ASPROX SQL Injection Attacks - Block them using a Cisco router
Posted by: Rich in Config. Guides, Security BulletinHere is an interesting one.
Basically, the ASPROX SQL Injection attack appears to be quite commonplace at the moment, but also quite serious.
To cut it short, there is a 20,000 strong botnet out there trying these attacks against websites which use .asp.
The tool actually uses google to search for these sites and then attempts to exploit them by inserting an HTML iFrame which downloads a malicious Java Script which then installs a Trojan.
Carry on reading to find out how to block this on a Cisco router!
The config is as follows, please bare in mind that you will probably need a reasonably specced router and IOS for this. IP CEF is a pre-requisite. I have tested this on 7200 series, 1700 series and 2600 series so far, leave a comment if you have sucessfully tried this on another router!
Config:
The below access list and route-map is used to take any packets that have been tagged with a DSCP value of 1 and route them to a non-existant interface. You will learn how to tag them below!
access-list 130 permit ip any any dscp 1
route-map ASPROX_POLICY_ROUTE_BITBUCKET permit 10
match ip address 130
set interface Null0
The below class-map basically tells the router that we want to match when a specific string is seen in a URL. In this case, the string is part of the get request that the attack uses. Note the “\” which are needed before any bracket as a delimiter!
class-map match-any ASPROX_CLASS
match protocol http url “*DECLARE%20@S%20VARCHAR\(4000\);SET*”
The Policy-map below basically tags any packet matching the above class-map with a DSCP value of 1.
policy-map ASPROX_POL
class ASPROX_CLASS
set ip dscp 1
The rest of the config attaches both the route map and the Service policy to the interface.
Interface FastEthernet0/0
ip policy route-map ASPROX_POLICY_ROUTE_BITBUCKET
service-policy input ASPROX_POL
To confirm that this is being hit you can do a “show policy-map interface” on the router. You should see the packets incrementing. This of course assumes that you are actually seeing the traffic 
If not, you could craft the URL yourself to confirm. So, taking this site as an example it would be:
www.cisconews.co.uk//?DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
You should then see the packets increment.
Bare in mind that Microsoft released a tool to audit your source code for these vulnerabilities:
http://support.microsoft.com/kb/954476
Let us know if this was of any use to you in the comments!
Entries (RSS)
July 30th, 2008 at 10:57 pm
This virus took my site offline for 3 weeks and I had to seek an internet security company to fix my site.
It cost me £50 but well worth it after the hastle I have had!!
Hope this helps others:
http://www.firestorm-online.com/trojans/asprox/
August 3rd, 2008 at 11:45 am
[...] - bookmarked by 4 members originally found by nipunthebest on July 17, 2008 ASPROX SQL Injection Attacks - Block them using a Cisco router http://cisconews.co.uk/2008/07/09/asprox-sql-injection-attacks-block-them-using-a-cisco-router/ - [...]
May 1st, 2009 at 2:38 am
You know, the thing about SQL is, that there is virtually nothing that can replace it.
Does anyone know if a substitute exists for sql? I mean besides MS SQL and Oracle and all that jazz. Thanks.