You had WHO call you?

In Canada we don't get the FBI, NSA, CIA, Homeland Security, state police, local cops or a myriad of odd agencies with dubious jurisdictions wanting to know much of anything about your server. In Canada, 95% of the time you get one of two agencies, the RCMP or CSIS; neither is good, but both are better than the US alternatives, which are often more interested in their own goals than in preserving your data.

What has been getting attention lately has been around for over a year now, courtesy of the PRC (People's Republic of China). Few will come right out and say it, but state-based espionage is the bread and butter of China's financial machine: what you can't develop, you steal.

The target of choice right now is Microsoft Small Business Server 2003. It's a good OS and system, but a compromise can be difficult to detect. Here is something you can look for:

C:\Inetpub\wwwroot\iisstart.htm
Examine the file with Notepad. At the very top, do you see any 'funny' code? Something like this:

<!--czozNjM=--!>
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html;
etc...

That code at the top is the signature that all is not right with your system. Who, what, how and all the rest I'm researching, but your machine, though not compromised, is quite possibly working for the bad guys.
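Opening each page in Notepad does not scale past one server, so here is an added example (my own script, not from the post) that performs the same check over a whole web root: it reads the first few hundred bytes of every .htm/.html/.asp/.aspx file, looks for an HTML comment that holds nothing but a base64 token and sits before the <html> tag, and base64-decodes the token so the analyst can see what it carries. The regex accepts both the normal "-->" close and the "--!>" form shown in the post, and also en-dashes in place of "--", which is my assumption about how the marker looks after blog software has rewritten the hyphens. The sample pages written to a temporary folder are constructed for the demo; the decoded value of the post's marker is something the script shows, not something the post states.

```python
"""Scan an IIS web root for the base64 HTML-comment marker described above."""
import base64
import os
import re
import tempfile

# Marker shape from the post: an HTML comment holding only a base64 token,
# placed before the <html> tag. Both "-->" and the odd "--!>" close are
# accepted, as are en-dashes in place of "--" (assumption: that is what the
# marker looks like after blog software rewrites double hyphens).
MARKER_RE = re.compile(
    r"^\ufeff?\s*<!(?:--|\u2013)\s*([A-Za-z0-9+/]{4,}={0,2})\s*(?:--|\u2013)!?>"
)


def find_marker(text: str):
    """Return the base64 token if `text` starts with the marker comment, else None."""
    m = MARKER_RE.match(text)
    return m.group(1) if m else None


def decode_marker(token: str):
    """Decode the token; return the text if it is printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def scan_webroot(root: str, exts=(".htm", ".html", ".asp", ".aspx")):
    """Walk `root`; return [(path, token, decoded)] for files carrying the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(512)  # the marker sits at the very top of the file
            token = find_marker(head)
            if token:
                hits.append((path, token, decode_marker(token)))
    return hits


# Constructed samples: a marked iisstart.htm like the one in the post, and a
# clean default IIS page for contrast.
MARKED_PAGE = (
    '<!--czozNjM=--!>\n<html>\n<head>\n<meta http-equiv="Content-Type" '
    'content="text/html; charset=iso-8859-1">\n</head></html>\n'
)
CLEAN_PAGE = '<html>\n<head>\n<title>Under Construction</title>\n</head></html>\n'


def demo():
    """Write both samples to a temporary 'wwwroot', scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "iisstart.htm"), "w", encoding="utf-8") as fh:
            fh.write(MARKED_PAGE)
        with open(os.path.join(root, "pagerror.htm"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        hits = scan_webroot(root)
        for path, token, decoded in hits:
            print(f"{path}: marker {token!r} decodes to {decoded!r}")
        return [(os.path.basename(p), t, d) for p, t, d in hits]


if __name__ == "__main__":
    demo()
```

On a live server, call scan_webroot(r"C:\Inetpub\wwwroot") instead of demo(); reading only the first 512 bytes keeps the sweep cheap enough to run from a scheduled task, and a non-empty hit list is the cue to pull the file and the IIS logs for a closer look rather than to edit the page in place.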

I’ll add a comment when I have a name and process for removing this beasty.