tag:blogger.com,1999:blog-8539880144347728238.post9143230724205909839..comments2009-03-24T04:43:28.511-04:00CGhttp://www.blogger.com/profile/11061967917509053185noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-8539880144347728238.post-2930057772241940012008-09-06T08:26:00.000-04:002008-09-06T08:26:00.000-04:00I noticed the exact same string on my web site's logs. I was actually looking at the logs at the time it happened with the "tail -f". I dropped the GET into the burp suite's decode tab and saw the .cn urls. Dropped those urls into Serversniff.net's File-Info tool and checked out each of the subsequently linked files one at a time just like you did. The thing that was my saving grace was a properly configured mod_security suite along with the excellent .htaccess file done by Ronald of 0x000000.comMubixhttp://www.blogger.com/profile/08706151795678283675noreply@blogger.comtag:blogger.com,1999:blog-8539880144347728238.post-73140202719312650052008-09-02T11:54:00.000-04:002008-09-02T11:54:00.000-04:00This was the same injection string that was used on the three sites that I did the I.R. for. <BR/><BR/>The Asprox/Danmec bot was the source of the SQLi. I needed to use the same SQLi vector to clean the database. The #$%# database admin was MIA and none of the clients had access to the database. At least they eventually fixed the code in their sites.<BR/><BR/>I'm not sure if this one is Asprox/Danmec though. The .js does not look to be one of the current ones in use by the bot. This looks to be linked to a Chinese malware site. <BR/><BR/>/deandeanhttp://www.blogger.com/profile/13744345182407258839noreply@blogger.com