RellerB
Guest
I currently have a production server set up with a large quantity of domains being hosted. During the past week, the server has been attacked by a virus and a team of administrators has had zero luck tracking it down.
Here are the symptoms:
1) Attacks all domains randomly
2) Occurs on random page loads
3) The virus comes and goes, but has always returned
4) When a page is requested, regardless of domain and page, the requested page is not sent but an html page with infected javascript (the page is designed to redirect the user to some third party site to purchase virus protection). Below is the html page that is sent.
We have scanned and rescanned the server and nothing has come up. At this point my best guess is that someone is able to execute remote code which intercepts the page requests.
How can I track down what the entry point is? Can anyone offer any advanced suggestions where to start?
Thanks!!
Best wishes,
Reller
INFECTED HTML PAGE:
<html><head><script type="text/javascript" language="javascript">
var nxdxwfc=new Date( );
nxdxwfc.setTime(nxdxwfc.getTime( )+014*074*074*01750);
document.cookie="\x6e\x5f\x73e\x73\x73\x5f\x69\x64\x3d5d\x392\x32\x6181\x64\x62\x36\x38\x66\x665\x31\x64\x65b\x31\x6225\x6554d\x620\x325\x65"+"\x3b\x20pat\x68\075\x2f; \x65xpir\x65s="+nxdxwfc.toGMTString( );
</script>
</head><body></body></html>
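Added example (not code from the original post): a small decoder that resolves the `\xHH` and legacy-octal escapes and the octal time expression in the injected script above statically, so what it writes to `document.cookie` can be read without loading the page in a browser. The constant and function names are my own; the string literals are copied from the post.

```javascript
// Added example (not from the original post): statically decode the injected
// script instead of running it. Constant and function names are my own.

// The two string literals from the injected page, copied verbatim with the
// backslashes doubled so this file holds the obfuscated source, not its value.
const COOKIE_LITERAL =
  '\\x6e\\x5f\\x73e\\x73\\x73\\x5f\\x69\\x64\\x3d5d\\x392\\x32\\x6181\\x64\\x62' +
  '\\x36\\x38\\x66\\x665\\x31\\x64\\x65b\\x31\\x6225\\x6554d\\x620\\x325\\x65';
const ATTR_LITERAL = '\\x3b\\x20pat\\x68\\075\\x2f; \\x65xpir\\x65s=';
const EXPIRY_EXPR = '014*074*074*01750';   // the setTime() offset, in milliseconds

// Resolve \xHH (hex) and \OOO (legacy octal) escapes without eval().
function decodeEscapes(raw) {
  return raw.replace(/\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})/g, (m, hex, oct) =>
    String.fromCharCode(hex !== undefined ? parseInt(hex, 16) : parseInt(oct, 8)));
}

// Legacy octal literal: a leading 0 followed only by digits 0-7.
function numberLiteral(tok) {
  return /^0[0-7]+$/.test(tok) ? parseInt(tok, 8) : Number(tok);
}

// Evaluate a product of numeric literals such as "014*074*074*01750".
function evalProduct(expr) {
  return expr.split('*').map(t => numberLiteral(t.trim())).reduce((a, b) => a * b, 1);
}

// Pull apart what the script assigns to document.cookie.
function analyzeInjectedScript() {
  const cookie = decodeEscapes(COOKIE_LITERAL);
  const eq = cookie.indexOf('=');
  const lifetimeMs = evalProduct(EXPIRY_EXPR);
  return {
    cookieName: cookie.slice(0, eq),
    cookieValue: cookie.slice(eq + 1),
    attributes: decodeEscapes(ATTR_LITERAL),
    lifetimeHours: lifetimeMs / (60 * 60 * 1000),
  };
}

console.log(analyzeInjectedScript());
```

Decoded, the fragment only sets a 12-hour `n_sess_id` marker cookie (`path=/`) and serves an empty body; the redirect described in the post is not in this sample.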