|
Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html - link removed...it triggers some Anti-virus. Update: Paul at Sophos logs has released some additional information regarding this exploit and Infection. Thanks Paul. http://www.sophos.com/blogs/sophoslabs/?p=9941 Deb Hale Long Lines, LLC |
Deborah 272 Posts ISC Handler |
| Reply Subscribe |
Jun 12th 2010 7 years ago |
|
This is the same malware as here http://www.sophos.com/blogs/sophoslabs/?p=9941
and yes I am the author :) Paul Baccas SophosLabs |
Anonymous Posts |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Would someone pls clarify:
ww-dot-robint-dot-us -OR- www-dot-robint-dot-us // BLOCK which? or both? |
Jack 160 Posts Posts |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Never mind...
- http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/ "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out.." |
Jack 160 Posts Posts |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers - http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100609 9 June 2010 . |
Jack 160 Posts Posts |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Please keep in mind that the IIS/ASP server is still vulnerable to the same type of attack. It's not a problem with IIS or ASP, but with the actual code "in" the ASP page.
In the below example from http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html, the field "utm_content" on the page "page.aspx" is the one that allowed the SQL injection to take place (output of IIS log truncated for readability): 2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe% |
Anonymous Posts |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Block Both one redirects to the other.
|
Deborah 272 Posts Posts ISC Handler |
| Reply Quote |
Jun 9th 2010 7 years ago |
|
Adobe 0-day used - mass injections
- http://community.websense.com/blogs/securitylabs/archive/2010/06/11/adobe-0-day-used-in-mass-injections.aspx 11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers." (Screenshots and video available at the Websense URL above.) Flash v10.1.53.64 update * Direct download current version - executable Flash Player installer... For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe For Firefox, other browsers: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe . |
Jack 160 Posts Posts |
| Reply Quote |
Jun 12th 2010 7 years ago |
|
I wrote a detailed analysis here, including tools used, attacker group, etc: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html
|
Anonymous Posts |
| Reply Quote |
Jun 14th 2010 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!
