Just an FYI...

Our DBA (Ryan Cooper) took this same route and this is what he came up with.
Thought I'd share this with the group on his behalf. He notes that you need
to run this on each of your databases:

-- start
CREATE TABLE [dbo].[Infected](
        [TableName] [varchar](255) NULL,
        [ColumnName] [varchar](4000) NULL
);

DECLARE @T nvarchar(255)
DECLARE @C nvarchar(4000)
DECLARE @SQL nvarchar(4000)

DECLARE Table_Cursor CURSOR FOR 
select a.name, 
b.name 
from sysobjects a,syscolumns b 
where a.id=b.id 
and a.xtype='u' 
and (b.xtype=99 
or b.xtype=35 
or b.xtype=231 
or b.xtype=167)  
open Table_Cursor
fetch next from Table_Cursor into @T,@C
while @@fetch_status = 0
        begin
                -- One probe per text column: record the table/column pair if any row contains the injected tag
                set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; '
                         + 'SELECT TOP 1 @V = ' + @C + ' FROM ' + @T
                         + ' WHERE ' + @C + ' LIKE ''%</title><script src="http://1.verynx.cn/w.js";>%''; '
                         + 'IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (tableName, ColumnName) '
                         + 'VALUES (''' + @T + ''',''' + @C + ''') END'
                PRINT @SQL
                EXECUTE sp_executesql @SQL
                fetch next from Table_Cursor into @T,@C
        END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 1:49 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

The hacker's hope is that you will be outputting one of those varchar fields
into a webpage without escaping HTML characters.  The extra text being
inserted into the database fields will include a malicious JavaScript file
from another server into the webpage.  I haven't looked at the JS to see
what it does, but it probably tries to load some Trojan via an ActiveX
applet or something.

To clean your database, I would recommend reverse-engineering the attack to
loop over your database columns and remove the text they placed in there.
In the meantime, shut your site down so you don't infect your customers.

~Brad
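
A cleanup pass of the kind suggested above, as an added example that is not part of the original thread: it walks the dbo.Infected table filled by the scan script and strips the injected string from each listed varchar/nvarchar column. The @Payload value is a placeholder and the @DryRun switch and Clean_Cursor name are assumptions of this example; text/ntext columns are only reported, because REPLACE does not accept them.

```sql
-- Added example (not from the original thread). Run per database, after the scan script.
DECLARE @Payload nvarchar(4000), @DryRun bit;
SET @Payload = N'<EXACT INJECTED STRING, COPIED FROM AN AFFECTED ROW>';  -- placeholder, set before use
SET @DryRun  = 1;   -- 1 = only print the UPDATE statements; 0 = execute them

DECLARE @T sysname, @C sysname, @X int, @SQL nvarchar(4000);

-- Join back to the catalog so only real user-table columns are touched
-- and the column type (xtype) is known.
DECLARE Clean_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT i.TableName, i.ColumnName, c.xtype
    FROM dbo.Infected i
    JOIN sysobjects o ON o.name = i.TableName COLLATE DATABASE_DEFAULT AND o.xtype = 'U'
    JOIN syscolumns c ON c.id = o.id AND c.name = i.ColumnName COLLATE DATABASE_DEFAULT;

OPEN Clean_Cursor;
FETCH NEXT FROM Clean_Cursor INTO @T, @C, @X;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @X IN (35, 99)   -- text / ntext: REPLACE cannot take these types
        PRINT 'SKIPPED (text/ntext, clean manually): ' + @T + '.' + @C;
    ELSE
    BEGIN
        -- Identifiers are bracketed with QUOTENAME; the payload is passed as a
        -- parameter so it is never concatenated into the statement text.
        SET @SQL = N'UPDATE ' + QUOTENAME(@T)
                 + N' SET ' + QUOTENAME(@C) + N' = REPLACE(' + QUOTENAME(@C) + N', @p, N'''')'
                 + N' WHERE CHARINDEX(@p, ' + QUOTENAME(@C) + N') > 0';
        PRINT @SQL;
        IF @DryRun = 0
            EXECUTE sp_executesql @SQL, N'@p nvarchar(4000)', @p = @Payload;
    END
    FETCH NEXT FROM Clean_Cursor INTO @T, @C, @X;
END

CLOSE Clean_Cursor;
DEALLOCATE Clean_Cursor;
```

Re-run the scan script afterwards: an exact-string REPLACE leaves behind any copy of the string that was cut short by the column length, and those rows will still need attention.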



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309374