[LINK] Mass Infection of IIS/ASP Sites plants malware on thousands of webpages

Kim Holburn kim at holburn.net
Thu Jun 10 12:58:47 AEST 2010 

Most websites run linux or BSD or some variant of *nix.  Perhaps when  
Microsoft has a larger share of the website market its webserver  
software will somehow be more secure.

http://isc.sans.edu/diary.html?storyid=8935

> Mass Infection of IIS/ASP Sites
> Published: 2010-06-09,
> Last Updated: 2010-06-09 19:01:51 UTC
> by Deborah Hale (Version: 1)
> Sucuri.net has released a report about a large number of sites that  
> have been hacked and contain a malware script.  A quick Google today  
> indicates that
> there are currently 111,000 sites still infected.  It appears that  
> this  is only impacting websites hosted on Windows servers.  The  
> situation is being investigated.
>
> For those who are hosting there websites on Windows IIS/ASP you may  
> find more information here.
>
>  http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
>
> http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html
>

>  Update: Paul  at Sophos logs has released some additional  
> information regarding this exploit and Infection. Thanks Paul.
>
>  http://www.sophos.com/blogs/sophoslabs/?p=9941
>


http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/

> Mass hack plants malware on thousands of webpages
>
> By Dan Goodin in San Francisco
>
> Posted in Enterprise Security, 9th June 2010 19:04 GMT
>
>
>
> More than 100,000 webpages, some belonging to newspapers, police  
> departments, and other large organizations, have been hit by an  
> attack over the past few days that redirected visitors to a website  
> that attempted to install malware on their machines.
>
> The mass compromise appears to have affected sites running a banner- 
> ads module on top of Microsoft's Internet Information Services using  
> ASP.net, said David Dede, head of malware research at Sucuri, a  
> website monitoring firm. Intljobs.org, The Wall Street Journal's  
> wsj.com, and tomtom.com.tw have all been hacked, in addition to The  
> Jerusalem Post and the police department website for the UK county  
> of Strathclyde, as El Reg has reported previously here and here.
>
> Google searches on Tuesday indicated more than 100,000 pages were  
> infected, Dede said, but that number had shrunk to about 7,750 at  
> time of writing.
>
....

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

More information about the Link mailing list