n.uc8010.com real exploit hack via SQL Injection

January 7, 2008

[DISCLAIMER: The Author accepts no responisbility for the use/misuse of this information – it was written to help fix the damage cause by the hacking robot with ip:, it may come in various forms. This document describes the form of hack that I investigated]
    n.uc8010.com Real Exploit Hack – how it happened and how to fix it
      Thousands of sites have been hacked already and many people are wondering what the n.uc8010 script hack does and how they were infected.  basically every peice of text in your database now has a javascript tag appended on it that instructs the browser to executed the script at n.uc8010.
        What does the script do? is it dangerous? (VERY LIKELY!)
          The script tag points to a script sitting on a hacking server that contained amongst other aribitrary files (to throw off the investigator) a malicious javascript script that takes advantage of a flaw in the way Real Player is able to import media files with information embedded in them.
            This attack has been called EXPL_REALPLAY.H or RealPlayer Exploit and
            probably many other names.
            If the correct payload is inserted into the Real Player these insructions
            can actually execute on the clients computer – it is still uncertain as to
            what is possible here and what these instructions do.
            Basically in the script a big block of unknown instructions that is used in the buffer overflow that is run on the clients computer if he has a vulnerable version of Real Player. Since these are machine instructions its extreemly difficult to determine what it actually does.
            For more information about Real Player Exploit:
            http://www.symantec.com/enterprise/security_response/ (next line)
            The script also puts a cookie on your computer “Lin”, it knows then that your computer has run the infection attempt and also someone else might look for this cookie to see if you are vulnerable.
              How did the script get into your database? 
                The sites are was hacked by hacking robot by means of a SQL Injection attack, which executes an iterative SQL loop which finds every normal table in the database by means of looking in the sysobjects table and then appends every text column with the harmful script.
                  Its possible that only Microsoft SQL Server database were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains.
                    How to fix things?
                    0. Take any infected pages of your site offline immediately
                    1. Find out where and when the hack happened .
                    2. Find all pages on your site that are vulnerable to SQL Injection and fix them, only one vulnerable page is needed to corrupt your data.
                    3. Rollback your database to prior to the hack.
                    4. Anyone who has the vulnerable version Real Player on their computer should install the Real Player patch to stop their Real Player getting exploited and make sure they got a good virus checker – eg. AVG or any other good brand.
                      I considered making a page that used the viruses logic to look for those users with vulnerable versions of real player and then alert the browser to go to the page that has the Real Player patch as well as reccommend that user has a virus checker running as he will likely be infected. Let me know if you would like to try this.
                        The above points in more detail:
                        0.  Anyone browsing your webpage ie your clients will download the script. If they have a vulnerable version of Real Player this could be harmful.
                        All your data is corrupted and your site is no longer functioning properly so it looks quite unprofessional.
                        1. You can find the point of attack by the first incidence of the
                        command in your HTTP logs open each day’s logs up and Search with Ctrl-F
                        until you find each one.
                        [If you are running IIS you can find your HTTP logs by opening up IIS 
                        IIS->Your_Web_Site(right click properties)->Web site(Panel)->~Active log format->Properties. 
                        Its usually is D:\logs\…]  
                        This will also show you which page was vulnerable altho you could have many others that will need to be fixed, its just this is the one the robot used.
                        2. Any pages where you simply take the url parameters in particular as well as form input and paste them into a SQL query that you construct will be vulnerable.  Read up on how to make your queries safe from SQL Injection. The general method is to replace harmful characters for example the semicolon and single quote and others. Although the best method is to use type safe stored procedures.
                        3. Rollback your database prior to this.

                        Rolling back your database without fixing all your SQL Injection vulnerable pages would mean you could be hacked any time, so fix the pages first and then rollback.

                          Please comment with any additional information or questions
                            “Repay no one evil for evil.
                            Have regard for good things in the sight of all men.
                            If it is possible as much as it depends on you live peaceably with all men, do not avenge yourselves, but rather give place to wrath; for it is written,
                            “Vengeance is mine, I will repay” says the LORD.
                            Therefore “If your enemy is hungry, feed him; If he is thirsty, give him a drink; For in doing so you will heap coals of fire on his head”
                            Do not be overcome by evil but overcome evil with good.”
                            – (Romans 12:17-21 – Paul, The Bible, NKJV)
                            – (Proverbs 25:21 – Solomon, The Bible, NKJV)