  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 10:25 AM | onionlips

    We have been hit by this as well. Luckily, a backup ran last night just prior to the attack.

    Our initial investigations are pointing at an attack through IIS using ASP in an overload. 

    A whois lookup shows nihaorr1 registered via the Chinese registrar xinnet.com.

    I used the safety of a VM to look under the hood at the operations of the 1.js file.

    It writes several iframes to that seem to come up as page not found (Chinese language pack) 

    A look at the script is a bit confusing and garbled (of course), but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.

    Googling "cuteqq" pulls up all sorts of harmful flagged pages.  Anyone have any insight on that?