More Webserver / IE Exploits Jul 19 2004 09:10PM
Hubbard, Dan (dhubbard websense com)
We have discovered more than 300 websites that include malicious code
that will attempt to run a program on your machine without end-user
intervention. Similar to the recent Scob attack, a dual-pronged approach
of exploiting vulnerable servers and clients is being used.

There is no commonality on the web server side with the exception of 164
sites that are all hosted by the same hosting facility in Florida.

Details on the hosting facility in Florida:

The site that includes the exploit code is:

And the counter is located at:

We were not able to download and research the code as it was unavailable
at the time of this report.

Detailed infected URLs:

The IP address is owned by an ISP in Florida who has been notified.

All of the sites are also hosted by the same ISP in Florida but
appear to be on a different machine with the IP address. All sites are


The exploits are utilizing IE vulnerabilities like the following: (a
variety of uses with .CHM).


Server-side Vulnerability exploited:

It is not clear how the server(s) were compromised, but the hosting
facility has been contacted and we are waiting to hear from them to get

The webserver that was infected most was running Apache/1.3.26 (Unix)
mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp.

The other 140 servers that are using the CHM exploit are a variety of
Web Servers including Apache and IIS. Also, many are running PHP.
Although evidence shows that most have been exploited, some also appear
to be knowingly using this vulnerability to install spyware and other
tools on your machine without your knowledge (10 sites using

Details on WebServers:

Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4 mod_auth_pam_external/0.1 FrontPage/ mod_perl/1.25
Apache/1.3.22 (Unix) PHP/4.1.1 mod_perl/1.26 rus/PL30.9
Apache/1.3.26 (Unix)
Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0
Apache/1.3.26 (Unix) PHP/4.1.2
Apache/1.3.26 (Unix) PHP/4.3.4 FrontPage/
Apache/1.3.27 OpenSSL/0.9.6 (Unix) FrontPage/ PHP/4.3.4
Apache/1.3.27 (Unix) FrontPage/
Apache/1.3.27 (Unix) PHP/3.0.18
Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Apache/1.3.27 (Unix) PHP/4.3.2
Apache/1.3.27 (Unix) PHP/4.3.4
Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/ mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 4.3.6 mod_perl/1.26 mod_webapp/1.2.0-dev
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_perl/1.26 PHP/4.3.3 FrontPage/5.0.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.3.3 mod_perl/1.26
Apache/1.3.28 (Unix)
Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.2 FrontPage/ mod_ssl/2.8.15 Open
Apache/1.3.28 (Unix) PHP/4.3.3
Apache1.3.29 - ProXad [Jun 9 2004 15:20:12]
Apache/1.3.29 (Unix) FrontPage/
Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/ mod_ssl/2.8.16 Open
Apache/1.3.29 (Unix) mod_gzip/ PHP/4.3.8
Apache/1.3.29 (Unix) mod_layout/3.2.1 PHP/4.3.4
Apache/1.3.29 (Unix) mod_watch/2.3
Apache/1.3.29 (Unix) PHP/4.3.2-RC
Apache/1.3.29 (Unix) PHP/4.3.4
Apache/1.3.29 (Unix) PHP/4.3.5
Apache/1.3.29 (Unix) PHP/4.3.8
Apache/1.3.29 (Unix) (Red-Hat/Linux) PHP/4.3.8
Apache/1.3.31 (Unix)
Apache/1.3.31 (Unix) FrontPage/ PHP/4.3.7
Apache/1.3.31 (Unix) mod_accounting/0.5l mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/ mod_ssl/2.8.18 Ope
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/ mod_ssl/2.8.18 Ope
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_tsunami/2.0 mod_bwprotect/0.2 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.4 FrontPage/ mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/2.0.39 (Unix) mod_perl/1.99_07-dev Perl/v5.6.1
Apache/2.0.40 (Red Hat Linux)
Apache/2.0.47 (Unix) PHP/4.3.3
Apache/2.0.47 (Unix) PHP/4.3.4
Apache/2.0.49 (Fedora)
Apache/2.0.49 (Unix) PHP/4.3.5
Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) PHP/4.2.3 sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g
Microsoft-IIS/5.0
Microsoft-IIS/6.0 SHS
Squeegit/1.2.5 (3_sir)
.V15 Apache/1.3.26 (Unix) mod_fs 6.005

Dan Hubbard
Security & Technology Research
Websense, Inc.
