And embedded in his code is one of the "other" ways of executing SQL - using sp_executeSQL .... His script is better than mine I think.
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Andy Matthews [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 21, 2008 2:37 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

Just an FYI...

Our DBA (Ryan Cooper) took this same route and this is what he came up with. Thought I'd share this with the group on his behalf. He notes that you need to run this on each of your databases:

-- start
CREATE TABLE [dbo].[Infected](
    [TableName] [varchar](255) NULL,
    [ColumnName] [varchar](4000) NULL
);

DECLARE @T nvarchar(255)
DECLARE @C nvarchar(4000)
DECLARE @SQL nvarchar(4000)

-- every column of every user table whose type is ntext (99), text (35),
-- nvarchar (231) or varchar (167)
DECLARE Table_Cursor CURSOR FOR
    select a.name, b.name
    from sysobjects a, syscolumns b
    where a.id = b.id and a.xtype = 'u'
      and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)

open Table_Cursor
fetch next from Table_Cursor into @T, @C

while @@fetch_status = 0
begin
    -- build one probe per column, splicing in the cursor's table (@T) and
    -- column (@C) names: does any row contain the injected script tag?
    set @SQL = 'DECLARE @V varchar(4000); SET @V = NULL; SELECT TOP 1 @V = ' + @C + ' FROM ' + @T
             + ' WHERE ' + @C + ' LIKE ''%</title><script src="http://1.verynx.cn/w.js">%''; '
             + 'IF (@V IS NOT NULL) BEGIN INSERT INTO dbo.Infected (tableName, ColumnName) VALUES (''' + @T + ''',''' + @C + ''') END'
    PRINT @SQL
    EXECUTE sp_executesql @SQL
    fetch next from Table_Cursor into @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor
-- end

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 21, 2008 1:49 PM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scratching My Head...

The hacker's hope is that you will be outputting one of those varchar fields into a webpage without escaping HTML characters. The extra text being inserted into the database fields will include a malicious JavaScript file from another server into the webpage. I haven't looked at the JS to see what it does, but it probably tries to load some Trojan via an ActiveX applet or something.
To clean your database, I would recommend reverse-engineering the attack to loop over your database columns and remove the text they placed in there. In the meantime, shut your site down so you don't infect your customers.

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309379
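The thread stops at detection: Ryan Cooper's script records which table/column pairs contain the marker, and Brad suggests looping over the columns to strip it. The cleanup pass below is an added example, not code from the thread or from Ryan Cooper; it reads the dbo.Infected table the scan fills and truncates each affected value at the marker. It assumes SQL Server 2005 or later (nvarchar(max), QUOTENAME, parameterised sp_executesql), that the flagged tables are in the caller's default schema, and that the injected text was appended to the end of each value (the LIKE '%...%' match alone cannot tell you that, so sample a few flagged rows first). Unlike the scan, it brackets the identifiers with QUOTENAME and passes the marker as a parameter rather than splicing it into the statement text.

```sql
-- Added example, not from the thread: cleanup driven by the dbo.Infected
-- table that the scan script fills. Assumes SQL Server 2005+ and that the
-- injected text sits at the end of each value, so everything from the
-- marker onward is dropped.
DECLARE @Marker nvarchar(400)
SET @Marker = N'</title><script src="http://1.verynx.cn/w.js">'   -- marker reported in the thread

DECLARE @T nvarchar(255), @C nvarchar(4000), @SQL nvarchar(max)

-- one row per (table, column) pair the scan flagged
DECLARE Clean_Cursor CURSOR FOR
    SELECT DISTINCT TableName, ColumnName FROM dbo.Infected

OPEN Clean_Cursor
FETCH NEXT FROM Clean_Cursor INTO @T, @C

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Only identifiers are spliced into the statement, bracketed with
    -- QUOTENAME; the marker travels as a real parameter (@m), so it is never
    -- parsed as SQL. text/ntext columns are cast to nvarchar(max) so that
    -- CHARINDEX and LEFT can operate on them.
    SET @SQL = N'UPDATE ' + QUOTENAME(@T)
             + N' SET ' + QUOTENAME(@C) + N' = LEFT(CAST(' + QUOTENAME(@C) + N' AS nvarchar(max)), '
             + N'CHARINDEX(@m, CAST(' + QUOTENAME(@C) + N' AS nvarchar(max))) - 1)'
             + N' WHERE CAST(' + QUOTENAME(@C) + N' AS nvarchar(max)) LIKE N''%'' + @m + N''%'''
    PRINT @SQL
    EXECUTE sp_executesql @SQL, N'@m nvarchar(400)', @m = @Marker
    FETCH NEXT FROM Clean_Cursor INTO @T, @C
END

CLOSE Clean_Cursor
DEALLOCATE Clean_Cursor
```

Take a backup, then run this inside BEGIN TRAN, read the PRINT output and the row counts of each UPDATE, and COMMIT only when they match what dbo.Infected predicted. If the payload was inserted in the middle of a value rather than appended, truncating at the marker would also discard the legitimate text after it; in that case replace the LEFT/CHARINDEX expression with REPLACE over the exact payload string once you have confirmed it from the flagged rows.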

