Thousands of sites infected...
Automated SQL injection attacks...
WordPress injection attack
03.09.2010 - "... Websense... has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations... the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack... WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009)... The ultimate purpose of the attack is all about making money, as Sophos has already investigated*... These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities... Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here**, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities... WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation..."
(More detail and screenshots available at the Websense URL above.)
Mass Infection of IIS/ASP Sites
Last Updated: 2010-06-09 19:01:51 UTC - "Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated. For those who are hosting their websites on Windows IIS/ASP you may find more information here:
June 8, 2010 - "... sites have been hacked in the last day with a malware script pointing to
http ://ww.robint .us/u.js. Not only small sites, but some big ones got hit as well..."
Update: Paul at Sophos logs has released some additional information regarding this exploit and infection. Thanks Paul.
SQL injection attacks...
9 June 2010 - "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out..."
Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
9 June 2010
June 8, 2010
Adobe 0-day used - mass injections
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."
(Screenshots and video available at the Websense URL above.)
Flash v10.1.53.64 update
June 11, 2010
"... The last time Google visited this site was on 2010-06-13, and the last time suspicious content was found on this site was on 2010-06-13. Malicious software includes 8 scripting exploit(s), 1 trojan(s), 1 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 185 domain(s)..."
June 15, 2010 - "... Where's the mass SQL injection attack connection? Within AS42560*... part of the campaign... Detection rate: - urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)... AS49087, Telos-Solutions-AS..."
AS 42560 - BA-GLOBALNET-AS GlobalNET Bosnia
AS 49087 - TELOS-SOLUTIONS-AS Telos Solutions LTD
June 14, 2010
Mass infection of websites
August 24, 2010 - "Drive-by-downloads that use exploits to infect the visitor of a website are a very popular distribution method for malware authors. In the last days we detected thousands of websites which are infected with a hidden, invisible iframe. Searching for similar iframe infections shows that Google lists about 47,300 hits. The target server and script this iframe points to are currently offline; the injection scripts of the malware authors may be inactive at present. Some of these infected sites had more than one iframe injected into them though. They were infected with three or more scripts which all point to Russian servers. This looks like a mass infection of websites which are created with a certain content management system (CMS). Usually, such mass infections are done with so-called SQL injections through security holes in these CMSes. Website administrators should always take care to have the latest version of their CMS and the needed scripting languages like PHP and Perl installed so that such mass SQL injections don't have a chance. The malware authors didn't take the effort to properly track their infections, as the observation of multiple injections with the same iframe shows..."
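The two recurring symptoms in the reports quoted above (a `<script src=...>` tag pointing at the sinkholed robint.us domain, and invisible iframes injected into page content or database fields) can be checked for mechanically. The scanner below is an added example written for this thread, not code from Websense, Sucuri, Sophos or any other source quoted here. It uses only the Python standard library; `SUSPECT_DOMAINS`, `scan_html` and the sample HTML are this example's own constructions, with the robint.us domain taken from the posts above and `example.invalid` standing in for any other host.

```python
"""Flag injected script tags and hidden iframes in HTML (added example).

Run it over rendered pages or over text pulled from CMS database fields
(post bodies, widget text, etc.); the mass injections described in this
thread landed in both places.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the quoted reports; in practice load a current blocklist.
SUSPECT_DOMAINS = {"robint.us"}


def _on_suspect_list(host: str) -> bool:
    """Match the host itself or any subdomain of a listed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def _tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (px), a common hiding trick."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs: dict) -> bool:
    """True if an iframe is hidden via CSS or by being 1x1/0x0 in size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


class InjectionScanner(HTMLParser):
    """Collects (kind, src) findings while the HTML streams through."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            host = urlparse(a["src"]).hostname or ""
            if _on_suspect_list(host):
                self.findings.append(("script", a["src"]))
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))


def scan_html(html: str) -> list:
    """Return a list of (kind, src) tuples for suspicious tags in html."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one injected script, one hidden iframe, two benign tags.
SAMPLE = """<html><body><p>Welcome</p>
<script src="http://ww.robint.us/u.js"></script>
<iframe src="http://example.invalid/x" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://example.invalid/video" width="600" height="400"></iframe>
<script src="/js/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE):
        print(f"{kind}: {src}")
```

A hit on `script` is a strong indicator only for the domains you list; a `hidden_iframe` hit needs a human look, since legitimate tracking pixels and embeds are also sometimes sized 1x1. Running the same function over every text column in the CMS database, not just over served pages, catches injections that a web-scale search like the Google counts quoted above would miss once the remote script goes offline.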
Websense in error blaming WordPress ...
November 15, 2010 - "In Websense's 2010 Threat Report they listed WordPress Attacks as one of the significant events of the year**... The hacks they refer to were actually hacks that targeted hosting providers that would allow malicious code to be added to websites hosted with the provider whether they were running WordPress, other software, or no software at all. In most of the hacks the malicious code was placed in all files that had a .php extension. WordPress, by the nature of being the most popular web software, was the most often affected, but all web software that has files with a .php extension was also affected. In other cases the hacks targeted database fields specific to WordPress, but they could have affected any other software that utilized a database if the hacker had chosen to target them instead of WordPress. Websense is not alone in making these false claims; other supposed security experts also made similar claims and some hosting providers have attempted to lay blame on WordPress. Network Solutions was the only one to later apologize for blaming WordPress...*"