2117966(dot)net – Mass iframe injection

March 14, 2008 – 9:05 AM

Published: 2008-03-14,
Last Updated: 2008-03-14 15:33:49 UTC
by Kevin Liston (Version: 1)


Over 10,000 legitimate websites have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966(dot)net. The malicious website attempts to exploit the vulnerability described in MS06-014 and a number of ActiveX vulnerabilities.

Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.

Recommended immediate action:

Block 2117966(dot)net at your web proxy

Recommended follow-up action:

Inspect your web proxy logs for visitors to 2117966(dot)net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to
(http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.

Protecting Browsers:

A properly-patched system should not be at-risk from this attack.  It is recommened to use a browser that does not support ActiveX.

Protecting Webservers:

Until details become available on how the iframe was injected, we have no recommendations.

Missing information:

We currently do not have details on how the iframes were placed on the websites.  If you are responsible for cleaning-up or investigating one of  the defacements, please contact us if you have information on how the compromise occurred.


You must be logged in to post a comment.