
SANS ISC: Mass Infection of IIS/ASP Sites - SANS Internet Storm Center SANS ISC InfoSec Forums


Mass Infection of IIS/ASP Sites

Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google search today indicates that
there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.

For those who are hosting their websites on Windows IIS/ASP, you may find more information here:

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html

http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html - link removed...it triggers some Anti-virus.

Update: Paul at SophosLabs has released some additional information regarding this exploit and infection. Thanks Paul.

http://www.sophos.com/blogs/sophoslabs/?p=9941

Deb Hale Long Lines, LLC

Deborah

272 Posts
ISC Handler
This is the same malware as here http://www.sophos.com/blogs/sophoslabs/?p=9941

and yes I am the author :)

Paul Baccas SophosLabs
Anonymous

Posts
Would someone pls clarify:

ww-dot-robint-dot-us -OR- www-dot-robint-dot-us

// BLOCK which? or both?
Jack

160 Posts
Never mind...
- http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/
"... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out.."
Jack

160 Posts

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100609
9 June 2010
.
Jack

160 Posts
Please keep in mind that the IIS/ASP server is still vulnerable to the same type of attack. It's not a problem with IIS or ASP, but with the actual code "in" the ASP page.

In the below example from http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html, the field "utm_content" on the page "page.aspx" is the one that allowed the SQL injection to take place (output of IIS log truncated for readability):
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%
Anonymous

Posts
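The pattern the comment above points at (a tracking parameter that ends the original string literal and chains a T-SQL statement onto the query, with the keyword case-mixed to dodge naive filters) can be hunted for in IIS W3C logs after the fact. What follows is an added example and not code from the original post or from any of the linked write-ups. It parses the field layout from the `#Fields:` directive, URL-decodes each query-string value (twice, since double-encoding is common), and flags values that show chained statements, CAST-to-varchar, tautologies, comment terminators, or case-mixed SQL keywords. The log lines are constructed; the payload on the third line is a placeholder shaped like the truncated query string quoted above, not the real injection.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log. The field layout is declared by the #Fields:
# directive, as IIS writes it; the injected value on line 3 is a placeholder.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
2010-06-07 13:30:02 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_content=100x200
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%20@s%20vArChAr(4000)
2010-06-07 13:32:40 W3SVC1 webserver 192.168.1.10 GET /search.aspx q=declared%20value
2010-06-07 13:33:01 W3SVC1 webserver 192.168.1.10 GET /page.aspx id=1%20AND%201%3D1--
"""

# Indicators evaluated against the lower-cased, decoded parameter value.
SQLI_PATTERNS = {
    # a closing quote or ';' immediately followed by a statement keyword
    "chained_statement": re.compile(
        r"""['";]\s*(declare|exec|execute|cast|select|union|insert|update|delete|drop)\b"""),
    # CAST(... AS VARCHAR) is the usual way these campaigns smuggle hex payloads
    "cast_varchar": re.compile(r"\bcast\s*\(.*\bas\s+n?varchar\b"),
    # always-true / always-false comparisons such as "and 1=1"
    "tautology": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+"),
    # comment sequences used to discard the rest of the original query
    "comment_terminator": re.compile(r"(--|/\*)"),
}

# Keywords checked on the raw (case-preserved) value for mixed-case obfuscation.
KEYWORDS = re.compile(r"\b(declare|cast|exec|varchar|select|union)\b", re.IGNORECASE)


def decode(value, rounds=2):
    """URL-decode up to `rounds` times, stopping early once the value is stable."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote_plus(value)
    return value


def mixed_case_keywords(raw):
    """Return SQL keywords written in neither all-lower nor all-upper case."""
    return [m.group(0) for m in KEYWORDS.finditer(raw)
            if not (m.group(0).islower() or m.group(0).isupper())]


def parse_w3c(text):
    """Yield (line_number, {field: value}) for each data line, using #Fields:."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields directive before data")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign fields
        yield lineno, dict(zip(fields, values))


def query_params(query):
    """Split cs-uri-query on '&' only (never ';', which may be part of a payload)."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), decode(value)


def scan_iis_log(text):
    """Return a finding per suspicious parameter: line, stem, param, indicators."""
    findings = []
    for lineno, rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in query_params(query):
            norm = value.lower()
            hits = [label for label, rx in SQLI_PATTERNS.items() if rx.search(norm)]
            if mixed_case_keywords(value):
                hits.append("mixed_case_keyword")
            if hits:
                findings.append({"line": lineno, "stem": rec.get("cs-uri-stem"),
                                 "param": name, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['stem']} param={f['param']} -> {', '.join(f['indicators'])}")
```

The mixed-case check is deliberately separate from the statement patterns: a legitimate value is occasionally going to contain "select" or "cast" as an English word, but nobody types "dEcLaRe" by accident, so that indicator alone is worth a look. None of this replaces the actual fix the comment calls for, which is parameterising the query behind the ASP page; it only tells you which pages and parameters to fix first.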
Block Both one redirects to the other.
Deborah

272 Posts
ISC Handler
Adobe 0-day used - mass injections
- http://community.websense.com/blogs/securitylabs/archive/2010/06/11/adobe-0-day-used-in-mass-injections.aspx
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."
(Screenshots and video available at the Websense URL above.)

Flash v10.1.53.64 update
* Direct download current version - executable Flash Player installer...
For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For Firefox, other browsers: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

.
Jack

160 Posts
I wrote a detailed analysis here, including tools used, attacker group, etc: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html
Anonymous

Posts