Over the past week we’ve been seeing a lot of infected websites that have an iframe that contains one of these two URLs:
A little searching found that approximately 25,000 web pages have the
nutcountry.ru:8080/index.php iframe and another 516 web pages reference
What’s interesting is that none of the websites listed in the Google search for either of these two iframes, are listed with “this site may harm your computer” label.
We checked the Google Safe Browsing Diagnostic for nutcountry.ru and it shows:
And for parkperson.ru we found this:
Shows that as of 8-04-2010, Google has not found this site to be harmful or suspicious.
We attempted to download the files from parkperson.ru, or watch what infection might occur if visited and found that the domain does not exist and neither does nutcountry.ru.
What does all this mean?
It means, that over 25,000 websites were infected, but with an iframe that is harmless because the URL inside the iframe doesn’t go anywhere.
The other interesting aspect of this infection is that all the web pages appear to be ASP code (.asp or .aspx). Based on the location of the harmless iframes, it appears to be another ASPROX infection.
If it is ASPROX, you’ll probably see the iframe in your SQL database. Based on the location of where the iframe appears in the web pages, it’s not a simple iframe injection. The iframe is actually buried in your SQL database. This will make it more difficult to remove. You should consult the services of a database administrator or a security company that knows SQL (yes we do!).
The next thing will be to determine how the code was inserted. This type of infection is referred to SQL injection. This happens when the input from a form or dynamically generated web page isn’t properly sanitized. If there’s a code plugin you’re using, or utilizing some standard software package in your .ASP code, please check for security updates. If you’ve had a programmer create something for you, contact them and have them check over all the code they created for you. Some where on your site you have a SQL injection vulnerability and it needs to be closed.
As stated, this time, the domains included in the iframe don’t exist. However, the next time, your visitors could get infected and your site could be blacklisted by Google and many other services.
If you need assistance with this, please send me an email at firstname.lastname@example.org.
If you have other information about this infection, please post it as a comment.