Tough problem -- SpyKids

Trailerisf Member Posts: 455
One of our clients got hacked. Whenever you type in the company website you get the SpyKids hacked index page.
The site is hosted on an outside webserver and is completely normal to anyone outside the domain.
(INTERNALLY) If you type www.mycompany.com/index.htm the page comes up fine but www.mycompany.com is their hacked page.

There is a mix of 2000 and 2003 boxes. ISA firewall and DNS, DHCP, etc. etc....

We have looked at the DNS and the www record points to our webhost. Tried dumping the cache. Even set up a PC with a static address pointing to the ISP DNS servers and no luck.

We have looked at the ISA box and even tried to forward the HTTP to the .index.htm to make it work... But no luck.

Anyone know if there is an AD policy that can be configured to force HTTP redirection?

Any ideas on solutions (even stupid ones) will help me with other things to look into.
On the road to Cisco. Will I hunt it, or will it hunt me?

Comments

  • Sie Member Posts: 1,195
    Does sound like a DNS issue.

    Have you checked the local hosts files? Ran spyware and adware tools on the clients?

    Are there any additional services etc. that are running on the system that shouldn't be?

    Has it been tested with both IE and Firefox?
    (This would identify a DNS or IE issue)

    Does this happen with all clients or just some?

    I assume the page is fine when accessed from a client outside the network?
    Foolproof systems don't take into account the ingenuity of fools
  • Trailerisf Member Posts: 455
    Sie wrote:
    Does sound like a DNS issue.

    #1:Have you checked the local hosts files? Ran spyware and adware tools on the clients?

    #2: Are there any additional services etc. that are running on the system that shouldn't be?

    #3:Has it been tested with both IE and Firefox?
    (This would identify a DNS or IE issue)

    #4:Does this happen with all clients or just some?

    #5:I assume the page is fine when accessed from a client outside the network?

    #1: Hosts files are untouched... Spyware, adware and every virus program I could find.

    #2: Nope, and we even checked the boxes that are running IIS

    #3: Yes, affects both browsers

    #4: All clients and servers

    #5: Yes

    When a client is set up with a static IP and ISP DNS settings the problem still persists...

    I've already tried all those but thanks for the brain cells you threw at the issue :) Anyone else have any suggestions??

    (50 desktops and servers in the network all affected)
    On the road to Cisco. Will I hunt it, or will it hunt me?
  • Sie Member Posts: 1,195
    Hmm....

    Maybe a fault on the webserver end?

    You have any access to the server itself?

    Just browsing and came across -

    http://www.sophos.com/virusinfo/analyses/trojsowna.html

    Sound similar??

    However, this doesn't explain why it's OK to the outside domain.

    Maybe you access a different index.* file inside domain than outside?

    Sorry, that's about the extent of my knowledge. As you can see I'm still studying!!
    Foolproof systems don't take into account the ingenuity of fools
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    It sounds to me as if your outside webserver was hacked and they possibly changed the page code? As far as HTTP redirection, there is no policy that I can think of that would do this. This type of action would normally be done by a simple HTML command. If you have access to the outside webserver you might want to change the IIS settings to display index.htm. I'd remote into the webserver and check the code at this point. I skimmed over the responses but it sounds like you've covered the bases.
  • Trailerisf Member Posts: 455
    Webserver is fine.. And yes I can access it because we are the webhost for them.

    index.htm is a default webpage already so changing it won't help. As I said before, the site works fine for the rest of the world.

    That virus link you sent is what they did a year ago. I downloaded and ran the trial version of Sophos a couple days ago and ran it. No Luck.

    Their mission is to deface as many sites as they can. I went onto their IRC channel and spoke with them. A couple of them are extremely gifted and the rest are just script kiddies. They are using PHP injections on machines with old updates. But this is totally different.
    On the road to Cisco. Will I hunt it, or will it hunt me?
  • Danman32 Member Posts: 1,243
    If you have to specify the file index.htm then it sounds like the list of default webpages was changed. Note if there's a change in extension to the default list: index.htm versus index.html.

    DNS/hosts problems can easily be checked, just try pinging the URL and see if you get the correct IP. If you do, probably not a DNS/hosts hack.

    Of course, the problem could be in the browsers if it only shows up in-house. Try it with Firefox on one machine.
  • Trailerisf Member Posts: 455
    Cleared the URL cache on the ISA box and it works...
    On the road to Cisco. Will I hunt it, or will it hunt me?
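The three explanations the thread worked through (a hosts-file override on the client, a resolver answer that does not match the web host's record, and a stale copy held in the ISA web cache, which is what it turned out to be) can be told apart with a small script. The following is an added example, not code from the thread or from any of the posters; the hostname, expected IP, hosts-file text and page bodies in it are constructed, and the live fetches are left as commented calls for the reader to enable.

```python
"""Added diagnostic for a page that is wrong only from inside the network.

  1. hosts_overrides: does a hosts file pin the site's name to some IP?
  2. resolves_to_expected: does the resolver answer match the IP the web
     host says the www record points to?
  3. classify: same URL fetched normally, fetched with cache-busting
     headers, and the body the origin is known to serve. If only the
     plain fetch is wrong, an intermediary cache (ISA's web cache in the
     thread) is serving an old copy.

All hostnames, IPs and bodies below are constructed sample values.
"""
import hashlib
import socket
import urllib.request


def hosts_overrides(hosts_text, hostname):
    """Return every IP a hosts file maps to hostname; comments and blanks are ignored."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if hostname.lower() in (name.lower() for name in fields[1:]):
            found.append(fields[0])
    return found


def resolves_to_expected(hostname, expected_ip, resolver=socket.gethostbyname):
    """Resolve hostname (system resolver by default, injectable for tests) and
    compare with expected_ip. Returns (answer, matches); answer is None on failure."""
    try:
        answer = resolver(hostname)
    except OSError:
        return None, False
    return answer, answer == expected_ip


def cache_busting_headers():
    """Headers asking an intermediary to revalidate instead of serving its stored
    copy: HTTP/1.1 Cache-Control plus HTTP/1.0 Pragma for older proxies."""
    return {"Cache-Control": "no-cache", "Pragma": "no-cache"}


def fetch(url, headers=None, timeout=10):
    """Fetch url through whatever proxy the environment configures; return body bytes."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def digest(body):
    """Short fingerprint so bodies can be compared and logged without dumping HTML."""
    return hashlib.sha256(body).hexdigest()[:16]


def classify(plain_body, nocache_body, known_good_body):
    """Decide where a wrong page comes from, given the same URL fetched normally,
    fetched with cache-busting headers, and the body the origin is known to serve."""
    if digest(plain_body) == digest(known_good_body):
        return "ok: page matches the origin"
    if digest(nocache_body) == digest(known_good_body):
        return "stale-cache: proxy served an old copy; revalidated fetch is correct"
    return "origin-path: both fetches differ from origin; check hosts, DNS and routing"


def main():
    site = "www.mycompany.com"      # placeholder name used in the thread
    expected_ip = "192.0.2.10"      # constructed; use the IP your web host publishes
    # Constructed hosts-file text: the override is commented out, so nothing is found.
    sample_hosts = "127.0.0.1 localhost\n# 198.51.100.7 www.mycompany.com\n"
    print("hosts overrides:", hosts_overrides(sample_hosts, site))
    print("resolver:", resolves_to_expected(site, expected_ip))
    # Live check (needs network access; fetches the page through the local proxy):
    #   plain = fetch("http://" + site + "/")
    #   fresh = fetch("http://" + site + "/", cache_busting_headers())
    #   good  = fetch("http://" + expected_ip + "/", {"Host": site})
    #   print(classify(plain, fresh, good))
    good = b"<html>company home</html>"   # constructed
    defaced = b"<html>defaced</html>"     # constructed
    print(classify(defaced, good, good))  # -> stale-cache


if __name__ == "__main__":
    main()
```

On the thread's own symptom the script lands in the stale-cache branch: the cache-busting request comes back correct because the origin is fine, while the plain request returns the cached copy, which is exactly why clearing the ISA URL cache fixed it.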
  • darwinism Member Posts: 59 ■■□□□□□□□□
    They are from Brazil, last year they hacked a gazillion phpnuke sites. I had a few ISPs contact me to clean them up last year. Annoying little bastards.
    If you are living in the Columbus, OH area and studying for the CCNA click the following link.

    CCNA looking for study partners in Columbus, OH
  • Trailerisf Member Posts: 455
    Only annoying if you don't update the servers...
    On the road to Cisco. Will I hunt it, or will it hunt me?