On Fri, 25 Jun 2004 14:47:25 -0400, "Mark Haney" <mark.haney@xxxxxxxxxxxxxxxxxxx> wrote:

>On Fri, 25 Jun 2004 14:31:45 -0400, Edward Croft <ecroft@xxxxxxxxxxxxxxx>
>wrote:
>
>Okay, being the total skeptic I am, do you have any links to provide
>additional info on this?

>From the NTBUGTRAQ mailing list:

There have been several reports of IIS servers being compromised in a similar fashion. The result is that each has a document footer specified which is JavaScript which causes the viewing browser to load a page from a malicious website. The loaded page installs a trojan via one of several attack methods attempted. According to Computer Associates, at least one of those methods remains unpatched. The malicious web page the client was being sent is no longer available.

At this point it does not look like this is a widespread issue, but I'd like to see what you have seen.

1. There is so far no reasonable explanation as to how the IIS servers are being compromised.

The JavaScript which loads the attacking page checks first to see if the browser is viewing via HTTPS, and if so, then checks to see if there is a cookie on the client machine which starts with "trk716". If there isn't such a cookie, then the JavaScript executes, causing the malicious page to be delivered to the victim. The cookie expires in 10 minutes.

- Check your IIS Servers and verify whether the "Enable Document Footer" option has been enabled (inspect the Documents tab in IIS Manager for each site, or inspect the metabase for whether EnableDocFooter is set to true).
- If Document Footers are enabled and they shouldn't be, check which files are being specified as the footer document. If you have been attacked you will find files named similar to "iis7#.dll" in the \inetsrv directory. There may be one for each of your virtual directories.
- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised machines. ftpcmd gets the agent.exe, which is subsequently executed, resulting in the metabase being modified by executing the ads.vbs with appropriate parameters.

Questions for those of you who have been compromised:

a) Do you have an SSL certificate on any site on the compromised box? There has been some speculation that this may have something to do with the attack.

b) Were all of the sites on the compromised machine modified to include a document footer? If not, is there anything unique about the ones that were modified?

c) If you had more than one machine compromised, did you have any similarly exposed IIS servers that weren't compromised? There is speculation that the attack is specific to IIS 5.0.

d) Had you applied MS04-011 but not yet had the machine rebooted? A couple of the reports from compromised machines indicated they had applied the patch but not yet rebooted the machine. Try to be sure whether the machine was rebooted before indicating it was "fully patched." Please provide the details of the compromised box, its OS version, SP level, patches applied, plus any other components which may have been installed (e.g. Cold Fusion, etc...).

e) Can you send me a copy of the agent.exe, or whatever name it may be? If so, please rename the extension to .ts and send it to Russ.Cooper@xxxxxxxxxxxx

f) What directory did you find the ftpcmd.txt and/or agent.exe in?

g) Check your logs for anything dated similar to the datetime of ftpcmd.txt, and let me know if you find anything suspicious.

2. The attack against the clients has been specified as being:

Microsoft - Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx

Symantec - JS.Scob.Trojan
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html

FSecure - Scob
http://www.f-secure.com/v-descs/scob.shtml

Computer Associates - JS.Toofer
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438

CA provides the most information so far, indicating that the trojans are polymorphic variants of Win32.Webber. They claim the malicious web page exploits the Modal Dialog Zone Bypass discovered earlier in June. They also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).

Questions:

a) If you got a copy of the attacking page, can you send it to me?

b) What site served up the document footer that caused you to be sent the malicious page?

Cheers,
Russ - NTBugtraq Editor

--
Steve
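As an added example that is not part of this thread or of the NTBugtraq post: a small Python checker a site owner could run over fetched page bodies to spot the injected document footer described above. It assumes (my assumption, not stated in the post) that IIS appends the footer file after the page's closing </html>, and it looks there for a script block carrying the HTTPS test and the "trk716" cookie check the post describes; the sample responses are constructed.

```python
import re

COOKIE_MARKER = "trk716"  # cookie-name prefix named in the NTBugtraq report

# Constructed samples. INFECTED is a harmless stand-in for the reported footer:
# a script appended after </html> that tests for HTTPS and the trk716 cookie.
CLEAN = "<html><body><h1>Welcome</h1></body></html>\r\n"
INFECTED = CLEAN + (
    '<script language="JavaScript">'
    '/* constructed stand-in, does nothing */'
    'if(location.protocol=="https:"&&document.cookie.indexOf("trk716")<0){}'
    "</script>"
)

HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def trailing_scripts(body: str) -> list:
    """Return the bodies of <script> blocks that sit after the last </html>.

    A document footer is appended to the served file, so anything after the
    page's own closing tag is the footer's contribution (assumption above).
    """
    last = None
    for last in HTML_CLOSE_RE.finditer(body):
        pass
    if last is None:
        return []
    return [s.strip() for s in SCRIPT_RE.findall(body[last.end():])]


def footer_indicators(body: str) -> dict:
    """Individual indicators, so an analyst can see which one fired."""
    joined = "\n".join(trailing_scripts(body))
    return {
        "script_after_html": bool(joined),
        "trk716_cookie_check": COOKIE_MARKER in joined,
        "https_check": "https:" in joined,
    }


def looks_injected(body: str) -> bool:
    """Flag a trailing script that shows either behaviour from the report."""
    ind = footer_indicators(body)
    return ind["script_after_html"] and (
        ind["trk716_cookie_check"] or ind["https_check"]
    )


def scan_responses(responses: dict) -> list:
    """Map of URL -> body (as fetched by the defender) to the URLs flagged."""
    return sorted(url for url, body in responses.items() if looks_injected(body))
```

Because every virtual directory may carry its own footer, fetch one document from each directory rather than only the site root.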