Injection hack - Please help!

on 05.10.2005 17:54:30 by jason

A number of our online forms with client side JS validation appear to have
been the subject of an 'injection' hack, but I am a novice as to the repercussions
or exact meaning of what is going on here.

Somebody appears to be cycling through all our online forms and
inserting strange code. Some of these forms are connected to our database.

Could anybody tell me how serious this is and what I can do to deal with
the present threat. I am not sure what to do here.....

Here is what we are getting:



Source:
[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.koo t.cn]Ó¢ÓïÅàѵ[/url]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[ur l=http://www.bomm.cn]´¥ÃþÆÁ±¨¼Û[/url]¡¢[url=http://www.seegl e.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]

IDStatus: ADVERTISER







//------------- Personal Details ------------//



Email Address: abc@hotmail.com

First Name: adname

Last Name: adname

Country: 020-78907890

Cell:

Zip:

State:

Country:







//------------- Service ------------//



Service Details:
[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.koo t.cn]Ó¢ÓïÅàѵ[/url]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[ur l=http://www.bomm.cn]´¥ÃþÆÁ±¨¼Û[/url]¡¢[url=http://www.seegl e.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]

Re: Injection hack - Please help!

on 05.10.2005 19:48:43 by Steven Burn

The implications are obvious..... you need to re-think your coding (locking
down forms from external abuse is your first step)

As this is a Client-side issue (JS), you'd need to go to a JS newsgroup for
information on how to go about this.

microsoft.public.scripting.jscript
comp.lang.javascript

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

wrote in message
news:uuPBYUcyFHA.2812@TK2MSFTNGP14.phx.gbl...
> A number of our online forms with client side JS validation appear to have
> been the subject of an 'injection' hack, but I am a novice as to the
> repercussions
> or exact meaning of what is going on here.
>
> Somebody appears to be cycling through all our online forms and
> inserting strange code. Some of these forms are connected to our database.
>
> Could anybody tell me how serious this is and what I can do to deal with
> the present threat. I am not sure what to do here.....
>
> Here is what we are getting:
>
>
>
> Source:
>
[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.koo t.cn]Ó¢ÓïÅàѵ[/u
rl]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[url=http://www.bom m.cn]´¥ÃþÆÁ±¨¼Û[
/url]¡¢[url=http://www.seegle.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]
>
> IDStatus: ADVERTISER
>
>
>
>
>
>
>
> //------------- Personal Details ------------//
>
>
>
> Email Address: abc@hotmail.com
>
> First Name: adname
>
> Last Name: adname
>
> Country: 020-78907890
>
> Cell:
>
> Zip:
>
> State:
>
> Country:
>
>
>
>
>
>
>
> //------------- Service ------------//
>
>
>
> Service Details:
>
[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.koo t.cn]Ó¢ÓïÅàѵ[/u
rl]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[url=http://www.bom m.cn]´¥ÃþÆÁ±¨¼Û[
/url]¡¢[url=http://www.seegle.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]
>
>

Re: Injection hack - Please help!

on 05.10.2005 20:06:20 by reb01501

jason@catamaranco.com wrote:
> A number of our online forms with client side JS validation appear to

Validation needs to be done at the server, even if it was "already done" in
the client, as you have just discovered.

If this is a SQL Injection* attack (I'm not sure that it is) then you need
to rethink your use of dynamic sql and use parameters instead**.


Bob Barrows

* http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

** Using Command object:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

SQL Server Stored Procedures:
http://tinyurl.com/jyy0

Access Saved Queries:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=ukS%246S%247CHA.2464%40TK2MSFTNGP11.phx.gbl

http://www.google.com/groups?selm=eETTdnvFDHA.1660%40TK2MSFTNGP10.phx.gbl&oe=UTF-8&output=gplain

http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl



--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
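Bob's advice to replace dynamic SQL with parameters is the core fix for the database-backed forms. The following is an added example, not code from the thread: the posters were working in classic ASP with ADO (hence the Command object links), but the point is the same in any driver, and this version uses Python's sqlite3 module, whose `?` placeholders play the role of ADO parameters. The `contacts` table and its rows are constructed for the demonstration; the real schema is not given in the thread.

```python
import sqlite3

# Constructed stand-in for the poster's form-backed table (assumption: the
# real schema is not given in the thread).
SAMPLE_ROWS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("o'brien@example.com", "Pat"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT, first_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO contacts (email, first_name) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def find_by_email_dynamic(conn, email):
    """Dynamic SQL: the form value is pasted into the statement text.

    This is the pattern Bob warns against; whatever the user typed becomes
    part of the query the database parses.
    """
    sql = "SELECT email FROM contacts WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_email_param(conn, email):
    """Parameterised: the value is sent separately from the statement, so it
    can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT email FROM contacts WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def insert_contact_param(conn, email, first_name):
    """Store a submission with parameters and return the resulting row count."""
    conn.execute(
        "INSERT INTO contacts (email, first_name) VALUES (?, ?)", (email, first_name)
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


def dynamic_lookup_errors(conn, email):
    """True if the dynamic version cannot even handle the value, e.g. a
    perfectly legitimate address containing an apostrophe."""
    try:
        find_by_email_dynamic(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: the textbook always-true fragment from the papers Bob links.
    tautology = "x' OR '1'='1"
    print("dynamic lookup:", find_by_email_dynamic(conn, tautology))  # every row leaks
    print("param lookup  :", find_by_email_param(conn, tautology))    # [] - a literal string
    print("apostrophe breaks dynamic SQL:", dynamic_lookup_errors(conn, "o'brien@example.com"))
    print("apostrophe is fine with params:", find_by_email_param(conn, "o'brien@example.com"))
    # The BBCode spam from the thread, stored as inert data (constructed host name).
    spam = "[url=http://spam.example]ad text[/url]"
    print("rows after storing spam as data:", insert_contact_param(conn, spam, "adname"))
```

Two things fall out of running it. The parameterised lookup treats the tautology as a string nobody has registered and returns nothing, while the concatenated version returns the whole table; and the concatenated version cannot even store or look up a legitimate address with an apostrophe without a syntax error, which is a cheap way to spot this bug in your own forms. Note that parameters only stop the input from being executed as SQL; the BBCode spam is still stored verbatim, so filtering it is a separate, server-side validation job.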

Re: Injection hack - Please help!

on 05.10.2005 20:47:16 by jason

Ok, I mostly do use parameterized procedure calls.

Thanks.

"Bob Barrows [MVP]" wrote in message
news:%23hYQAedyFHA.1032@TK2MSFTNGP12.phx.gbl...
> jason@catamaranco.com wrote:
>> A number of our online forms with client side JS validation appear to
>
> Validation needs to be done at the server, even if it was "already done"
> in
> the client, as you have just discovered.
>
> If this is a SQL Injection* attack (I'm not sure that it is) then you need
> to rethink your use of dynamic sql and use parameters instead**.
>
>
> Bob Barrows
>
> * http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
> http://www.nextgenss.com/papers/advanced_sql_injection.pdf
> http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
> http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
>
> ** Using Command object:
> http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
>
> SQL Server Stored Procedures:
> http://tinyurl.com/jyy0
>
> Access Saved Queries:
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=ukS%246S%247CHA.2464%40TK2MSFTNGP11.phx.gbl
>
> http://www.google.com/groups?selm=eETTdnvFDHA.1660%40TK2MSFTNGP10.phx.gbl&oe=UTF-8&output=gplain
>
> http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl
>
>
>
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>

Re: Injection hack - Please help!

on 05.10.2005 20:48:22 by jason

Ok, I was also concerned with the implications for the existing SQL Server database.

Will try that group.

Thanks

"Steven Burn" wrote in message
news:uO94KUdyFHA.3860@TK2MSFTNGP09.phx.gbl...
> The implications are obvious..... you need to re-think your coding
> (locking
> down forms from external abuse is your first step)
>
> As this is a Client-side issue (JS), you'd need to go to a JS newsgroup
> for
> information on how to go about this.
>
> microsoft.public.scripting.jscript
> comp.lang.javascript
>

Re: Injection hack - Please help!

on 05.10.2005 21:10:24 by reb01501

In that case, you may be facing a cross-site scripting (XSS) hack. Google
should get you some info about this.

Again, the solution is to validate server-side. Never depend on client-side
validation. Use client-side validation to improve the user "experience". Use
server-side validation to lock down your application.

Bob Barrows
jason@catamaranco.com wrote:
> Ok, I mostly do use parameterized procedure calls.
>
> Thanks.
>
> "Bob Barrows [MVP]" wrote in message
> news:%23hYQAedyFHA.1032@TK2MSFTNGP12.phx.gbl...
>> jason@catamaranco.com wrote:
>>> A number of our online forms with client side JS validation appear
>>> to
>>
>> Validation needs to be done at the server, even if it was "already
>> done" in
>> the client, as you have just discovered.
>>
>> If this is a SQL Injection* attack (I'm not sure that it is) then
>> you need to rethink your use of dynamic sql and use parameters
>> instead**.
>>

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Re: Injection hack - Please help!

on 12.10.2005 03:42:45 by jeff.nospam

It's not a hack at all. It's a spamming robot filling in ad links as
form entries. You should be stripping the HTML from the input on the
server, as well as the extended character set if you don't want to
allow those into your data. You may want to record IP addresses of
anyone entering data as a means to track this and if needed, pursue
litigation.

Jeff

On Wed, 5 Oct 2005 11:54:30 -0400, wrote:

>A number of our online forms with client side JS validation appear to have
>been the subject of an 'injection' hack, but I am a novice as to the repercussions
>or exact meaning of what is going on here.
>
>Somebody appears to be cycling through all our online forms and
>inserting strange code. Some of these forms are connected to our database.
>
>Could anybody tell me how serious this is and what I can do to deal with
>the present threat. I am not sure what to do here.....
>
>Here is what we are getting:
>
>
>
>Source:
>[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.ko ot.cn]Ó¢ÓïÅàѵ[/url]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[u rl=http://www.bomm.cn]´¥ÃþÆÁ±¨¼Û[/url]¡¢[url=http://www.seeg le.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]
>
>IDStatus: ADVERTISER
>
>
>
>
>
>
>
>//------------- Personal Details ------------//
>
>
>
>Email Address: abc@hotmail.com
>
>First Name: adname
>
>Last Name: adname
>
>Country: 020-78907890
>
>Cell:
>
>Zip:
>
>State:
>
>Country:
>
>
>
>
>
>
>
>//------------- Service ------------//
>
>
>
>Service Details:
>[url=http://www.imq.cn]ÊÓƵÁÄÌìÊÒ[/url]¡¢[url=http://www.ko ot.cn]Ó¢ÓïÅàѵ[/url]¡¢[url=http://www.kood.cn]·§ÃÅ[/url]¡¢[u rl=http://www.bomm.cn]´¥ÃþÆÁ±¨¼Û[/url]¡¢[url=http://www.seeg le.com]ÊÓƵ»áÒéÈí¼þϵͳ[/url]
>
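Bob's second reply (validate server-side, treat client-side checks as a convenience) and Jeff's reply (strip the markup and, if you choose to, the extended character set on the server; record submitter IPs) both describe the same server-side gate. The following is an added example, not code from the thread or from the posters' ASP application: a Python validator for the five fields visible in the pasted submission (email, first name, last name, country, service details). The field rules, length limits, and the two sample submissions are constructed; the non-ASCII rejection mirrors Jeff's "if you don't want to allow those into your data" and is a policy choice that would also reject legitimate non-English names, so treat it as a knob rather than a given.

```python
import html
import re
from datetime import datetime, timezone

# BBCode tags such as [url=http://...] and [/url], and HTML tags such as <b> or <script>.
BBCODE_RE = re.compile(r"\[/?[A-Za-z]+(?:=[^\]]*)?\]")
HTML_TAG_RE = re.compile(r"<[^>]*>")

# Constructed, deliberately strict formats for the fields seen in the thread.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,49}$")
COUNTRY_RE = re.compile(r"^[A-Za-z][A-Za-z ]{1,49}$")

# field -> (required, max length, format pattern or None for free text)
FIELD_RULES = {
    "email": (True, 254, EMAIL_RE),
    "first_name": (True, 50, NAME_RE),
    "last_name": (True, 50, NAME_RE),
    "country": (True, 50, COUNTRY_RE),
    "service_details": (True, 2000, None),
}


def contains_markup(value):
    """True if the value carries BBCode or HTML tags (the spam in the thread uses BBCode)."""
    return bool(BBCODE_RE.search(value) or HTML_TAG_RE.search(value))


def is_plain_ascii(value):
    """Printable 7-bit ASCII only; Jeff's 'extended character set' filter, applied as a policy."""
    return all(32 <= ord(ch) < 127 for ch in value)


def validate_submission(form):
    """Server-side gate: returns (cleaned_fields, errors). Empty errors means accept.

    Runs regardless of what client-side JS already checked, since the bot never ran it.
    """
    cleaned, errors = {}, []
    for field, (required, max_len, pattern) in FIELD_RULES.items():
        value = (form.get(field) or "").strip()
        if not value:
            if required:
                errors.append(f"{field}: required")
            continue
        if len(value) > max_len:
            errors.append(f"{field}: too long")
        elif not is_plain_ascii(value):
            errors.append(f"{field}: non-ASCII characters not allowed")
        elif contains_markup(value):
            errors.append(f"{field}: markup not allowed")
        elif pattern is not None and not pattern.match(value):
            errors.append(f"{field}: invalid format")
        else:
            cleaned[field] = value
    return cleaned, errors


def render_safe(value):
    """Escape a stored value before echoing it into HTML (the XSS side of Bob's point)."""
    return html.escape(value, quote=True)


def audit_line(remote_addr, form, errors):
    """One log line per submission with the source IP, so repeat offenders can be traced."""
    status = "REJECTED" if errors else "ACCEPTED"
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} ip={remote_addr} status={status} email={form.get('email', '')!r} reasons={';'.join(errors)}"


# Constructed sample submissions: the bot's post from the thread (with placeholder
# hosts and real Chinese text where the original showed mis-encoded bytes) and a
# plausible legitimate enquiry.
SPAM_POST = {
    "email": "abc@hotmail.com",
    "first_name": "adname",
    "last_name": "adname",
    "country": "020-78907890",
    "service_details": "[url=http://spam.example]\u89c6\u9891\u804a\u5929\u5ba4[/url]\u3001[url=http://spam2.example]more[/url]",
}
GOOD_POST = {
    "email": "jane.doe@example.com",
    "first_name": "Jane",
    "last_name": "O'Brien",
    "country": "United Kingdom",
    "service_details": "Looking for a quote on a 40ft catamaran charter.",
}

if __name__ == "__main__":
    for label, post in (("spam", SPAM_POST), ("good", GOOD_POST)):
        cleaned, errors = validate_submission(post)
        print(label, "->", errors or "accepted")
        print(audit_line("203.0.113.5", post, errors))  # constructed documentation IP
    print(render_safe("<script>alert(1)</script>"))
```

The checks are ordered so that the cheapest, most decisive one fires first (length, then character set, then markup, then format), and each field reports one reason; the audit line carries the IP either way so that a burst of rejections from one address is visible in the log. Note that `render_safe` is applied on output, not on input: validation decides what gets stored, escaping decides how it is shown, and the two should not be collapsed into one step.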