Appears to have originated from SQL injections. http://infosec20.blogspot.com/2008/07/asprox-payload-morphed.html Kind regards, Truman On 13/07/2008, at 10:59 PM, Glen Eustace wrote:
Hi,
We have had only a single site compromised so far but googling around indicates that this particular hack is all over the place.
On the site in question all files .htm, .html and .shtml have had code added before the </body> tag, the code is a <jscript></jscript> that loads fgg.js from http://www.usaadw.com, the script that is loaded then tries to open an iframe but the content gives a 500 server error.
I can not identify the vector used to edit all the files. This is on a linux server running apache 2 but google finds plenty of .asp pages that have been attached as well. The script is also called ngg.js but has almost identical content.
Has anyone else been hit and if so, has the vector been identified ?
Any assistance appreciated.
-- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=- Glen and Rosanne Eustace GodZone Internet Services, a division of AGRE Enterprises Ltd. P.O. Box 8020, Palmerston North, New Zealand 4446. Ph: +64 6 357 8168, Fax +64 6 357 8165, Mob: +64 21 424 015 http://www.godzone.net.nz
"A Ministry specialising in providing low-cost Internet Services to NZ Christian Churches, Ministries and Organisations."
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog