2117966(dot)net – Mass iframe injection
Published: 2008-03-14 09:05,
Last Updated: 2008-03-14 15:33:49 UTC
by Kevin Liston (Version: 1)
Situation:
Over 10,000 legitimate websites have been compromised and now carry an injected iframe that directs visitors to a malicious website hosted on 2117966(dot)net. That site attempts to exploit the vulnerability described in MS06-014 (MDAC) and a number of other ActiveX vulnerabilities.
Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal logon credentials for websites and online games.
Recommended immediate action:
Block 2117966(dot)net at your web proxy
Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966(dot)net. Any client that requested that domain was potentially exposed; check these systems to verify that their patches are up to date. Systems that were successfully compromised will begin sending traffic to 61.188.39.175
(source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating requests to that address and reimage the infected machines.
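The follow-up triage above can be run directly over a proxy log. The script below is an added example, not part of the original diary: it assumes Squid-native access.log lines (timestamp, elapsed, client, status, bytes, method, URL, ...), splits clients into "exposed" (requested 2117966.net) and "infected" (sent requests to 61.188.39.175), and reports which hosts to reimage and which to patch-check. The log lines embedded in it are constructed for the demonstration; the request paths in them are not from the original page.

```python
"""Triage a web-proxy log for the 2117966.net mass-iframe campaign.

Added example, not part of the ISC diary. Assumes Squid native access.log
format; the SAMPLE_LOG lines are constructed (paths and client IPs invented).
"""
import re
from collections import defaultdict

MALICIOUS_DOMAIN = "2117966.net"     # iframe target named in the diary
CALLBACK_IP = "61.188.39.175"        # post-infection traffic destination per Shadowserver

# Squid native format: ts elapsed client code/status bytes method URL ident peer/host type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log (not real data): one exposed-and-infected client (10.1.2.3),
# one exposed-only client (10.1.2.4), one clean client (10.1.2.5), and one client
# that only shows the callback (10.1.2.6), e.g. infected via a path the proxy did not see.
SAMPLE_LOG = """\
1205485200.123    342 10.1.2.3 TCP_MISS/200 4123 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1205485201.456    120 10.1.2.3 TCP_MISS/200 2210 GET http://2117966.net/a.htm - DIRECT/198.51.100.7 text/html
1205485260.789     80 10.1.2.3 TCP_MISS/200 9512 GET http://61.188.39.175/x.exe - DIRECT/61.188.39.175 application/octet-stream
1205485300.000     50 10.1.2.4 TCP_MISS/200 3000 GET http://www.2117966.net/a.htm - DIRECT/198.51.100.7 text/html
1205485400.000     50 10.1.2.5 TCP_MISS/200 3000 GET http://www.example.org/ - DIRECT/192.0.2.11 text/html
1205485500.000     50 10.1.2.6 TCP_TUNNEL/200 300 CONNECT 61.188.39.175:443 - DIRECT/61.188.39.175 -
"""


def url_host(url):
    """Host part of a logged URL; CONNECT requests log bare 'host:port'."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def host_matches_domain(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(lines):
    """Return (exposed, infected): client -> list of timestamps."""
    exposed = defaultdict(list)
    infected = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or non-conforming lines
        host = url_host(m.group("url"))
        client = m.group("client")
        ts = float(m.group("ts"))
        if host_matches_domain(host, MALICIOUS_DOMAIN):
            exposed[client].append(ts)
        elif host == CALLBACK_IP:
            infected[client].append(ts)
    return dict(exposed), dict(infected)


def classify(lines):
    """Split clients into (reimage, verify_patches), each a sorted list.

    Any client that talked to the callback IP is treated as compromised
    (reimage). Clients that only fetched the iframe target need a patch check.
    """
    exposed, infected = triage(lines)
    reimage = sorted(infected)
    verify = sorted(c for c in exposed if c not in infected)
    return reimage, verify


if __name__ == "__main__":
    reimage, verify = classify(SAMPLE_LOG.splitlines())
    print("reimage (contacted %s): %s" % (CALLBACK_IP, ", ".join(reimage)))
    print("verify patches (fetched %s): %s" % (MALICIOUS_DOMAIN, ", ".join(verify)))
```

Feed it your real log with `classify(open("/var/log/squid/access.log").read().splitlines())`. The domain match covers subdomains of 2117966.net as well as the bare name, and the callback match is on the host field only, so both HTTP GETs and CONNECT tunnels to 61.188.39.175 are caught; a host that appears only in the infected list was compromised by a path the proxy did not log, and still needs reimaging.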
Protecting Browsers:
A properly patched system should not be at risk from this attack. It is recommended to use a browser that does not support ActiveX.
Protecting Webservers:
Until details become available on how the iframe was injected, we have no recommendations.
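Although the injection vector is unknown, a site owner can still find which pages already carry the iframe so they can be cleaned. The scanner below is an added example, not the diary's own code: it walks a web root, extracts iframe `src` values from plain HTML, and reports any that point at 2117966.net. The two sample documents are constructed; the hidden-iframe attributes in the "injected" one are an assumption about typical injection style, and an iframe assembled by obfuscated JavaScript would not be caught by this plain-HTML check.

```python
"""Locate pages under a web root that embed an iframe pointing at 2117966.net.

Added example, not from the ISC diary. Detection is by static HTML inspection
only; the sample documents below are constructed.
"""
import html
import os
import re

MALICIOUS_DOMAIN = "2117966.net"

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Constructed samples (assumed injection style: zero-size, hidden iframe).
CLEAN_PAGE = '<html><body><p>Hello</p><iframe src="http://www.example.com/widget"></iframe></body></html>'
INJECTED_PAGE = (
    '<html><body><p>Hello</p></body></html>\n'
    '<iframe src="http://2117966.net/a.htm" width=0 height=0 style="display:none"></iframe>'
)


def iframe_sources(doc):
    """All iframe src values in a document, HTML-unescaped and stripped."""
    sources = []
    for tag in IFRAME_TAG_RE.finditer(doc):
        m = SRC_ATTR_RE.search(tag.group(0))
        if m:
            src = next(g for g in m.groups() if g is not None)
            sources.append(html.unescape(src).strip())
    return sources


def src_host(src):
    """Host of an absolute or scheme-relative URL; '' for relative paths."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/:?#]+)", src, re.I)
    return m.group(1).lower() if m else ""


def is_malicious(src):
    h = src_host(src)
    return h == MALICIOUS_DOMAIN or h.endswith("." + MALICIOUS_DOMAIN)


def scan_document(doc):
    """Return the iframe src values in doc that point at the malicious domain."""
    return [s for s in iframe_sources(doc) if is_malicious(s)]


def scan_tree(root, exts=(".html", ".htm", ".php", ".asp", ".aspx", ".js", ".tpl")):
    """Map file path -> malicious iframe sources for every hit under root."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    found = scan_document(f.read())
            except OSError:
                continue  # unreadable file; keep scanning
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, srcs in sorted(scan_tree(sys.argv[1]).items()):
            print("%s: %s" % (path, ", ".join(srcs)))
    else:
        print("clean sample:", scan_document(CLEAN_PAGE))
        print("injected sample:", scan_document(INJECTED_PAGE))
```

Run it as `python scan.py /var/www` to list affected files. Matching is on the iframe's host only, so scheme-relative (`//2117966.net/...`) and subdomain variants are reported; because it reads files from disk rather than the served page, it also catches iframes that a server-side template injects, as long as the template itself contains the literal tag.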
Missing information:
We currently do not have details on how the iframes were placed on the websites. If you are responsible for cleaning-up or investigating one of the defacements, please contact us if you have information on how the compromise occurred.