Mass Infection of IIS/ASP Sites - SANS Internet Storm Center

Mass Infection of IIS/ASP Sites
Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated. For those who are hosting there websites on Windows IIS/ASP you may find more information here. http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html - link removed...it triggers some Anti-virus. Update: Paul at Sophos logs has released some additional information regarding this exploit and Infection. Thanks Paul. http://www.sophos.com/blogs/sophoslabs/?p=9941 Deb Hale Long Lines, LLC	Deborah 278 Posts ISC Handler
Subscribe	Jun 12th 2010 9 years ago
This is the same malware as here http://www.sophos.com/blogs/sophoslabs/?p=9941 and yes I am the author :) Paul Baccas SophosLabs	Anonymous
Quote	Jun 9th 2010 9 years ago
Would someone pls clarify: ww-dot-robint-dot-us -OR- www-dot-robint-dot-us // BLOCK which? or both?	Jack 160 Posts
Quote	Jun 9th 2010 9 years ago
Never mind... - http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/ "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out.."	Jack 160 Posts
Quote	Jun 9th 2010 9 years ago
Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers - http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100609 9 June 2010 .	Jack 160 Posts
Quote	Jun 9th 2010 9 years ago
Please keep in mind that the IIS/ASP server is still vulnerable to the same type of attack. It's not a problem with IIS or ASP, but with the actual code "in" the ASP page. In the below example from http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html, the field "utm_content" on the page "page.aspx" is the one that allowed the SQL injection to take place (output of IIS log truncated for readability): 2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%	Jack 1 Posts
Quote	Jun 9th 2010 9 years ago
Block Both one redirects to the other.	Deborah 278 Posts ISC Handler
Quote	Jun 9th 2010 9 years ago
Adobe 0-day used - mass injections - http://community.websense.com/blogs/securitylabs/archive/2010/06/11/adobe-0-day-used-in-mass-injections.aspx 11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers." (Screenshots and video available at the Websense URL above.) Flash v10.1.53.64 update * Direct download current version - executable Flash Player installer... For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe For Firefox, other browsers: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe .	Jack 160 Posts
Quote	Jun 12th 2010 9 years ago
I wrote a detailed analysis here, including tools used, attacker group, etc: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html	Jack 1 Posts
Quote	Jun 14th 2010 9 years ago