Malicious code just found on web server
- Subject: Malicious code just found on web server
- From: mike at rockynet.com (Mike Lewinski)
- Date: Mon, 20 Apr 2009 11:23:25 -0600
- In-reply-to: <[email protected]>
- References: <B4C14CA371FEA842A548BAAB8E49CA6201758B5C16BD@badlands.win.internal> <[email protected]> <[email protected]>
Paul Ferguson wrote:
> Most likely SQL injection. At any given time, there are hundreds of
> thousands of "legitimate" websites out there that are unwittingly harboring
> malicious code.
Most of the MS-SQL injection attacks we see write malicious JavaScript
into the DB itself so all query results include it. However, I'm not
sure how easy it is to leverage to get system access - we've seen a
number of compromised customer machines and there didn't appear to be
any further compromise of them beyond the obvious. In the OP's case it
sounds like static HTML files were altered. My bet is that an FTP or SSH
account was brute-forced.
Mike
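
A check for the pattern described in the message above (script tags written into database text so that query results carry them), added here as an illustration and not part of the original post. It assumes SQLite as an offline stand-in for MS-SQL; the allowlist, table, and row contents are constructed sample data.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src") or "")

def foreign_script_hosts(value):
    """Return hosts of <script src=...> tags that are not on the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(value)
    parser.close()
    hosts = [urlparse(src).hostname for src in parser.sources]
    # Relative and inline scripts have no hostname and are skipped here.
    return [h for h in hosts if h and h not in ALLOWED_SCRIPT_HOSTS]

def scan_database(conn):
    """Check every text value in every table; return (table, column, rowid, host)."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"')
            for rowid, value in rows:
                if isinstance(value, str):
                    hits += [(table, column, rowid, h)
                             for h in foreign_script_hosts(value)]
    return hits

def build_sample_db():
    """Constructed sample data: one clean row, one with an appended script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, descr TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget", "A plain widget"),
        (2, "Gadget", 'A gadget<script src="http://injected.invalid/b.js"></script>'),
    ])
    return conn
```

`foreign_script_hosts` can also be run over the contents of static HTML files, the other case the message mentions.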