Tuesday 23 September 2008

Latest SQL Injection URLS

Cleaning up a site infected with multiple SQL injected URLs

I have just had to clean up an ancient system that had been successfully hacked by automated hack bots. The site was a small news system that was rarely visited and was written about 7 years ago. The code was ASP classic and the SQL was all client side, created using string concatenation with poor parameter sanitization and no thought paid at all to SQL injection methods. Luckily the site owner is moving to a new system this week; however, I still had to clean the database up, and the main affected table contained at least 20 different script tags, some appearing over 5 times, all referencing dodgy URIs. In fact, by the looks of things, the majority of the site's traffic over the last month was purely from hack bots, which just goes to show that no matter how small a site is, if it can be found on the web then a hack bot is going to try its luck. Luckily I managed to remove all traces of the hack using my clean-up script and there was no need for a database backup restore.
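The clean-up described above, as an added example in Python rather than the author's own ASP script: it finds the `<script src=...></script>` tags the bots appended to text columns, tallies the URIs they reference (which is how a list like the one in this post is produced) and returns the stripped rows so the change set can be reviewed before it is written back. The rows, column names and `injected.example` URIs are constructed sample data, not values from the affected site.

```python
import re
from collections import Counter

# The 2008 mass-injection bots appended <script src=URL></script> to every text
# column they could reach; match one such tag (quoted or not, any letter case)
# and capture the referenced URI.
SCRIPT_TAG = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>\s*</script\s*>""",
    re.IGNORECASE,
)

# Constructed sample rows standing in for the affected news table.
SAMPLE_ROWS = [
    {"id": 1, "title": "Council approves new car park",
     "body": "Work starts in May."
             "<script src=http://injected.example/ngg.js></script>"
             "<script src=http://injected.example/ngg.js></script>"},
    {"id": 2, "title": 'Local fete<SCRIPT SRC="http://sdo.injected.example/csrss/w.js"></SCRIPT>',
     "body": "Well attended despite the rain."},
    {"id": 3, "title": "Untouched story", "body": "Nothing injected here."},
]

def extract_injected_uris(value):
    """Return the script src URIs found in one column value, in order."""
    if not isinstance(value, str):
        return []  # NULLs and numeric columns carry no injected markup
    return SCRIPT_TAG.findall(value)

def clean_value(value):
    """Strip every injected script tag, leaving the original text."""
    return SCRIPT_TAG.sub("", value) if isinstance(value, str) else value

def clean_table(rows, text_columns):
    """Clean text_columns in every row; return (cleaned_rows, uri_counts,
    changed_ids) so the change set can be reviewed before updating the table."""
    uri_counts, changed_ids, cleaned = Counter(), [], []
    for row in rows:
        new_row = dict(row)
        for col in text_columns:
            uris = extract_injected_uris(row.get(col))
            if uris:
                uri_counts.update(uris)
                new_row[col] = clean_value(row[col])
        if new_row != row:
            changed_ids.append(row["id"])
        cleaned.append(new_row)
    return cleaned, uri_counts, changed_ids
```

Run it against a copy of the affected table first; the URI tally doubles as the report of which scripts were injected and how often.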

However, I thought it would be helpful to list out all the URIs injected into the system.
As you can see, most are Russian with a few Chinese thrown in for good measure, so nothing new there. They all caused Google's vulnerable site report to raise a flag, and I believe the JS is the standard hack that makes use of the well known iframe vulnerabilities in old browsers.

See my post on recovering from an SQL injection attack for more details about clean-ups and quick plasters that can be applied to prevent further injections.

7 comments:

Anonymous said...

we got this one:
http://www.bannerdriven.ru/ads.js

Thanks!

Anonymous said...

And today we got this one:
http://www.doublebanner.ru/counter.js

Rob Reid said...

Cheers for these, have you read my article about the 2 stage sql injection hack that revealed:

http://www.adtcp.ru/ads.js

http://blog.strictly-software.com/2009/10/two-stage-sql-injection-attack.html

This method only reveals the URL for the JS exploit script once the 2nd decoded attack string has decoded another encoded string it hopefully managed to insert on its stage one hit.

I get between 30 and 2000 attempts a day on my biggest system (running 200+ sites) and these URLs change almost daily so trying to block by URL or domain is not a foolproof idea as new ones are created all the time.

You can even buy the "application" that manages all your hackbots, scripts and sites online somewhere. I have seen a video example of the app working showing how easy it is to set up and run.

However I may run some sort of auto-decoding process that outputs an up to date list of URLs from the exploits I log to a page somewhere if people would find that useful?

However keep posting the URLs!!

Steve Robbins said...

It's good that you didn't need a database backup restore since your cleanup script is working pretty well.

This is really neat, avoiding the hassles of a backup restore.

Anonymous said...

Does your website have a contact page? I'm having problems locating it but, I'd like to send you an email. I've got some creative ideas for your blog you might be interested in hearing. Either way, great site and I look forward to seeing it grow over time.
My website :: Highlights

Rob Reid said...

Of course it has an email link, you're obviously not looking properly or using an automated comment spammer!
