Full Disclosure mailing list archives

Re: SV: New malware to infect IIS and from there jump to clients


From: Nasir Ghaznavi <nasirghaznavi () gmail com>
Date: Sat, 26 Jun 2004 05:04:49 +0500

As of now the server, which was a Russian server, has been taken down.

Nasir Ghaznavi

On Fri, 25 Jun 2004 10:36:08 +0100, Duncan Hill
<dhill+fulldisc () cricalix net> wrote:

On Friday 25 June 2004 07:05, Peter Kruse might have typed:

When the javascript runs it will try to redirect you to a remote server
http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
stored. As far as I know they do not reside on the compromised IIS servers,
but simply pull off the payload from the remote host. Meanwhile the
host is no longer available.

I've noticed that several ISPs appear to have null-routed that IP.  I can't
get past our ISP's upstream right now - trace just dies.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

