
SANS ISC InfoSec Handlers Diary Blog



2117966.net-- mass ASP/SQL injection

Published: 2008-03-14
Last Updated: 2008-03-17 14:59:16 UTC
by Kevin Liston (Version: 5)
2 comment(s)

Situation:

Over 10,000 legitimate websites have been compromised and now carry a javascript link that directs visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067 and MS06-057, as well as a number of ActiveX vulnerabilities.

Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal logon credentials for websites and online games.

Recommended immediate action:

Block 2117966.net at your web proxy.

Recommended follow-up action:

Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up to date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175 (source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.
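The proxy-log triage described above, as an added example that is not part of the original diary: it reads Squid-style access log lines and splits clients into those that fetched content from 2117966.net (potentially exposed, verify patch level) and those that contacted 61.188.39.175 (treat as compromised, reimage). The log lines are constructed sample data, and the hostnames and script path in them are placeholders.

```python
from urllib.parse import urlsplit

# Indicators taken from the diary text.
EXPLOIT_HOST = "2117966.net"   # site hosting the exploit page
C2_ADDRESS = "61.188.39.175"   # destination that compromised hosts start talking to

# Constructed Squid-style access.log sample (not real traffic):
# timestamp elapsed client status bytes method url user hierarchy type
SAMPLE_LOG = """\
1205500000.123 120 10.0.0.5 TCP_MISS/200 4321 GET http://www.example.test/default.asp - DIRECT/203.0.113.10 text/html
1205500001.456 80 10.0.0.5 TCP_MISS/200 1234 GET http://www.2117966.net/x.js - DIRECT/198.51.100.7 application/javascript
1205500030.001 15 10.0.0.5 TCP_MISS/200 512 GET http://61.188.39.175/report - DIRECT/61.188.39.175 text/plain
1205500040.200 90 10.0.0.9 TCP_MISS/200 1234 GET http://2117966.net/x.js - DIRECT/198.51.100.7 application/javascript
1205500050.300 60 10.0.0.12 TCP_MISS/200 2048 GET http://www.example.test/news.asp - DIRECT/203.0.113.10 text/html
1205500060.400 60 10.0.0.14 TCP_TUNNEL/200 2048 CONNECT 61.188.39.175:443 - DIRECT/61.188.39.175 -
"""

def request_host(method, url):
    """Return the destination host of a proxied request (CONNECT lines carry host:port, not a URL)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def matches_domain(host, domain):
    """True for the domain itself and any subdomain of it (www.2117966.net etc.)."""
    return host == domain or host.endswith("." + domain)

def triage(log_text):
    """Return sorted lists of exposed clients and compromised clients found in the log."""
    exposed, compromised = set(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, method, url = fields[2], fields[5], fields[6]
        host = request_host(method, url)
        if matches_domain(host, EXPLOIT_HOST):
            exposed.add(client)
        elif host == C2_ADDRESS:
            compromised.add(client)
    return {"exposed": sorted(exposed), "compromised": sorted(compromised)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("reimage:", ", ".join(result["compromised"]))
    print("verify patches:", ", ".join(c for c in result["exposed"] if c not in result["compromised"]))
```

A client that appears in the compromised list without a matching 2117966.net request (10.0.0.14 in the sample) still warrants reimaging; the exposure may simply have bypassed the proxy.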

Protecting Browsers:

A properly patched system should not be at risk from this attack. It is recommended to use a browser that does not support ActiveX. Use of javascript controls such as NoScript is also effective.

Protecting Webservers:

The CSS Security Team at Microsoft has released details on how the code was injected into the servers. It's an automated script that exploits poor input-checking code in the ASP page.

http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

A more rigorous description and how to protect your ASP from SQL injection is available here:
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx


Update: Added additional exploit information

Update: Clarify that shadowserver is not the endpoint of the malicious traffic-- they provided that malware analysis (thanks guys)

Update: this was misidentified as an iframe injection when in fact it was a javascript link on the altered ASP pages.

Update: MS fills in the blanks on how the code was injected.

Keywords: SQL Injection