Solved

Evil script tags appearing in HTML code from IIS box (www.heiheinn.cn)

Posted on 2008-06-18
4
550 Views
Last Modified: 2012-06-27
Hi chaps,

We've been asked to look at an IIS server which has recently started rendering web pages with "script src = http://www.heiheinn.cn/k.js >< / script " inserted in to the A tags. This results in people being bombarded with a series of popups when they visit the pages being displayed.

The server itself is fairly well secured, with only port 80 and 443 and 21 open to the web and is behind a VPN to which only a few people have access. There's no sign of anything in the ftp logs.

My recommendation so far is to blow the box away and restore from backups. My concern though was heightened when I searched on google for the website of the evil JS code (www.heiheinn.cn) and found loads other links featuring that site but no pages about the problem itself. There's also the risk of restoring from backups only to find that the issue occurred before people noticed and the backups themselves are 'infected'.

The IIS box is a windows 2003 standard machine running MySQL and MS SQL 2005. Until very recently the client was doing plain dumb stuff like setting each site to the use the SA account of MS SQL with a really slack password, so I'm not entirely surprised that someone may have leveraged a way in to IIS and screwed up the links.

Anyone seen this before? I'd like to know more about it before I simply say that we burn the server at sunset, particularly if there is a risk of it coming back (which I'm assuming there is).

Olly

0
Comment
Question by:stonneway
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
alexpercsi earned 250 total points
ID: 21817808
Most likely this site has fallen victim to an SQL Injection attack. The malicious code probably found its way into the database of the site and is served from there. Look at the database content and see if you can find the script (or part of the script) in the tables. If you can determine the time it was added to the database and have regular backups, consider reverting to a version from before the infestation of the database.

Let me know if this helps. There might be other posibilities as well.

Best Regards,
Alex.

P.S. one basic step in preventing SQL injection attacks is to remove all ' characters from user input.
0
 
LVL 1

Author Comment

by:stonneway
ID: 21820325
Thanks Alex,

I'd come to a similar conclusion last night after finding some references to that domain name on a security site article about SQL injection. As usual, trying to explain to the web company in question that their coder should have parsed the user input hasn't gone down well :)

Thanks
Olly
0
 
LVL 7

Expert Comment

by:alexpercsi
ID: 21823958
Then I assume that proposing to secure the site from cross site scripting attacks is out of the question :)
0
 
LVL 1

Author Comment

by:stonneway
ID: 21829332
Well, it seems that this was the cause;

http://www.modsecurity.org/blog/archives/2008/01/sql_injection_a.html

The coders have accepted that they need to include basic SQL parsing and better security on their back end.

Thanks chaps.

Olly
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question