Comments on: Mass infection of IIS/ASP sites – robint.us

By: LizaMoon Mass SQL injection (ur.php) – Updates | Sucuri

LizaMoon Mass SQL injection (ur.php) – Updates | Sucuri — Mon, 04 Apr 2011 14:02:29 +0000

[...] We posted more details on these types of attacks when the first one hit almost a year ago: Mass infection of IIS/ASP sites – robint.us [...]

By: Attacks against IIS/ASP sites – alisa-carter.com | Sucuri

Attacks against IIS/ASP sites – alisa-carter.com | Sucuri — Mon, 21 Mar 2011 20:13:22 +0000

[...] pointing to http://alisa-carter.com/ur.php . It is done using the same SQL injection attack as used in the robint-us mass infection of a few months [...]

By: Hackers compromised thousands of Web sites! | MalwareSurvival

Hackers compromised thousands of Web sites! | MalwareSurvival — Fri, 21 Jan 2011 05:53:07 +0000

[...] Sucuri.net has published the exploit findings on their Research Blog. [...]

By: Attack against IIS/ASP sites – google-stat50.info | Sucuri

Attack against IIS/ASP sites – google-stat50.info | Sucuri — Tue, 28 Sep 2010 16:51:02 +0000

[...] small sites, but some big ones got hit as well. It is the same SQL injection attack as used in the robint-us mass infection of a few months [...]

By: dremeda

dremeda — Mon, 02 Aug 2010 19:17:04 +0000

Thanks for the post. If it makes it easier try using http://sucuri.pastebin.com then post the link here. Cheers. My recent post UFCcom blacklisted by Google indirectly

By: C-Note

C-Note — Mon, 02 Aug 2010 17:25:32 +0000

Ok– so my script is 'too long to post'. Here is the NTEXT part to insert into CantalopeHeads script. I also adjusted the varchar to be nvarchar.

– This is for NTEXT ONLY
DECLARE Col_Cur Cursor
FOR SELECT COLUMN_NAME From INFORMATION_SCHEMA.COLUMNS
WHERE Table_Name = @TableName and DATA_TYPE IN ('ntext')
OPEN Col_Cur
SET @OutStr ='UPDATE ' + @TableName + ' SET ' ;
SET @ColCnt = 0;
FETCH NEXT FROM Col_Cur INTO @ColName;

WHILE @@FETCH_STATUS = 0
BEGIN
SET @OutStr = @OutStr + @ColName + '=CAST(REPLACE(CAST(' + @ColName + ' AS nvarchar(max)),''' + @str + ''','''') AS ntext),' ;
SET @ColCnt = @ColCnt + 1;
FETCH NEXT FROM Col_Cur INTO @ColName;
END
SET @OutStr = LEFT(@OutStr, LEN(@OutStr) – 1) + ';'
IF @ColCnt > 0
BEGIN
PRINT @OutStr ;
END
CLOSE Col_Cur;
DEALLOCATE Col_Cur;

By: C-note

C-note — Mon, 02 Aug 2010 17:18:55 +0000

Thanks to CantalopeHead for the script! I just used it on another malicious injection. I made a few updates to include nvarchar and ntext columns. I'll post separate due to length. Note the ntext fix will only work on SQL 2005 and later (it uses a CAST to leverage the new nvarchar(MAX) data type. When one has time, one should consider changing text fields to nvarchar(MAX) anyway.

Hopefully I'll have some time soon to fix the root cause, but for now, at least I can clean up the damage.

Oh, and to clarify, this generates the UPDATE statements, which you then copy,paste, and run to actually clean the database. When you are pissed about the fact that your db is hacked, you may not realize that at first in your moment of anger

By: This Month in the Threat Webscape – June 2010 | HackerSafe Security Related Blog for all

Thu, 29 Jul 2010 21:28:03 +0000

[...] 100k popular Web sites were compromised last month with a mass injection targeting IIS using ASP.net platform. The attack came from Chinese IP addresses and the injected iFrame led to a [...]

By: This Month in the Threat Webscape – June 2010 : CU*Secure

This Month in the Threat Webscape – June 2010 : CU*Secure — Sun, 11 Jul 2010 10:00:23 +0000

[...] 100k popular Web sites were compromised last month with a mass injection targeting IIS using ASP.net platform. The attack came from Chinese IP addresses and the injected iFrame led to a [...]

By: Adobe 0-day used in mass injections | HackerSafe Security Related Blog for all

Tue, 06 Jul 2010 20:24:13 +0000

[...] related to the hxxp://ww.robint.us/[REMOVED].js attack earlier this week that our friends at Sucuri blogged about, where the common theme was that all Web sites were running on Microsoft IIS and used [...]