Malware served from NY Times Website

I've gotten two calls from clients (OK, one was a client, the other my mother-in-law) saying they visited the NYTimes website and were attacked by malware.

This is true, they were. My MIL said she was trying to read Maureen Dowd and got hit with a rogue anti-spyware application.

Read more 1 Comment

Don’t Overlook Scheduled Tasks / AT when cleaning malware…

One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities -- RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell -- we got rid of the thing.

When I checked the post-infection System Event Viewer log, however, I got an interesting message:

Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Date:1/31/2009
Time:9:00:00 PM
User:N/A
Computer:XXX03
Description:
The At46.job command failed to start due to the following error:
The system cannot find the file specified.

How To Clean Up After a SQL Injection Attack

NEW AND IMPROVED UPDATE: Cleaning Up After a SQL Injection Attack, Part 2

[UPDATE: Added code to deal with replacing text in the ntext fields of SQL Server 2000.]

One of our clients got hit with a web attack a week or so ago. We're still not quite sure how this particular attack was carried out -- we're thinking an unpatched web server at the hosting facility -- but it did cause me to look at the log file of the web site to see who might have been able to overwrite index.

Read more 6 Comments