Warning, new nasty worm on the loose, be very careful

Hi folks 

Raise the alarm, it seems a nasty new worm is on the loose. Sadly it is too late for me: my SQL database has been infected twice in the past ten days, and even though I have some backups, I lost some data :-(

I identified the culprit as Jpdog.3322, and it comes as JavaScript code. Now it's a really serious thing: last week when I googled it, I had 6 pages of results; today there are more than 11000 results, and it is still growing strongly. If you search for it, you will see that nobody has really offered a remedy so far to eradicate this stuff. Most of the results I can find are lots and lots of affected websites. I have no clue how to escalate the issue to Microsoft. I tried with Symantec and Avast but so far no reply. Our databases were damaged: the worm has modified the content of most of the text fields, making the data totally useless. I was thinking first of a flaw in IE, but for this project my users are required to use Firefox only. I then thought about SQL injection, but this is quite unlikely given the way the data is managed. The SQL Server 2005 software runs on Windows 2008 Server.

The origin of this is not clear, but it all looks to lead back to China.


Thanks for the help if you have any clue. I will surely secure my database more; not sure if I can get rid of the sa login at all? My users are logged in under another account anyway, but be very careful.

It looks innocent at first, but it could make your data totally obsolete, or even worse, spread around without your knowledge. Great, now I am stuck with a big issue just before Christmas, not cool :-(

UPDATE: I am now using the URLScan filter from Microsoft, which should be part of the default IIS in my opinion.

Check here for this tool


13 Comments

  • Hey

    Check through your IIS log files and search for any clues. A while ago I was dealing with an attack similar to the one you describe. After searching through the server's IIS log files I found a strange looking Hex string that was passed to the server side script as a querystring parameter. Once decoded the string was actually a query that iterated through each table in the database searching for text fields. Any text fields found were injected with malicious content. The system was an old asp site and did not have any safeguards against SQL injection attacks.

    Hope this helps.

  • Last I saw this worm, it was a SQL injection attack, and it did append the data to every text field in the database.

  • Do you think this is something that Server.HTMLEncode() might get rid of?

  • Rohalnd, I checked the logs and didn't find anything. How is it possible to enter a hex querystring? It's surely from an outside attack, no?

    Darren, I agree it's surely some SQL injection attack, but I believe this time it's going directly to the SQL Server box itself, exploiting some flaw. Only one of my databases has been attacked so far, so I don't really know what to do.

    James, I use Server.HTMLEncode too, but nothing has really been blocked. It's really difficult to control every single query from a portal site!

  • By the way, I forgot that on this project I am using only stored procedures and a bit of LINQ to SQL, no built queries at all.

    Now also look at a Google search for Jpdog; you will see that a number of genuine websites have been infested. Last week it was only a handful of them, today it's really alarming!

  • I think it's a SQL injection as well. I've seen several attacks like this (or attempts, at least). On my sites I email myself whenever a funky URL causes some problems, so I get to see these often. I would search for every possible way it could've got in; maybe you missed a spot. Even if it's a stored procedure, it can still run dynamic queries. You can also try a security audit company. They usually bombard your site with exploits -- maybe they'll be able to find something. Good luck.

  • Yep, sounds like SQL injection to me. Are all of your stored procedures using parameters? Any dynamic SQL within the stored procedures? Have you checked the transaction logs from your SQL Server to see if they point to how the update occurred?

  • If you cast the hex back to nvarchar in SQL Query Analyzer, you will see that it's an injection attack that requests table structure metadata from your database.

    Sounds like you are not checking your query strings for dangerous characters and not escaping the single quotes etc...

  • One guess -- it might be a cookie/referrer injection attack. I thought we had our site pretty well locked down for regular sql insertion attacks (i.e., through common webform fields and URL strings), but fell victim to this. Double-check that you are filtering cookie values and/or useragent values, if you are storing them in a database. EVEN if you do your own writing of those values (because they can be changed manually mid-stream.)
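Pulling together the first comment (a long hex string passed as a querystring parameter that decodes to a T-SQL batch), the comment about casting the hex back to nvarchar, and the comment above about cookie and User-Agent values, here is an added example of a small detection script for IIS W3C logs. It is not code from the original post or from any of the commenters. It assumes a particular `#Fields` order (the `FIELDS` list), and every log line and payload in it is constructed, with placeholder SQL in the hex literals rather than a real attack string.

```python
"""Scan IIS W3C log lines for hex-encoded SQL injection attempts.

Added example, not from the original post. The log field layout, the sample
lines and the placeholder payloads below are all constructed assumptions."""
import re
from urllib.parse import unquote_plus

# Assumed #Fields order of the log; match it to the header of your own log file.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Cookie)",
          "cs(Referer)", "sc-status"]
# Attacker-controlled fields that an application might store or concatenate.
WATCHED = ["cs-uri-query", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)"]

# A 0x literal of 16+ hex digits is far longer than any legitimate id value.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{16,})")
SQL_MARKERS = re.compile(
    r"\b(DECLARE|CAST|EXEC|UPDATE|CURSOR|sysobjects|syscolumns)\b", re.I)


def decode_hex_literal(hex_digits):
    """Turn the digits of a 0x... literal into text, trying UTF-16LE first."""
    if len(hex_digits) % 2:            # stray trailing nibble, drop it
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    # nvarchar payloads are UTF-16LE, so ASCII text has a NUL in every odd byte
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")       # varchar payload, one byte per character


def parse_line(line):
    """Split one W3C line into a dict keyed by the assumed FIELDS order."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def scan(line):
    """Return (field, encoding, decoded_text) triples for suspicious content."""
    rec = parse_line(line)
    findings = []
    for name in WATCHED:
        value = unquote_plus(rec[name])   # IIS logs spaces as '+' and keeps %XX
        if SQL_MARKERS.search(value):     # injection written out in clear text
            findings.append((name, "plain", value[:80]))
        for m in HEX_LITERAL.finditer(value):
            decoded = decode_hex_literal(m.group(1))
            if SQL_MARKERS.search(decoded):   # injection hidden inside a hex literal
                findings.append((name, "hex", decoded[:80]))
    return findings


def scan_log(lines):
    """Yield (line_number, findings) for every line that has a finding."""
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):   # skip header lines
            continue
        hits = scan(line)
        if hits:
            yield n, hits


# --- constructed sample log; the hex literals hold placeholder SQL only ---
NVARCHAR_PAYLOAD = "DECLARE @t varchar(255) -- constructed placeholder"
VARCHAR_PAYLOAD = "SELECT name FROM sysobjects -- constructed placeholder"
NVARCHAR_HEX = NVARCHAR_PAYLOAD.encode("utf-16-le").hex()
VARCHAR_HEX = VARCHAR_PAYLOAD.encode("latin-1").hex()

SAMPLE_LINES = [
    # ordinary request
    "2008-12-18 03:55:01 10.0.0.5 GET /news.asp id=42 80 - 203.0.113.9 "
    "Mozilla/5.0+(Windows) ASPSESSIONID=abc123 http://example.test/ 200",
    # hex-encoded nvarchar batch appended to the id parameter
    "2008-12-18 03:57:12 10.0.0.5 GET /news.asp id=42;EXEC(CAST(0x" + NVARCHAR_HEX
    + "+AS+NVARCHAR(4000)))-- 80 - 198.51.100.7 Mozilla/4.0 - - 200",
    # same trick carried in the User-Agent header instead of the URL
    "2008-12-18 03:58:40 10.0.0.5 GET /news.asp id=7 80 - 198.51.100.7 "
    "Mozilla/4.0';EXEC(0x" + VARCHAR_HEX + ")-- ASPSESSIONID=def456 - 200",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LINES):
        for field, enc, text in hits:
            print(f"line {n}: {field} [{enc}] {text}")
```

Run against a real log by replacing `SAMPLE_LINES` with `open(path)` and editing `FIELDS` to match the `#Fields:` header of that file; the third sample line is the case the comment above describes, where the injection never touches the query string and only shows up if the User-Agent and Cookie columns are logged and scanned too.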

  • We're experiencing this issue on our databases as well. Eek.

  • My company has been hit, too. If anyone discovers what the vulnerability was or any more information, please pass it on.

  • Very, very interesting; waiting for more info on how it manages to spread so fast.

  • We got the same attack. Luckily, only one table used for logging was infected. Yesterday afternoon (Dec 18th, 2008), I cleaned up the table and logging seemed OK (no script injection). However, this morning, every record before 04:00 am was infected.

    Now, I'm not sure if the virus/worm is still inside the server or something used SQL injection during that time.
