According to blog.sucuri.net, thousands of sites hosted on IIS/ASP have been infected with an iframe that embeds a JavaScript file. You can check this for yourself by searching Google for “robint.us/u.js”. Windows has already published these vulnerabilities, and updates are available as well.
According to a “whois robint.us”, it was a Chinese guy once again. Who else…:
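As an added illustration (not code from the original post or from Sucuri), here is a small Python checker for the indicator the post names: it reports and strips script/iframe tags that load robint.us/u.js from page files. The exact tag shape, the file suffixes and the sample page are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Indicator from the post: the injected tag loads robint.us/u.js.
# Matching both <script> and <iframe> tags with that src is an assumption.
INJECT_RE = re.compile(
    r'<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["\']?[^"\'>\s]*robint\.us/u\.js[^>]*>'
    r'(?:\s*</(?:script|iframe)\s*>)?',
    re.IGNORECASE,
)


def find_injections(html: str) -> list[tuple[int, str]]:
    """Return (line number, matched tag) for every injected tag in a page."""
    hits = []
    for m in INJECT_RE.finditer(html):
        line_no = html.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)))
    return hits


def strip_injections(html: str) -> str:
    """Remove the injected tags and return the cleaned markup."""
    return INJECT_RE.sub("", html)


def scan_tree(root: Path, suffixes=(".asp", ".aspx", ".htm", ".html")) -> dict[str, list]:
    """Walk a web root and report every file that carries the injection."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page (not taken from a real infected site).
SAMPLE = (
    "<html><head><title>Shop</title></head>\n"
    "<body><p>Welcome</p>\n"
    "<script src=http://robint.us/u.js></script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for line_no, tag in find_injections(SAMPLE):
        print(f"line {line_no}: {tag}")
```

Run `scan_tree(Path("C:/inetpub/wwwroot"))` (path is a placeholder) to list affected files before cleaning them with `strip_injections`.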
Domain Name: ROBINT.US
Domain ID: D26804515-US
Sponsoring Registrar: ACRC DOMAINS
Sponsoring Registrar IANA ID: 999999
Registrar URL (registration services): www.acrdomainss.com
Domain Status: clientDeleteProhibited
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: CR43833760
Registrant Name: li tao
Registrant Address1: he nan zhou zhou
Registrant City: zhou zhou
Registrant State/Province: he nan
Registrant Postal Code: 450001
Registrant Country: China
Registrant Country Code: CN
Registrant Phone Number: +371.61616556
Registrant Email: netadmin888888@gmail.com
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: CR43833765
Administrative Contact Name: li tao
Administrative Contact Address1: he nan zhou zhou
Administrative Contact City: zhou zhou
Administrative Contact State/Province: he nan
Administrative Contact Postal Code: 450001
Administrative Contact Country: China
Administrative Contact Country Code: CN
Administrative Contact Phone Number: +371.61616556
Administrative Contact Email: netadmin888888@gmail.com
Administrative Application Purpose: P3
Administrative Nexus Category: C11
Billing Contact ID: CR43833768
Billing Contact Name: li tao
Billing Contact Address1: he nan zhou zhou
Billing Contact City: zhou zhou
Billing Contact State/Province: he nan
Billing Contact Postal Code: 450001
Billing Contact Country: China
Billing Contact Country Code: CN
Billing Contact Phone Number: +371.61616556
Billing Contact Email: netadmin888888@gmail.com
Billing Application Purpose: P3
Billing Nexus Category: C11
Technical Contact ID: CR43833762
Technical Contact Name: li tao
Technical Contact Address1: he nan zhou zhou
Technical Contact City: zhou zhou
Technical Contact State/Province: he nan
Technical Contact Postal Code: 450001
Technical Contact Country: China
Technical Contact Country Code: CN
Technical Contact Phone Number: +371.61616556
Technical Contact Email: netadmin888888@gmail.com
Technical Application Purpose: P3
Technical Nexus Category: C11
Name Server: SINKHOLE-00.SHADOWSERVER.ORG
Name Server: SINKHOLE-01.SHADOWSERVER.ORG
Name Server: SINKHOLE-02.SHADOWSERVER.ORG
Name Server: SINKHOLE-04.SHADOWSERVER.ORG
Name Server: SINKHOLE-03.SHADOWSERVER.ORG
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: AHANACEK
Last Transferred Date: Tue Jun 08 05:08:38 GMT 2010
Domain Registration Date: Sun Mar 14 05:28:08 GMT 2010
Domain Expiration Date: Sun Mar 13 23:59:59 GMT 2011
Domain Last Updated Date: Tue Jun 08 05:10:09 GMT 2010
So, dear Windows admins: get updating and patching. Have Phun.
Update: The site now offers a fix for WordPress users. Apparently many sites were infected at GoDaddy and other providers that sell IIS hosting to customers: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
Tags: ASP, IIS, Injections, Robint.us, XSS