  1. #1

    Malicious script injected - via IIS or HTTP

    I've got a case where a malicious javascript tag, linking to a remote URL, is being injected by IIS ASP and ASP.NET pages. The code is absolutely not contained in the source - but it's getting injected somewhere, either by IIS or in the TCP layer.

    The link for the javascript source is going to (various files under that URL)

    I've run every A/V I can think of, and nothing is finding the issue.

    This is affecting an entire cluster of 9 Win 2003 servers (SP2, fully updated) - and it's been very painstaking to run numerous A/V scans on all of them.

    So what happens, even though I've validated that the source code is clean, is that immediately after the BODY tag, IIS or something in the TCP layer is injecting a javascript src="...." reference to this malicious script.

    The malware script code is injected even if I'm "local" and request any page from localhost, so I know it's not something in between the servers and the net.

    I'll happily pay anyone who can help solve this. It's a huge issue for our company, and I am at my wit's end.

    Contact me at, or post ideas here...

    Thanks all.
    Ripside Web Hosting - cPanel or ASP/.NET

  2. #2
    Check via FTP; it is the most common method!

  3. #3
    Generally such code is injected via FTP. Switching to secure FTP (sFTP) may help to prevent this.


  4. #4
    Are the sites all in their own application pool in IIS? If not, create separate application pools for each site and move the sites into them. At least that may or may not solve some issues... then you can track further into the server or infected sites.

    FTP attack unlikely, as the OP has stated the code is not within the pages, i.e. it's being injected into the output to the browser.

  5. #5
    I've seen this with PHP based sites mostly on Linux, and I've been seeing it more and more in ASP.NET/IIS sites in the past few days.

    With PHP sites, the hackers originally used stolen FTP credentials to place a remote control file on the website. Then, they just send the malscript they want injected into various pages to the remote control file and it takes care of the injection. They can also remove it the same way, they send a command string to the remote control file and it removes the infected malscript.

    I think they (the hackers) have developed a way to do this with ASP.NET/IIS based sites now.

    Does the code you're seeing start something like this:

    eval(unescape("function w%28s

    If not, can you please provide some sort of sample or a download of the malscript?
    Last edited by WeWatch; 11-13-2009 at 08:16 AM.

  6. #6
    In the other ASP based websites I've seen this similar issue in, I haven't been able to find the infection. However, they all have this code in a file that I haven't been able to decode:

    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTEwMTMwMTg4Ng9kFgICAQ9kFjgCAQ8...(lots of other code then ends with) =" />

    The fact that it's hidden is a concern. And the fact that it ends with an "=" tells me that it's something obfuscated. And the fact that it's the same code on all the other sites, that are infectious, tells me this needs to be decoded.

    Any ASP.NET superstars out there?
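
An added note and example for the __VIEWSTATE question above, not from the thread: the field is ASP.NET's own serialized page state, emitted as a hidden input on ASP.NET Web Forms pages, and the trailing "=" is ordinary base64 padding. The prefix quoted in the post decodes to the ObjectStateFormatter marker bytes FF 01 followed by a Pair whose first element is the string "1101301886" (a hash code ASP.NET uses to reject view state posted back from a different page), and the minimal Python reader below, using that format's token ids, decodes a constructed sample of the same shape. It assumes view state is not encrypted and implements only the tokens the sample needs.

```python
import base64
# Token ids from ASP.NET's ObjectStateFormatter, the serializer behind __VIEWSTATE.
T_INT32, T_STRING, T_PAIR, T_ARRAYLIST = 0x02, 0x05, 0x0F, 0x16
LITERALS = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # null, "", 0, true, false
# Prefix quoted in the post: FF 01 (format marker, version) then 0F (Pair), hence "/wEP".
PAGE_PREFIX = "/wEPDwUKMTEwMTMwMTg4Ng9kFgICAQ9kFjgCAQ8"
# Constructed, unsigned sample with the same leading shape as the page's prefix:
# Pair(Pair("1101301886", null), ArrayList[Int32 1, Pair(null, ArrayList["x", true])])
SAMPLE = base64.b64encode(b"\xff\x01\x0f\x0f\x05\x0a1101301886\x64\x16\x02\x02\x01"
                          b"\x0f\x64\x16\x02\x05\x01x\x67").decode()

class Reader:
    def __init__(self, data: bytes):
        self.buf, self.pos = data, 0
    def byte(self) -> int:                    # IndexError here means the excerpt is truncated
        self.pos += 1
        return self.buf[self.pos - 1]
    def varint(self) -> int:
        # .NET Read7BitEncodedInt: low 7 bits first, a set high bit means another byte follows.
        value = shift = 0
        while True:
            b = self.byte()
            value |= (b & 0x7F) << shift
            if not b & 0x80:
                return value
            shift += 7
    def read(self):
        t = self.byte()
        if t == T_PAIR:
            return ("pair", self.read(), self.read())
        if t == T_ARRAYLIST:
            return [self.read() for _ in range(self.varint())]
        if t == T_STRING:                     # 7-bit length prefix, then UTF-8 bytes
            n = self.varint()
            self.pos += n
            return self.buf[self.pos - n:self.pos].decode("utf-8")
        if t == T_INT32:
            return self.varint()
        if t in LITERALS:
            return LITERALS[t]
        raise ValueError(f"token 0x{t:02x} (Triplet, IndexedString, ...) not handled here")

def looks_like_viewstate(b64: str) -> bool:
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))[:3] == b"\xff\x01\x0f"

def decode_viewstate(b64: str):
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore stripped '=' padding
    if raw[:2] != b"\xff\x01":                # encrypted view state will not start this way
        raise ValueError("not ObjectStateFormatter output")
    return Reader(raw[2:]).read()             # a trailing MAC, if any, is simply never read
```

Because the field is generated by the framework, its presence on every infected site is not evidence of anything; the injected script tag the OP describes is not inside it.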

  7. #7
    This all turned out to be due to another machine on the network that was compromised - and was spoofing the gateway IP address of the network, intercepting responses from the web servers back to the firewall, and injecting a script before passing on the data.

    The way we discovered it was by viewing the ARP details from a network packet sniffer. The ARP for the gateway was changing every few seconds, between the actual gateway (firewall) and the compromised machine.

    Thanks to all those who offered help or advice.
    Ripside Web Hosting - cPanel or ASP/.NET
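
The gateway MAC flapping described in the last post is straightforward to detect automatically. The following is an added example, not from the thread, that parses a constructed capture excerpt in the format `tcpdump -n arp` prints and flags any IP whose MAC changes within a short window; addresses and MACs are made up.

```python
import re
from collections import defaultdict

# Constructed excerpt in tcpdump's ARP output format, as the poster's sniffer would show it.
# 192.0.2.1 is the gateway/firewall; the second MAC answering for it is the rogue host.
CAPTURE = """\
10:00:00.104211 ARP, Reply 192.0.2.1 is-at 00:1a:2b:3c:4d:5e, length 28
10:00:00.551902 ARP, Reply 192.0.2.50 is-at 00:50:56:aa:bb:cc, length 28
10:00:03.221874 ARP, Reply 192.0.2.1 is-at 00:0c:29:11:22:33, length 28
10:00:06.340119 ARP, Reply 192.0.2.1 is-at 00:1a:2b:3c:4d:5e, length 28
10:00:09.002443 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
10:00:09.078120 ARP, Reply 192.0.2.1 is-at 00:0c:29:11:22:33, length 28
10:00:12.500001 ARP, Reply 192.0.2.50 is-at 00:50:56:aa:bb:cc, length 28
"""
REPLY = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) ARP, Reply (\S+) is-at ([0-9a-f:]{17})")

def parse_replies(text):
    """Yield (seconds_since_midnight, ip, mac) for every 'is-at' reply; requests are skipped."""
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            h, mi, s, ip, mac = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), ip, mac.lower()

def detect_arp_flaps(replies, window_s=60.0):
    """Map ip -> [(t, previous_mac, new_mac)] for IPs whose MAC changed within window_s."""
    last, flaps = {}, defaultdict(list)
    for t, ip, mac in replies:
        prev = last.get(ip)
        if prev and prev[1] != mac and t - prev[0] <= window_s:
            flaps[ip].append((t, prev[1], mac))
        last[ip] = (t, mac)
    return dict(flaps)

def rogue_macs(flaps, known):
    """Given the documented MAC per IP, return the MACs answering for an IP they do not own."""
    return sorted({(ip, mac) for ip, events in flaps.items() if ip in known
                   for _, old, new in events for mac in (old, new) if mac != known[ip]})

def analyse(text, known):
    flaps = detect_arp_flaps(parse_replies(text))
    return flaps, rogue_macs(flaps, known)

if __name__ == "__main__":
    flaps, rogue = analyse(CAPTURE, {"192.0.2.1": "00:1a:2b:3c:4d:5e"})
    for ip, events in flaps.items():
        print(f"{ip}: MAC changed {len(events)} times in the capture")
    print("answering for an address they do not own:", rogue)
```

Beyond cleaning the compromised host, static ARP entries for the gateway on the servers or Dynamic ARP Inspection on the switch stop the same spoofing from recurring.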
