Sponsored by..

Tuesday 6 October 2009

htmlads.ru injection attack

Another injection attack following on from this one, htmlads.js looks like it is being injected into IIS 6.0 servers. In this case, the string to look for in your logs in htmlads.js/ads. js which is worth checking for and blocking if you can.

For the records, the domain registration details are:

domain: HTMLADS.RU
nserver: ns1.htmlads.ru.
nserver: ns2.htmlads.ru.
nserver: ns3.htmlads.ru.
nserver: ns4.htmlads.ru.
person: Private person
phone: +7 496 4047474
e-mail: tau@8081.ru
registrar: REGRU-REG-RIPN
created: 2009.10.05
paid-till: 2010.10.05
source: TC-RIPN


proper modulation said...

These guys got me about 2 weeks ago but the site was bannert.ru and not htmlads.ru. I changed the URL of my content manager and changed the login/password for my database and all was well for 2 weeks but today they found a way in today and spammed htmlads.ru all over my site. Just cleaned it up but I think they'll come back again. Do you know how they are getting to the site? I changed the password and URL of my content manager so I'm not sure how they are still getting in.

Conrad Longmore said...

Sadly, no.. but one thing to check is the machines that you access the website from to make sure that they're not compromised.

That having been said, it does look like it might be IIS only. Make sure that you server and all the software is fully patched, also check out these advisories on IIS, which might help.