Skip to content

What the hack is this nihaorr1.com/1.js? – updated Apr.19

2008/04/19


Found anything special in the following Google search results?
    
Yes, except the 3rd link that points to the IIS.net forum, all other destinations in the search results have been compromised.  The codes between <script src= … and … </script> were planted into the contents of those websites by some kind of malicious hacking mechanism without webmasters’ awareness.  Do NOT click on any of those links!!!

This thread in IIS.net forum, Anyone know about www.nihaorr1.com/1.js? tells part of the story by a few people talking about their findings.  Basically, once the website is juggled, when the visitor clicks on the link that have hacking code implanted, the browser will be redirected to http://www.nihaorr1.com website and 1.js from that website will be executed.  Most web visitors would not notice anything except something like "Page cannot be found" shown in the brower, which doesn’t mean anything harmful.  But actually, the codes have already be running on their PCs.  So far, I saw there were test.exe, 1.js, Yahoo.php pulled from that website to the clients.  Those files are executable, if you have antivirus software installed with up-to-date antivirus definition, they will be quarantined; if you don’t have, I don’t know …

Webmasters, especially those run IIS, use ASP codes and have SQL database in the backend, check your servers, codes and databases.  Thousands of websites have been compromised as shown in Google search results.  There is no official information yet, but I personally quite agree to rwmorey, eftennis and davcox’s comments in http://forums.iis.net/p/1148917/1867622.aspx.  I will also add some new findings in the new few days. [Apr.18]

There are 2 more domains that could contain the same malicious code: aspder.com, 414151.com.  From somewhere some hackers are trying to plant the code in your web server or SQL database, so your visitor will be redirect to those sites and probably get infected.

Here is more details found in the Malware Domain Blocklist:

The IP address 60.172.219.4 contains

414151..com and a new domain, aspder..com

Source: http://www.robtex.com/ip/60.172.219.4.html

aspder..com resolves, and there are iframes popping up in google:

http://www.google.com/search?q=aspder.com

Needless to say, block this IP and domain. If anyone can download and analyze the iframe, we would appreciate more information. Thanks.

UPDATE: it’s a sql injection attack, see these links for more detail:

http://www.webhostingtalk.com/showthread.php?t=686032
http://www.webhostingtalk.com/showthread.php?p=5062187

These posts also mention twww..nihaorr1..com/1.js

Also in those threads in Web Hosting Talk (two links above), there are more details about how the hackers plant the code in you web servers and SQL servers.  The following is copied from that site:

Here is a link to shed light on the problem and how to mitigate it –

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Many high profile sites got hit by the injection of early april and also one in early march. Sites like usatoday-dot-com, forbes-dot-com, walmart-dot-com, and on and on. Several thousand sites got hit.

Here are some more links about it –

http://myitforum.com/cs2/blogs/cmosby/archive/2008/04/04/nmidahena-sans-internet-storm-center.aspx

http://isc.sans.org/diary.html?storyid=4210

http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

Block the following on your proxy servers, home routers and other Internet gateway device, so your user will not get infected when the website they visit is compromised.  Besides the web and SQL servers, these are how you control the controllable as a server/network administrator.

IPs
60.172.219.4
24.28.193.9
219.153.46.28

Domains
aspder.com
*.aspder.com
nihaorr1.com
*.nihaorr1.com
414151.com
*.414151.com

Microsoft also published a security advisory 951306, not sure if it’s relevant, need to test and prove.  [Apr.19]

Advertisements
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: