Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: 2117966.net-- mass iframe injection - SANS Internet Storm Center

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Log In or Sign Up for Free!

2117966.net-- mass iframe injection
Situation: Over 10,000 legitimate websites have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerability described in MS06-014 and a number of ActiveX vulnerabilities. Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games. Recommended immediate action: Block 2117966.net at your web proxy Recommended follow-up action: Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175 (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines. Protecting Browsers: A properly-patched system should not be at-risk from this attack. It is recommened to use a browser that does not support ActiveX. Protecting Webservers: Until details become available on how the iframe was injected, we have no recommendations. Missing information: We currently do not have details on how the iframes were placed on the websites. If you are responsible for cleaning-up or investigating one of the defacements, please contact us if you have information on how the compromise occurred.	Kevin Liston 292 Posts ISC Handler Mar 14th 2008
Thread locked Subscribe	Mar 14th 2008 1 decade ago
I see that various security researchers are debating the possibility of attackers using the caching feature of websites search software to add IFrame code to the saved search results on the sites. Anyone come across this ? On the assumption that this is a possible attack vector, wouldn't an immediate response advice be to disable site search caching on your website search software pending further investigation ?	Karl 14 Posts
Quote	Mar 14th 2008 1 decade ago
You might want to mention, parenthetically, that MS06-014 should _not_ be confused with MS08-014, which was just announced earlier this week. Some folks might mis-read the first paragraph and get spun up over nothing.	Anonymous
Quote	Mar 14th 2008 1 decade ago

Sign Up for Free or Log In to start participating in the conversation!