Security Incidents mailing list archives
Re: Mysterious JavaScript appearance in website database
From: Glenn Gillis <glenn () elaw org test-google-a com>
Date: Tue, 15 Apr 2008 12:20:57 -0700
Bojan Zdrnja wrote, On 4/15/2008 12:26 AM:
Glenn, It's almost certainly an SQL injection attack that inserted the line of code above to all your HTML pages. These have become very common lately. I wrote a diary describing such an attack at http://isc.sans.org/diary.html?storyid=3823 Cheers, Bojan
Thanks, everyone, for your informative replies. I feel a little sheepish for not having heard of the Midhena virus prior to this, but as many of you pointed out, that seems to have been what got us.
I wish I could update our CMS (if the vendor still supported it, instead of having moved on to deploying Plone sites!) I do believe I know the entry point of the SQL injection, however, and have a good backup of the database from just prior to the attack to roll back to.
Thanks again! -- Glenn Gillis ELAW U.S. Information Technology Manager Environmental Law Alliance WorldwideP.S. Sorry for tripping everyone's email anti-virus software by enclosing the text of the .js file in my post! G.
Current thread:
- Mysterious JavaScript appearance in website database Glenn Gillis (Apr 14)
- Re: Mysterious JavaScript appearance in website database Jon Oberheide (Apr 14)
- Re: Mysterious JavaScript appearance in website database Yuli Stremovsky (Apr 15)
- Re: Mysterious JavaScript appearance in website database Bojan Zdrnja (Apr 15)
- Re: Mysterious JavaScript appearance in website database Glenn Gillis (Apr 15)
- Re: Mysterious JavaScript appearance in website database Bob Cunningham (Apr 15)
- Re: Mysterious JavaScript appearance in website database Jon Oberheide (Apr 14)