>
From: dhill+fulldisc at cricalix.net (Duncan Hill)
Subject: SV: New malware to infect IIS and from there jump to clients
On Friday 25 June 2004 07:05, Peter Kruse might have typed:
> When the javascript runs it will try to redirect you to a remote server
> http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
> stored. As far as I know they do not reside on the compromised IIS servers,
> but simply pulls of the the payload from the remote host. Meanwhile the
> host is no longer available.
I've noticed that several ISPs appear to have null-routed that IP. I can't
get past our ISP's upstream right now - trace just dies.
Powered by blists - more mailing lists