I got an email from a reader who noticed some very odd errors happening in his web site's global error handler. Fortunately she was using ELMAH for error handling, which as you may know, is a JOY.
She was seeing:
Access to the path 'C:\Windows\security\database\secedit.sdb' is denied
Well, that's enough to make your heart skip a beat.
She looked around and found a file simply named "list.aspx" that she didn't recognize. The weird part was that this file was in the /uploads folder. That's where users can upload files with her particular CMS.
The list.aspx even has authors listed. Perhaps for their LinkedIn page?
Thanks Snailsor,FuYu,BloodSword,Cnqing,
Code by Bin
Make in China
I won't list the full list.aspx here, but rather call out some highlights of this clear malware.
It had a LOT of spaces in the opening of the file.
Meaning, they were assuming you wouldn't scroll down. Seriously. Oddly, though, it was spaces, not carriage returns. Note Line 23 never ends. It's SUPER long.
It pointed to a lot of (comparatively) unusual domains
It had links inside to things like
- www.rootkit.net.cn
- r57c99.com
Note that the second one actually serves malware and bad JavaScript, so avoid it.
It's a whole admin console for a bad guy to attack your computer
This file actually has a dropdown with "Please select a database" with values like (this is just a taste):
- Use master dbcc addextendedproc('sp_OACreate','odsole70.dll')
- select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb
- c:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
- Exec master.dbo.xp_cmdshell 'net user'
- EXEC sp_configure 'xp_cmdshell'
They're going for complete control of the system, and this file is just the start.
It serves JavaScript from elsewhere
This bad aspx file also tries to bring in some bad JS from the second domain above.
That JavaScript tries to bring in even worse JavaScript from another location via an indirection. I won't even list these bits for fear that I'll get blocked for serving it!
The root of all of this is: Don't let users upload and execute code.
A fix for arbitrary code execution in user upload folders
What was the fix? Well, certainly not allowing someone to upload a file with a .aspx or .php extension for one, but also to mark the entire uploads folder as not executable! Here is the updated web.config:
I'm not a security expert, but I'd love to hear from YOU, Dear Reader, and some of the crazy stuff you've discovered on systems you manage.
© 2014 Scott Hanselman. All rights reserved.