Mysterious infection of ten thousand web sites explained
In January this year, several thousand legitimate web sites were manipulated in order to make them try to infect visitors to their pages with trojans and other malicious code. Security experts at the Internet Storm Center (ISC) have now worked out how the mass infection was carried out.
iframe that pushes the attacking code on visitors to the web pages affected.
iframe in the tool contains the link that turned up on a great many manipulated web sites in January. The attacks appear to be tailored to Microsoft SQL Server and Internet Information Server. According to the analyses by the ISC, the tool also contacts another server in China before attacking, apparently to trigger a payment procedure.
The ISC warns that the analysis of the tool is continuing and far from complete. Operators of web pages are advised to check the security of their web applications, because the attacks on web servers are still going on. Initial practical help and suggestions for operators on checking the security of their web presence are available in two articles at heise Security: Data salad (searching for vulnerabilities with fuzzing) and Server peace (basic security for PHP software).
- The 10,000 web sites infection mystery solved, ISC blog entry