I've run every A/V I can think of, and nothing is finding the issue.
This is affecting an entire cluster of 9 Win 2003 servers (SP2, fully updated) - and it's been very painstaking to run numerous A/V scans on all of them.
So what happens, even though I've validated that the source code is clean, is that immediately after the BODY tag.
The malware script code is injected even if I'm "local" and request any page from localhost, so I know it's not something in between the servers and the net.
I'll happily pay anyone who can help solve this. It's a huge issue for our company, and I am at my wit's end.
Are the sites all in their own application pool in IIS? If not, create separate application pools for each site and move the sites into them. At least that may or may not solve some issues; then you can track further into server or infected sites.
FTP attack unlikely, as the OP has stated the code is not within the pages, ie it's being injected into the output to browser.
I've seen this with PHP based sites mostly on Linux, and I've been seeing it more and more in ASP.NET/IIS sites in the past few days.
With PHP sites, the hackers originally used stolen FTP credentials to place a remote control file on the website. Then, they just send the malscript they want injected into various pages to the remote control file and it takes care of the injection. They can also remove it the same way, they send a command string to the remote control file and it removes the infected malscript.
I think they (the hackers) have developed a way to do this with ASP.NET/IIS based sites now.
Does the code you're seeing start something like this:
If not, can you please provide some sort of sample or a download of the malscript?
In the other ASP based websites I've seen this similar issue in, I haven't been able to find the infection. However, they all have this code in a file that I haven't been able to decode:
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTEwMTMwMTg4Ng9kFgICAQ9kFjgCAQ8...(lots of other code then ends with) =" />
The fact that it's hidden is a concern. And the fact that it ends with an "=" tells me that it's something obfuscated. And the fact that it's the same code on all the other sites, that are infectious, tells me this needs to be decoded.
This turned out all to be due to another machine on the network that was compromised - and was spoofing the gateway IP address of the network, and intercepting responses from the web servers back to the firewall, injecting a script before passing on the data.
The way we discovered it was by viewing the ARP details from a network packet sniffer. The ARP for the gateway was changing every few seconds, between the actual gateway (firewall) and the compromised machine.
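The detection described in this resolution, watching ARP replies for the gateway IP and noticing the claimed MAC address changing back and forth, can be automated. The following is an added example, not code from the original thread: it parses lines modeled on tcpdump's ARP reply output, reports every time the MAC claimed for a watched IP changes, and lists every IP that more than one MAC has claimed. The sample lines, IPs and MACs are constructed for the example and are not from the poster's network; the gateway IP 192.168.1.1 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample capture lines in a tcpdump-like "ARP, Reply ... is-at ..."
# format. None of these addresses come from the original thread.
SAMPLE_ARP_LINES = [
    "12:00:00.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:02.300 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:05.900 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "12:00:08.000 ARP, Reply 192.168.1.50 is-at 00:aa:bb:cc:dd:ee, length 28",
    "12:00:11.400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:14.700 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
]

# Timestamp, the IP being answered for, and the MAC that claims it.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_arp_replies(lines):
    """Return a list of (timestamp, ip, mac) tuples for every ARP reply line.

    Lines that are not ARP replies (requests, other traffic) are skipped.
    """
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def find_mac_flaps(replies, watched_ip):
    """Return (timestamp, old_mac, new_mac) for each time the MAC claimed
    for watched_ip differs from the previous claim.

    A legitimate gateway answers with one MAC; an attacker poisoning the
    cache races it, so the claimed MAC alternates every few seconds,
    exactly the symptom described in the thread.
    """
    flaps = []
    last_mac = None
    for ts, ip, mac in replies:
        if ip != watched_ip:
            continue
        if last_mac is not None and mac != last_mac:
            flaps.append((ts, last_mac, mac))
        last_mac = mac
    return flaps


def macs_claiming(replies):
    """Map each IP to the sorted list of MACs seen claiming it.

    Any IP with more than one MAC deserves a look, gateway or not.
    """
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items()}


def analyze(lines, gateway_ip):
    """Run both checks over raw capture lines and return the findings."""
    replies = parse_arp_replies(lines)
    return {
        "flaps": find_mac_flaps(replies, gateway_ip),
        "claims": macs_claiming(replies),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_ARP_LINES, "192.168.1.1")
    for ts, old, new in result["flaps"]:
        print(f"{ts}: gateway MAC changed {old} -> {new}")
    for ip, macs in result["claims"].items():
        if len(macs) > 1:
            print(f"{ip} claimed by multiple MACs: {', '.join(macs)}")
```

Over the constructed sample the gateway MAC flips three times between the two addresses, and 192.168.1.1 is the only IP with more than one claimant, which is the pattern the poster saw in the sniffer. In practice the input would be a live or saved capture filtered to ARP traffic; the same check also points at the mitigation, since a static ARP entry for the gateway on each server, or dynamic ARP inspection on the switch, stops a rogue reply from being accepted in the first place.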