Have you seen this?
Steve writes,
"I can't put all the pieces together, but there's a malicious scheme afoot involving SQL insertion attempts and search engine optimization, I think. Seeing logs with an insertion attempt for 0x31303235343830303536 (or "1025480056"), I googled the translated value. There are a ton of hits on "1025480056" which include the SQL insertion attack in the link that Google presents. Is this a magic number for Oracle, mysql or MS SQL? Clearly evil, I'm not sure why, though."
Have you seen this before? Do you have any idea what it is? If so, please leave your comments.
Christopher Carboni - Handler On Duty
10 comment(s)
Comments
hrbrmstr
Apr 9th 2011
1 decade ago
http://ceh.vn/@4rum/showthread.php?1405-H%C6%B0%E1%BB%9Bng-d%E1%BA%ABn-hack-MYSQL-Injection-trong-PHP-chi-ti%E1%BA%BFt-cho-newbie.
Where it is referenced as the max int value.
It also seems to be used in a hack-tool:
http://www.threatexpert.com/report.aspx?md5=6d56f9bb33a73a128e205cf69b381619
Kender
Apr 9th 2011
1 decade ago
finack
Apr 9th 2011
1 decade ago
adamb
Apr 9th 2011
1 decade ago
Havij: http://www.itsecteam.com/en/projects/project1.htm
SQL injections with Havij user-agent: https://encrypted.google.com/search?hl=en&q=0x31303235343830303536%20havij
finack
Apr 9th 2011
1 decade ago
There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
%System%\MSVBVM60.DLL
Note:
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Are you seeing any reference to %System%\MSVBVM60.DLL?
TechFem50
Apr 9th 2011
1 decade ago
The query itself is pretty standard. All it does is add rows to the query result (not the table) that have that number, so it's easy to tell if the SQLi worked on the page.
adamb
Apr 9th 2011
1 decade ago
This is quite clearly a BCD encoding of the integer 1025480056, for whatever reason. Could that mean the UNIX date for 2002-06-30T23:34:16Z? I don't know of any particular significance of that time or date... The 2002 FIFA World Cup was 12 hours prior, and an air accident (Flight 2937) happened 2 hours prior.
I'm fairly sure it wasn't the malware author's birthday.
Steven Chamberlain
Apr 9th 2011
1 decade ago
If you check your web logs you should see many of these entries with an increasing number of 0x31..., first request with one, second with two, etc. We can safely assume that there is a tool behind it; one (havij) has already been mentioned in a previous comment. It is a way for the tool to brute force the number of columns to be used in a sql injection union select exploitation. My guess is that this value does not hold any specific "value" for the rdbms behind the application but may hold some specific for the tool used to perform the sql injection attempts (for example it may be used in parsing/tokenising the results of the union select in the returned page response.split(0x31..)).
./Z
Zacharias Pigadas
Apr 10th 2011
1 decade ago
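As an added illustration of the column-counting behaviour described in the comment above (example code written for this page, not from the diary or any commenter): a small Python log triage script that URL-decodes each request, decodes every 0x... hex literal back to ASCII, flags the "1025480056" marker, and reports per source IP the highest number of marker columns tried. The log lines are constructed samples in Apache combined format, and the Havij User-Agent string is an assumption taken from the earlier comment.

```python
import re
from urllib.parse import unquote_plus

# MySQL-style hex literal as it appears in the probes, e.g. 0x31303235343830303536
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# The marker discussed in the diary: hex-encoded ASCII for "1025480056"
KNOWN_MARKER = "1025480056"
# Apache combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic): two probes, one benign request.
SAMPLE_LOG = r"""
10.0.0.5 - - [09/Apr/2011:10:01:02 +0000] "GET /item.php?id=1'+and+1=2+union+select+0x31303235343830303536-- HTTP/1.1" 200 512 "-" "Havij"
10.0.0.5 - - [09/Apr/2011:10:01:03 +0000] "GET /item.php?id=1'+and+1=2+union+select+0x31303235343830303536,0x31303235343830303536-- HTTP/1.1" 200 512 "-" "Havij"
10.0.0.7 - - [09/Apr/2011:10:02:00 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def decode_hex_literals(text):
    """ASCII decoding of every 0x... literal in text; odd-length literals are skipped,
    non-ASCII bytes are kept as backslash escapes so nothing is silently dropped."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:  # odd number of hex digits cannot be a byte string
            continue
        out.append(bytes.fromhex(digits).decode("ascii", errors="backslashreplace"))
    return out

def analyze_line(line):
    """Parse one log line; return None if it is not in the expected format."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = decode_hex_literals(unquote_plus(m.group("path")))
    markers = sum(1 for d in decoded if d == KNOWN_MARKER)
    return {"ip": m.group("ip"), "ua": m.group("ua"), "decoded": decoded, "markers": markers}

def column_probe_counts(log_text):
    """Per source IP, the largest number of marker literals seen in one request,
    i.e. the highest column count the tool tried in its UNION SELECT probing."""
    result = {}
    for line in log_text.strip().splitlines():
        info = analyze_line(line)
        if info and info["markers"]:
            result[info["ip"]] = max(result.get(info["ip"], 0), info["markers"])
    return result
```

Run it against real logs and a source whose count climbs 1, 2, 3, ... across consecutive requests is the automated column enumeration the commenter describes.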
Jim
Apr 12th 2011
1 decade ago