Half-Million IIS Servers Hit in Cyber Attack

A massive cyberattack is targeting vulnerable Internet Information
Server-based Web pages by redirecting visitors to the site toward one hosting
malicious code, and it’s growing rapidly.

When Panda Security first noted the infestation, it put the number of
infected IIS servers at 282,000. Not even a day later and security firm F-Secure
wrote its own blog entry,
putting the infestation at over 500,000.

The worst part of it all is that these infestations are not in seamy Web
sites, they are taking place in legitimate Web pages. An IFRAME (define)
redirects the user to another page, where identity-stealing malware is
downloaded onto their computer. So even users who think they are staying clean
are not safe.

“In the old days, you used to think if you went to the dark side of the
Internet you had a chance of being infected. Now you don’t need to go to the bad
neighborhoods to get attacked. You can be walking down the good side of the
Internet and be infected,” said Ryan Sherstobitoff, chief corporate evangelist
at Panda Security.

The vulnerability in IIS, developed by Microsoft (NASDAQ: MSFT), allows
hackers to inject SQL code to manipulate legitimate Web pages. This code adds an
IFRAME to redirect the user to a malicious Website that scans their computer for
vulnerabilities and then downloads and installs malware that can get passed the
user’s defenses.

The problem only affects IIS, not Apache or other Web servers. Microsoft
reportedly knows of the issue, said Sherstobitoff. The company has not responded
to a query InternetNews.com on when a fix can be expected as of press
time.

Sherstobitoff said the U.S. is being hardest hit, with government and public
utility sites particularly popular. “They love anything that brings in victims,”
he said.

Panda and F-Secure both identified a malicious piece of code being hidden in
Web pages that does the redirect. Site admins should look for this hidden in
their Web pages:

<script src=”http://www.nihaorr1.com/1.js”>

If that appears anywhere in the page, then you have a problem, as some people have
noticed
. Securing the server, updating all of the patches and proper
configuration should help protect it until Microsoft comes out with a fix of its
own, said Sherstobitoff.

Article courtesy of InternetNews.com

Latest Articles

Follow Us On Social Media

Explore More