ColdFusion Muse

VB Script For Iframe Injection Attack

Posted At : April 23, 2009 1:14 PM | Posted By : Mark Kruger
Related Categories: ColdFusion, Security

Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).

Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.

Comments (3) |

Print |

del.icio.us |

Digg It!
| Follow @cfwebtools

Related Blog Entries

Cfinclude for Good or Evil (May 14, 2009)
Iframe Injection Follow Up (April 21, 2009)
Iframe Insertion on Index.* Home pages (April 16, 2009)

Comments

[Add Comment] [Subscribe to Comments]

I think there may be something missing from your last sentence... bite the bullet and go ahead and do what? Are you saying do a "thorough cleaning"? If the server cannot be trusted even after a thorough cleaning, is the advice a new server?

I'm glad to say I haven't been bitten by this particular issue, since I'm not using VBS and on Linux, but I'm always curious about serious infections. Steve Gibson has said in the past that once a machine is infected with "sophisticated" code, since even a new harddrive does not save you if the bios is infected, that anything short of a new machine can never be 100% trusted.

What does everyone think of that?

# Posted By Brian W | 5/27/09 1:29 PM

@Brian,

You are correct... that's not very clear. I mean bite the bullet and completley start over - whether that means a new server or whatever. Bios infections are very rare - but what distingishes this infect from others is that it is not really pattern based and does not appear to be automated. Instead, it appears that the individual in question is "matching wits" with an actual hacker who has control of the machine. In that case (and given what the hacker has been able to accomplish is substantial) the user may well need to start with fresh hardware - or at least low level format the drives and flash the bios (which would turn the trick in 99.999 percent of cases).

# Posted By Mark Kruger | 5/27/09 1:50 PM

OMG how the server infected usually? I've just removed iframe infection from the customer's web site and really care of any suspicious code exists in the system. Can you please give me copy of the script? Thank you!

# Posted By Tim | 7/7/09 8:05 AM

[Add Comment]

NAVIGATION

Home
Ask the Muse a Question
Presentations
Web Sockets Resources

Calendar

Sun	Mon	Tue	Wed	Thu	Fri	Sat
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

Enter your email address to subscribe to this blog.

Recent Comments

Jobs Galore Come One and All
damon baker said: I have seen your blog and saw all the essential things that you have mentioned on the blog. I would ... [More]

Jobs Galore Come One and All
Charlie Arehart said: Thanks for the kind regards, Mark. And as you know, I do love what I do and what YOU guys do. :-) ... [More]

Thinking Inside the Box
This Page Can't Load Google Maps Correctly. said: It is a fantastic post – immense clear and easy to understand. I am also holding out for the sharks ... [More]

Remembering Wil Genovese
Mike Collins said: I met Wil a few times long time ago at CF conferences. We were lucky to have him in the CF community... [More]

Remembering Wil Genovese
Mike Brunt said: I am tremendously sorry the read of this; I respected Wil greatly for his knowledge, skills and dete... [More]

Archives By Subject