List of malicious domains inserted through SQL injection

Published: 2008-05-20
Last Updated: 2008-05-20 16:55:25 UTC
by Raul Siles (Version: 3)
0 comment(s)

One of the main attack vectors we have seen during the last few years is the "silent" Web defacement, typically a redirection to malicious JavaScript code that is inserted into the contents of Web pages using iframes, images, or other HTML tags. As lots of Web servers get their contents (or part of them) directly from a database, SQL injection vulnerabilities are widely exploited to insert the malicious references. You can find some of the previous related ISC diary entries here (by using Google).

Unfortunately, there is no silver bullet method to identify whether a Web site (Web server or database) has been infected with new HTML tags, because complex Web environments typically contain hundreds of scripts, redirections and references. One way of checking whether a Web site is vulnerable and has been compromised is to search for the specific malicious domains hosting the JavaScript that the inserted references point to. We always try to emphasize these malicious domains in the diary entries so that you can search for or even block them.

Mike Johnson from Shadowserver has published a list of domains used in past and recent massive SQL injections that insert malicious JavaScript into websites. The list is focused only on mass SQL injection attacks, and does not replace other generic malware lists such as www.malwaredomainlist.com or malwaredomains.com. Mike plans to maintain this list as we come across new domains over time. The list also contains an estimate of the current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource, and I encourage you to check whether you can find references to any of these domains in:

  • Your Web server contents (static contents and database), meaning the server has been compromised and you need to clean it up and fix the vulnerability originally used by the attackers to insert the redirection tags.
  • Your network traffic, meaning your clients are accessing compromised Web servers and are being redirected to the malicious domains. These domains typically try to exploit vulnerable client-side software, so if your clients are not thoroughly updated, there is a higher chance that some of them have been compromised.
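As an added example (not code from the diary or from Shadowserver), a small Python script that runs both checks offline against constructed inputs: it extracts src/href values from script, iframe and img tags in page or database-dump text and flags those whose host is a listed domain or a subdomain of one, and it applies the same test to the requested URL in "time client url" proxy log lines. The one-entry blocklist (the domain quoted later in this diary), the tag regex and the log format are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical blocklist for the demo: the one domain quoted in this diary. In practice,
# load the Shadowserver list (or another feed) into this set.
MALICIOUS_DOMAINS = {"nihaorr1.com"}

# src/href values of script, iframe and img tags, the tags the diary says attackers inject.
TAG_RE = re.compile(
    r"<(?:script|iframe|img)\b[^>]*?\b(?:src|href)\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def hostname(url):
    """Lower-cased host of a URL (scheme-less values are treated as http)."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else ""

def is_listed(host, blocklist=MALICIOUS_DOMAINS):
    """True if host is a listed domain or a subdomain of one (not a look-alike suffix)."""
    return any(host == d or host.endswith("." + d) for d in blocklist)

def find_references(html, blocklist=MALICIOUS_DOMAINS):
    """URLs in injected-style tags that point at a listed domain (check 1: server contents)."""
    return [u for u in TAG_RE.findall(html) if is_listed(hostname(u), blocklist)]

def find_in_log(lines, blocklist=MALICIOUS_DOMAINS):
    """(client, url) pairs from 'time client url' proxy lines hitting a listed domain (check 2)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_listed(hostname(parts[2]), blocklist):
            hits.append((parts[1], parts[2]))
    return hits

# Constructed sample inputs: a page with one injected script tag and a three-line proxy log.
SAMPLE_HTML = """<html><head><script src="/js/app.js"></script>
<script src="http://www.nihaorr1.com/1.js"></script></head>
<body><img src="https://cdn.example.com/logo.png" alt="logo"></body></html>"""
SAMPLE_LOG = [
    "1211300000 10.0.0.7 http://www.example.com/index.html",
    "1211300001 10.0.0.5 http://www.nihaorr1.com/1.js",
    "1211300002 10.0.0.9 http://nihaorr1.com.example.org/",  # look-alike, must not match
]

if __name__ == "__main__":
    print("server contents:", find_references(SAMPLE_HTML))
    print("network traffic:", find_in_log(SAMPLE_LOG))
```

Point find_references at your exported pages or a dump of the text columns the site renders, and find_in_log at proxy logs normalised to the three-field layout.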

If you know about any other similar resource, or additional domains hosting (or that have hosted in the past) malicious code used in SQL injection attacks, please contact us.

UPDATE: We have been notified by one of our readers, thanks Steve, about some security filtering solutions, in this case based on ClamAV, blocking some of the aforementioned malicious domains.

There is another simple method based on Google you can use to check whether your domain has been compromised and malicious JavaScript references have been inserted into your Web contents. Simply search for any of the domains in the list, adding Google's "site:" directive to specify your own domain. You can automate the process to go through all the domains in the list, but remember to follow Google's API rules for multiple searches. For example, search for:

www.nihaorr1.com site:yourdomain.com

This method can also help you get an estimate (based on Google's stats) of the number of times the malicious JavaScript reference has been included in your Web contents.

--
Raul Siles
www.raulsiles.com


Java 6 Update 6 has been released

Published: 2008-05-20
Last Updated: 2008-05-20 16:38:26 UTC
by Raul Siles (Version: 2)
4 comment(s)

Sun has released Java 6 Update 6, including 13 bug fixes. At first glance, going through the Release Notes, only one of them seems to be security related, but as always, it is recommended to update to the latest version (after appropriate testing).

You can check your current Java version here. Thanks Roseman for the heads up!

The update is still in the process of showing up through the standard Sun update mechanism. I have tested and run "C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe" and it still says I have the latest Java version.

IMPORTANT: Remember, as always, to manually uninstall any previous Java versions.

--
Raul Siles
www.raulsiles.com

Keywords: java

Podcast Episode Four has been released

Published: 2008-05-20
Last Updated: 2008-05-20 15:17:36 UTC
by Joel Esler (Version: 1)
0 comment(s)

Morning everyone,

Just a quick note to let everyone know that we put out Podcast Episode 4 this morning.  Just a few announcements at the beginning, and then I put the audio for May's Monthly "Reboot Wednesday" Podcast that we do through SANS on after that.  We'll be recording Episode five next week.  We'll let you know when it's out!

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.

Thanks!

--

Joel Esler

http://www.joelesler.net

Keywords: podcast
