Message-ID: <6.1.1.1.2.20040625194930.01d404b0@213.30.158.180>
From: B3r3n at argosnet.com (B3r3n)
Subject: Fwd: Alert: IIS compromised to place footer JavaScript on each page
FYI
>There have been several reports of IIS servers being compromised in a
>similar fashion. The result is that each has a document footer specified
>which is JavaScript which causes the viewing browser to load a page from
>a malicious website. The loaded page installs a trojan via one of
>several attack methods attempted. According to Computer Associates, at
>least one of those methods remains unpatched. The malicious web page the
>client was being sent is no longer available.
>
>At this point it does not look like this is a widespread issue, but I'd
>like to see what you have seen.
>
>1. There is so far no reasonable explanation as to how the IIS servers
>are being compromised. The JavaScript which loads the attacking page
>checks first to see if the browser is viewing via HTTPS, and if so, then
>checks to see if there is a cookie on the client machine which starts
>with "trk716". If there isn't such a cookie, then the JavaScript
>executes causing the malicious page to be delivered to the victim. The
>cookie expires in 10 minutes.
>
>- Check your IIS Servers and verify whether the "Enable Document Footer"
>option has been enabled (inspect the Documents tab in IIS Manager for
>each site, or inspect the metabase to see whether EnableDocFooter is set
>to true).
>
>- If Document Footers are enabled and they shouldn't be, check which
>files are being specified as the footer document. If you have been
>attacked you will find files named similar to "iis7#.dll" in the
>\inetsrv directory. There may be one for each of your virtual
>directories.
>
>- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
>machines. ftpcmd gets the agent.exe, which is subsequently executed
>resulting in the metabase being modified by executing the ads.vbs with
>appropriate parameters.
>
>Questions for those of you who have been compromised:
>
>a) Do you have an SSL certificate on any site on the compromised box?
>There has been some speculation that this may have something to do with
>the attack.
>
>b) Were all of the sites on the compromised machine modified to include
>a document footer? If not, is there anything unique about the ones that
>were modified?
>
>c) If you had more than one machine compromised, did you have any
>similarly exposed IIS servers that weren't compromised? There is
>speculation that the attack is specific to IIS 5.0.
>
>d) Had you applied MS04-011 but not yet had the machine rebooted? A
>couple of the reports from compromised machines indicated they had
>applied the patch but not yet rebooted the machine. Try to be sure
>whether the machine was rebooted before indicating it was "fully
>patched." Please provide the details of the compromised box, its OS
>version, SP level, patches applied, plus any other components which may
>have been installed (e.g. Cold Fusion, etc...)
>
>e) Can you send me a copy of the agent.exe, or whatever name it may be?
>If so, please rename the extension to .ts and send it to
>Russ.Cooper@...Secure.ca
>
>f) What directory did you find the ftpcmd.txt and/or agent.exe in?
>
>g) Check your logs for anything dated similar to the datetime of
>ftpcmd.txt, let me know if you find anything suspicious.
>
>2. The attack against the clients has been specified as being:
>
>Microsoft - Download.Ject
>http://www.microsoft.com/security/incident/download_ject.mspx
>Symantec - JS.Scob.Trojan
>http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
>FSecure - Scob
>http://www.f-secure.com/v-descs/scob.shtml
>Computer Associates - JS.Toofer
>http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438
>
>CA provides the most information so far, indicating that the trojans are
>polymorphic variants of Win32.Webber. They claim the malicious web page
>exploits the Modal Dialog Zone Bypass discovered earlier in June. They
>also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).
>
>Questions:
>
>a) If you got a copy of the attacking page, can you send it to me?
>
>b) What site served up the document footer that caused you to be sent
>the malicious page?
>
>Cheers,
>Russ - NTBugtraq Editor
>
>-----
>NTBugtraq Editor's Note:
>
>Want to reply to the person who sent this message? This list is configured
>such that just hitting reply is going to result in the message coming to
>the list, not to the individual who sent the message. This was done to
>help reduce the number of Out of Office messages posters received. So if
>you want to send a reply just to the poster, you'll have to copy their
>email address out of the message and place it in your TO: field.
>-----
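The checks the forwarded alert asks administrators to run (document footers enabled in the metabase, footer files named like "iis7#.dll" under \inetsrv, and the ftpcmd.txt / agent.exe / ads.vbs drop files) can be scripted. The following is an added example written for this page, not code from the original post or from NTBugtraq. It assumes the classic ADSI IIS provider (IIS://localhost/W3SVC) of IIS 5/6, that \inetsrv lives under %SystemRoot%\system32, that the "iis7#.dll" naming in the alert is approximated by the wildcard iis7*.dll, and that it runs locally with administrative rights.

```powershell
# Added example, not part of the original post: audit an IIS 5/6 metabase for
# document footers and look for the file names the alert associates with the
# compromise. Assumptions: classic ADSI IIS provider, default \inetsrv path,
# iis7*.dll as an approximation of the "iis7#.dll" pattern quoted above.

$inetsrv  = Join-Path $env:SystemRoot 'system32\inetsrv'   # assumed default location
$iocFiles = 'ftpcmd.txt', 'agent.exe', 'ads.vbs'           # names quoted in the alert
$script:findings = @()

function Test-DocFooter {
    param([System.DirectoryServices.DirectoryEntry]$Node, [string]$Label)
    # EnableDocFooter / DefaultDocFooter are inheritable metabase properties;
    # DefaultDocFooter is either "FILE:<path>" or "STRING:<text>".
    $enabled = $Node.Properties['EnableDocFooter'].Value
    if ($enabled -eq $true) {
        $footer = [string]$Node.Properties['DefaultDocFooter'].Value
        $hit = [pscustomobject]@{ Site = $Label; Footer = $footer; Suspicious = $false }
        # Footer file under \inetsrv matching the iis7*.dll pattern is the indicator
        # described in the alert; any unexpected footer still deserves a look.
        if ($footer -match '(?i)^FILE:.*\\inetsrv\\iis7[^\\]*\.dll$') { $hit.Suspicious = $true }
        $script:findings += $hit
    }
}

# Walk every web site, its Root, and each virtual directory, since the alert
# notes one footer DLL may exist per virtual directory.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
    $name = [string]$site.Properties['ServerComment'].Value
    Test-DocFooter -Node $site -Label "$name (W3SVC/$($site.Name))"
    $root = [ADSI]"$($site.Path)/Root"
    Test-DocFooter -Node $root -Label "$name /Root"
    foreach ($vdir in $root.Children) {
        if ($vdir.SchemaClassName -eq 'IIsWebVirtualDir') {
            Test-DocFooter -Node $vdir -Label "$name /$($vdir.Name)"
        }
    }
}

# File-system side: footer DLL look-alikes in \inetsrv, plus the dropper names,
# searched under the system root (the alert does not fix their directory).
$suspectFiles = @()
if (Test-Path $inetsrv) {
    $suspectFiles += Get-ChildItem -Path $inetsrv -Filter 'iis7*.dll' -ErrorAction SilentlyContinue
}
foreach ($f in $iocFiles) {
    $suspectFiles += Get-ChildItem -Path $env:SystemRoot -Recurse -Filter $f -ErrorAction SilentlyContinue
}

# Report. LastWriteTime is printed so the timestamps can be matched against
# IIS and event logs, as item (g) of the alert suggests.
if ($script:findings.Count -eq 0) { Write-Output 'No document footers enabled in the metabase.' }
else { $script:findings | Format-Table -AutoSize }

if ($suspectFiles.Count -eq 0) { Write-Output 'None of the named files found.' }
else { $suspectFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize }
```

A footer that is enabled but points at a file you recognise is not by itself a finding; what matters is a footer nobody configured, especially one whose file sits in \inetsrv under an unfamiliar name. Treat any hit as a reason to preserve the box and its logs before cleaning, since the alert asks for the dropped files and the log entries around their timestamps.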