Below is the JavaScript code of an “injection” that inserts itself into the index file of a website. It is designed to go undetected by redirecting only seldom and at random. It is placed at the bottom of the source code, with a significant gap of whitespace after the end of the regular source code (115 lines in all cases). In most of the cases that I have come across, it redirects to a “spyware” or “virus” site. It also goes undetected by antivirus programs (Trend Micro, Panda, Avast). It works with Mozilla (2.0.0.11) and IE7 (I haven’t tested it in others). I’ll look into it further once I decode the script itself.
One of the sites it redirects to is: http://e.pepato.org/e/adsr.php?t=0
It infects each individual .php file and does not re-infect after the initial infection. I have created new sites and cleaned infected .php files, and it has disappeared completely. It injects this code into .php (and .html) files about 115 lines below the last line. It ONLY infects index.php/html files in the root directory of the website. If you name your file index2.php, it will not be infected. The “modified date” time stamps DO change with the infection. There was a spread of 1 minute for hundreds of .php files. If you need a quick way to search all index.php/html files on a server, download Notepad++ and use the “search in directory” feature for certain strings of text. Alternatively, once you find the time stamp of infection, search for files modified at that time.
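As a way to do that search without opening files one by one, here is an added Python example (not code from the original post) that walks a web root, checks every index.php/index.html/index.htm for a `<script>` tag that sits after a long run of blank lines, and groups the hits by modification minute so a mass infection shows up as a single burst. The web root, file contents and timestamps are constructed for the demo, and the 50-line gap threshold is an assumption chosen from the 115-line gap described above.

```python
import os
import re
import tempfile
from collections import defaultdict

# Names the post says get infected: only index files in a site's root.
INDEX_NAMES = ("index.php", "index.html", "index.htm")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def find_trailing_script(text, min_gap=50):
    """Return the script appended after a long run of blank lines, or None.

    The injection sits after ~115 whitespace lines, so we look at the LAST
    <script> tag in the file and count the whitespace-only lines before it.
    A normal page has real markup directly in front of its scripts.
    min_gap=50 is an assumption: low enough to catch variants, high enough
    to ignore the blank line or two most editors leave at the end of a file.
    """
    last = None
    for last in SCRIPT_TAG.finditer(text):
        pass
    if last is None:
        return None
    gap = 0
    for line in reversed(text[:last.start()].split("\n")):
        if line.strip():
            break
        gap += 1
    return text[last.start():] if gap >= min_gap else None


def scan_root(root, min_gap=50):
    """Walk `root` (all sites on the server) and check every index file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                payload = find_trailing_script(fh.read(), min_gap)
            if payload is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append({"relpath": rel, "mtime": os.path.getmtime(path),
                             "payload": payload[:60]})
    return hits


def cluster_by_minute(hits):
    """Group hits by modification minute: a mass infection is one burst."""
    buckets = defaultdict(list)
    for h in hits:
        buckets[int(h["mtime"] // 60)].append(h["relpath"])
    return dict(buckets)


def build_demo_root():
    """Constructed sample web roots (not real infected files) for a dry run."""
    root = tempfile.mkdtemp(prefix="webroot-")
    clean = ('<html><head><script src="app.js"></script></head>'
             "<body>hi</body></html>\n")
    infected = clean + "\n" * 115 + \
        "<script>/* constructed stand-in for the injected code */</script>\n"
    layout = {
        "index.php": infected,         # root index: infected
        "index2.php": infected,        # not an index file: ignored by the scan
        "site2/index.html": infected,  # second site on the same server
        "site3/index.html": clean,     # normal page, script in <head>
    }
    base = 1200000000  # fake infection time stamp (2008-01-10 21:20:00 UTC)
    for i, (rel, body) in enumerate(layout.items()):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (base + i * 10, base + i * 10))  # all within one minute
    return root


if __name__ == "__main__":
    found = scan_root(build_demo_root())
    for h in found:
        print(f"{h['relpath']}: mtime={h['mtime']:.0f} tail={h['payload']!r}")
    print("burst(s):", cluster_by_minute(found))
```

Point `scan_root` at the parent directory that holds all your site roots; the minute buckets returned by `cluster_by_minute` give you the time stamp to search for in the other files (and in the IIS logs) once the first hit is found.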
As most of you know, Windows is a hotbed of viruses (not virii), worms, and malware. I’ve had the pleasure of finding a new worm that attacks the TCP/IP service, tcpsrv.exe, in the C:\Windows\System32\ folder. This file is needed for Active Directory and the Workstation Driver (i.e. Client for Microsoft Networks). With this file removed, you cannot remote into your server or run Active Directory and, as a result, Exchange Server. You can, however, serve web pages just fine with IIS.
I have three antivirus “managers” on my internal and external network: Panda Enterprise, Trend Micro ServerProtect and Avast Antivirus for Server 2003. My favorite is Avast because it is easy to use and “cheap.” The TCP/IP worm was not detected by Panda or Trend Micro. Avast only knew it was malicious and recommended quarantining or deleting it upon restart. If you delete it upon restart, or even quarantine it, your server will no doubt be crippled. You will not be able to log into your server through RDP (Remote Desktop).
When you try to log in through RDP (Remote Desktop), you type your username and password and an error pops up: “Cannot log on. The Workstation driver is not installed.” “Workstation Driver” is the common name for Client for Microsoft Networks, found in your network adapter properties. So how do you fix your server if you cannot log into it? Well, it takes some telnet and some creative FTP in the Windows directory, which I will explain in a different post. For now, you’ll need physical access to your server, or someone with physical access who can follow instructions.
You can log in at the server’s console without a problem, because only the RDP login uses the TCP/IP service, unlike the regular console login. Because the TCP/IP service is missing or corrupted, the following services (all found in services.msc, launched from the Run command) will not work:
Workstation (or client for Microsoft networks)
Server
TCP/IP Service
RPC Locator
Netlogon
The RPC Locator and Net Logon services depend on the Workstation service. All of these services should be set to Startup Type: Automatic and should be running on any machine. The Server service (LanmanServer) is what lets the machine act as a domain controller, since it provides the SYSVOL and NETLOGON shares that a domain controller must offer; it is what lets your computer know WHAT it is. If you try to open Active Directory without it, you get an error saying “the domain could not be found” or “the computer is not part of a domain.” This matters for Active Directory and Exchange Server. The Server service in turn requires the TCP/IP service to run. Steps:
1. Locate a fresh copy of tcpsrv.exe in a backup or in the i386 folder of the install disc. For Windows 2003 SP2 the latest revision is from 2006. Put it into the System32 directory and manually restart all the above services. If this works, fantastic: it was an easily contained worm. If not, read on.
2. If the above did not work, you’ll need to go into the network adapter properties and delete “Client for Microsoft Networks.” You will need to restart after you have done this. Once restarted, re-install Client for Microsoft Networks; you will need your Windows 2003 CD. Restart again.
3. Verify that the startup type for the RPC Locator service is set to Automatic and start the service. Do the same for the Net Logon service, but do not start it yet. Start Registry Editor (Regedt32.exe) and then click the DependOnService value under the Netlogon service’s key in the registry:
4. On the Edit menu, click Multi String, type LanmanServer on a line by itself, and then click OK. In the Services tool, start the Net Logon service. If you cannot start it, continue with the steps below. If it does start, start the Server service and verify that Active Directory Users and Computers opens and that you can see the available users and computers.
5. If the above still didn’t work, you may also have a corrupt TCP/IP stack and corrupt Winsock2. You’ll need to restart your computer in “Directory Services Restore Mode” by pressing F8 after the BIOS information has been displayed. Once you have logged in, open Regedt32.exe and find and delete the following registry keys:
6. Locate the Nettcpip.inf file in your Windows\inf directory and open it in Notepad. Find [MS_TCPIP.PrimaryInstall] and change Characteristics = 0xa0 to 0x80. (0xa0 is NCF_HAS_UI, 0x80, combined with NCF_NOT_USER_REMOVABLE, 0x20; clearing the 0x20 flag is what makes the Uninstall button in step 8 work.)
7. Go into the properties of your network adapter and click “Install,” select “Protocol,” “Add” and “Have Disk.” In the “Copy Manufacturer’s Files From” box select C:\Windows\inf and click OK. Select “Internet Protocol (TCP/IP)” and click OK.
8. This allows you to remove the TCP/IP service from a domain controller (which was not possible before). Now in the properties box of the network adapter select “Internet Protocol (TCP/IP)” and click Uninstall. Once it has uninstalled, restart the computer in Directory Services Restore Mode again. Reinstall Internet Protocol (TCP/IP) the same way as in step 7: in the properties of your network adapter click “Install,” select “Protocol,” “Add” and “Have Disk,” point the “Copy Manufacturer’s Files From” box at C:\Windows\inf, click OK, select “Internet Protocol (TCP/IP)” and click OK.
9. Restart your computer in normal mode. All services should have started. If not, verify that the above services are set to Automatic and try to start them manually.
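As an added example (not part of the original post), a Python helper for checking two of the edits above without clicking through the GUI: it decodes a REG_MULTI_SZ value from a `reg export` of the Netlogon service key to verify that DependOnService lists LanmanWorkstation and LanmanServer (step 4), and it applies the step 6 edit to a copy of Nettcpip.inf, touching only the [MS_TCPIP.PrimaryInstall] section. The .reg and .inf text are constructed samples; the key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon is the usual location of the Netlogon service key but is an assumption here, since the post does not give it, and the second INF section is made up to show that the patch leaves other sections alone.

```python
import re

# Constructed sample of what `reg export` writes for the Netlogon service key
# after step 4 added LanmanServer. REG_MULTI_SZ is exported as hex(7): the
# UTF-16LE bytes of each string, each NUL-terminated, plus a final NUL. Long
# values are wrapped with a trailing backslash. The key path is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000002
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
  00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,\
  6d,00,61,00,6e,00,53,00,65,00,72,00,76,00,65,00,72,00,00,00,00,00
"""

# Constructed excerpt of Nettcpip.inf; the [MS_TCPIP.Example] section is made
# up so the test can show the patch does not touch sections other than the one
# named in step 6.
SAMPLE_INF = """[Version]
Signature = "$Windows NT$"

[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
CopyFiles = CopyFiles.MS_TCPIP

[MS_TCPIP.Example]
; constructed section: must be left alone by the patch
Characteristics = 0xA0 ; left untouched
"""

REQUIRED_NETLOGON_DEPS = ("LanmanWorkstation", "LanmanServer")
CHARACTERISTICS_A0 = re.compile(r"^(\s*Characteristics\s*=\s*)0x[aA]0\b")


def read_multi_sz(reg_text, key_path, value_name):
    """Decode a REG_MULTI_SZ value from .reg text; None if key/value absent."""
    lines = reg_text.splitlines()
    in_key, i = False, 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("["):
            in_key = line.lower() == f"[{key_path}]".lower()
        elif in_key and line.lower().startswith(f'"{value_name}"=hex(7):'.lower()):
            payload = line[line.lower().index("hex(7):") + len("hex(7):"):]
            while payload.endswith("\\"):            # join wrapped lines
                i += 1
                payload = payload[:-1] + lines[i].strip()
            raw = bytes(int(tok, 16) for tok in payload.split(",") if tok.strip())
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        i += 1
    return None


def missing_netlogon_deps(deps):
    """Names from step 4 / the dependency note above that are not listed."""
    have = {d.lower() for d in deps}
    return [d for d in REQUIRED_NETLOGON_DEPS if d.lower() not in have]


def patch_nettcpip_inf(inf_text, section="MS_TCPIP.PrimaryInstall"):
    """Step 6: inside `section` only, rewrite Characteristics 0xA0 -> 0x80.

    0xA0 = NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20); clearing 0x20
    is what lets TCP/IP be uninstalled from the adapter properties later.
    Returns the new text and how many lines changed (expect exactly 1).
    """
    out, current, changed = [], None, 0
    for line in inf_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].lower()
        elif current == section.lower():
            line, n = CHARACTERISTICS_A0.subn(r"\g<1>0x80", line)
            changed += n
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon"
    deps = read_multi_sz(SAMPLE_REG, key, "DependOnService")
    print("Netlogon DependOnService:", deps, "missing:", missing_netlogon_deps(deps))
    patched, count = patch_nettcpip_inf(SAMPLE_INF)
    print(f"{count} line(s) changed\n{patched}")
```

On the server, `reg export HKLM\SYSTEM\CurrentControlSet\Services\Netlogon netlogon.reg` produces the input for `read_multi_sz`; for the INF, write the returned text back over Nettcpip.inf only after confirming the change count is exactly 1.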
On some of the servers I maintain, prisoner.iana.org shows up as a DNS entry in the system logs. Because of the name, it “looks” suspicious. It is nothing to worry about: there are no hackers involved, and nothing is wrong with your system.
IANA is the organization responsible for the top-level allocation of IP address blocks (it still exists, and it also manages the reverse-lookup zones under in-addr.arpa).
The three blocks of private, non-routable addresses from RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) needed placeholder reverse-lookup zones, so IANA set up three DNS servers to serve them: blackhole-1.iana.org, blackhole-2.iana.org and prisoner.iana.org.
If a system with a 192.168.x.x address tries to register its PTR record by dynamic DNS update and there is no local DNS server authoritative for its reverse zone (168.192.in-addr.arpa), the update follows the public delegation to prisoner.iana.org, which is listed as that zone’s primary master. Obviously prisoner.iana.org rejects the request, hence the many instances of this address in the DNS logs / Event Viewer. Hosting the reverse zone for your private range on your own DNS server (or turning off PTR registration on the clients) makes the entries go away.
Below are the log file formats supported in IIS 6. It is important to choose the right one for your server so that you can make use of the data it collects. I personally use W3C Extended because it provides the most information. The downside is that it produces more disk activity; with a fast file system you may not notice a performance hit. I also like ODBC logging because I can create a web-based front end to display and manipulate the data and statistics. I’ve outlined the major components of each log format and the information it collects.
Microsoft IIS Log File Format
-Fixed ASCII text-based format.
-Cannot be customized.
-Records: client IP, username, date, time, service, server name, server IP, time taken, client bytes sent, server bytes sent, service status code, Windows status code, request type, target of operation and script parameters.
NCSA Common Log File Format
-Fixed ASCII text-based format.
-Cannot be customized.
-Records: remote host address, remote log name (always blank), username, date, time, GMT offset, request line and protocol version, service status code and bytes sent.
W3C Extended Log File Format
-ASCII text-based format.
-Customizable.
-Records (the W3C field name that appears in the file’s #Fields: header is given in parentheses): Date (date), Time (time), Client IP Address (c-ip), User Name (cs-username), Service Name and Instance Number (s-sitename), Server Name (s-computername), Server IP Address (s-ip), Server Port (s-port), Method (cs-method), URI Stem (cs-uri-stem), URI Query (cs-uri-query), HTTP Status (sc-status), Win32 Status (sc-win32-status), Bytes Sent (sc-bytes), Bytes Received (cs-bytes), Time Taken (time-taken), Protocol Version (cs-version), Host (cs-host), User Agent (cs(User-Agent)), Cookie (cs(Cookie)), Referrer (cs(Referer)) and Protocol Substatus (sc-substatus). Each selected field becomes a space-separated column, and an empty value is written as “-”.
ODBC Logging Format
-Records to any ODBC-compliant database (SQL Server, Oracle, Access).
-Records: Client Host, User Name, Log Time, Service, Machine, Server IP, Processing Time, Bytes Received, Bytes Sent, Service Status, Win32 Status, Operation, Target, Parameters.
-To use this method of logging, the administrator needs to create a database table with the appropriate fields and then configure a login and password for the ODBC connection. That credential is stored in the IIS metabase and used for every request, which is a security risk in itself; use a dedicated account that can only INSERT into the log table, and never use the SQL Server “sa” account for logging (an even bigger risk). This method of logging also slows down the server, because enabling it disables the Http.sys kernel-mode cache.
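Because W3C Extended is self-describing (each log starts with a #Fields: line, and IIS writes a fresh header block whenever the service restarts, possibly with a different field list), any tool that consumes it should read the header instead of hard-coding column positions. The following Python parser is an added example, not code from the original post: it maps each row to the field names from the most recent #Fields: line, turns “-” into None, and summarizes requests and 4xx/5xx responses per client. The log text is constructed for the example; the IP addresses and user agents are made up.

```python
from collections import Counter, defaultdict

# Constructed sample of an IIS 6 W3C Extended log. The second header block
# imitates a service restart where the selected fields were changed. Spaces
# inside a value (e.g. the User-Agent) are written by IIS as "+".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-15 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-01-15 00:00:01 10.0.0.5 GET /index.php - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 15
2008-01-15 00:00:03 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.16.4 404 0 2 0
2008-01-15 00:00:04 10.0.0.5 POST /forum/login.php - 80 - 198.51.100.9 curl/7.16.4 401 2 5 31
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-15 06:12:44
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-01-15 06:12:44 203.0.113.7 GET /index.php - 200
2008-01-15 06:13:01 198.51.100.9 GET /index.php page=../../boot.ini 500
"""


def parse_w3c(text):
    """Parse W3C Extended log text into a list of dicts keyed by field name.

    Directive lines start with '#'. Only '#Fields:' matters for parsing; it is
    re-read every time it appears so a restart mid-file is handled. A row
    whose column count does not match the current header is an error rather
    than silently misaligned data.
    """
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, "
                             f"got {len(values)}")
        records.append({f: (None if v == "-" else v)
                        for f, v in zip(fields, values)})
    return records


def requests_per_client(records):
    """Request count per client IP (c-ip is in both header blocks)."""
    return Counter(r["c-ip"] for r in records)


def error_responses(records, threshold=400):
    """Rows with sc-status >= threshold grouped by client.

    Scanning and brute-force attempts show up as a run of 4xx/5xx from one
    address; sc-substatus is included when the header block carried it.
    """
    out = defaultdict(list)
    for r in records:
        status = int(r["sc-status"])
        if status >= threshold:
            out[r["c-ip"]].append((r["cs-method"], r["cs-uri-stem"], status,
                                   r.get("sc-substatus")))
    return dict(out)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("requests per client:", requests_per_client(recs))
    for ip, rows in error_responses(recs).items():
        for method, stem, status, sub in rows:
            print(f"{ip} {method} {stem} -> {status}.{sub}")
```

`cs-uri-query` is kept as written: IIS encodes spaces in every field as “+”, and a query string can contain a legitimate “+” as well, so only decode it once you know which meaning applies to your site.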
Do you have IIS logging enabled? Do you ever use it? If you don’t use it, consider turning it off, but weigh that against losing the only record of which requests hit the server around the time stamp of an incident like the index.php injection above. By looking at the log files, you can see that an awful lot of text is recorded for every visitor. Items such as bytes sent, referrers, and domain/host info slow down the server considerably, and the reverse DNS lookup performed when logging host info for a visitor will really slow the server. For small sites hosted on powerful servers, performance may not be an issue. If you have a site with many visitors and/or databases (forums), logging can cause significant hard disk activity and paging.
To disable logging, open IIS Manager, right-click on Web Sites, select Properties, and uncheck “Enable logging.”
You can do the same for FTP sites. To disable it for a specific site only, right-click on that site’s name, open Properties and uncheck “Enable logging” there.