Threat Level: green Handler on Duty: Richard Porter

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free! mass ASP/SQL injection

Published: 2008-03-14
Last Updated: 2008-03-17 14:59:16 UTC
by Kevin Liston (Version: 5)
2 comment(s)


Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on The malicious website attempts to exploit the vulnerability described in MS06-014 MS07-004, MS06-067, MS06-057and a number of ActiveX vulnerabilities.

Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.

Recommended immediate action:

Block at your web proxy.

Recommended follow-up action:

Inspect your web proxy logs for visitors to This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to
(Source: Search your proxy logs for systems generating those requests and reimage the infected machines.

Protecting Browsers:

A properly-patched system should not be at-risk from this attack.  It is recommended to use a browser that does not support ActiveX.  Use of javascript controls such as NoScript are also effective.

Protecting Webservers:

The CSS Security Team as Microsoft has released details on how the code was injected into the servers.  It's an automated script that exploits poor input-checking code in the ASP page.

A more rigorous description and how to protect your ASP from SQL injection is available here:


Update: Added additional exploit information

Update: Clarify that shadowserver is not the endpoint of the malicious traffic-- they provided that malware analysis (thanks guys)

Update: this was misidentified as an iframe injection when in fact it was a javascript link  on the altered ASP pages. 

Update: MS fills in the blanks on how the code was injected.

Keywords: SQL Injection
2 comment(s)
Diary Archives