IIS 5 & IIS 6
Anyone know about www.nihaorr1.com/1.js?
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 10:25 AM|onionlips
We have been hit by this as well. Luckily, a backup ran last night just prior to the attack.
Our initial investigations are pointing at an attack through IIS using ASP in an overload.
A whois lookup shows nihaorr1 registered via the Chinese registrar xinnet.com.
I used the safety of a VM to look under the hood at the operations of the 1.js file.
It writes several iframes to that seem to come up as page not found (Chinese language pack).
A look at the script is a bit confusing and garbled (of course), but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.
Googling "cuteqq" pulls up all sorts of harmful flagged pages. Anyone have any insight on that?