Results 1 to 6 of 6

Thread: Thousands of sites infected...

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Automated SQL injection attacks...

    FYI...

    Automated SQL injection attacks...
    - http://www.darkreading.com/shared/pr...leID=223100129
    Feb. 22, 2010 - "SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data... analysis of the Web Hacking Incidents Database* (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe* earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections... criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems... the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits..."
    * http://webappsec.pbworks.com/Web-Hac...ident-Database

    ** http://7safe.com/breach_report/Breach_report_2010.pdf

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation WordPress injection attack

    FYI...

    WordPress injection attack
    - http://securitylabs.websense.com/con...logs/3577.aspx
    03.09.2010 - "... Websense... has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations... the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack... WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009)... The ultimate purpose of the attack is all about making money, as Sophos has already investigated*... These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities... Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here**, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities... WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation..."

    (More detail and screenshots available at the Websense URL above.)

    * http://www.sophos.com/blogs/sophoslabs/?p=8498

    ** http://blog.novirusthanks.org/2009/1...-seo-strategy/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation 111,000 sites infected ...

    FYI...

    Mass Infection of IIS/ASP Sites
    - http://isc.sans.edu/diary.html?storyid=8935
    Last Updated: 2010-06-09 19:01:51 UTC - "Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated. For those who are hosting there websites on Windows IIS/ASP you may find more information here:
    - http://blog.sucuri.net/2010/06/mass-...robint-us.html
    June 8, 2010 - "... sites have been hacked in the last day with a malware script pointing to
    http ://ww.robint .us/u.js. Not only small sites, but some big ones got hit as well..."

    - http://nsmjunkie.blogspot.com/2010/0...infection.html

    Update: Paul at Sophos logs has released some additional information regarding this exploit and Infection. Thanks Paul.
    - http://www.sophos.com/blogs/sophoslabs/?p=9941

    SQL injection attacks...
    - http://www.theregister.co.uk/2010/06...ebpage_attack/
    9 June 2010 - "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out..."

    Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
    - http://www.shadowserver.org/wiki/pmw...endar/20100609
    9 June 2010

    - http://blog.scansafe.com/journal/201...njections.html
    June 8, 2010

    Last edited by AplusWebMaster; 2010-06-15 at 15:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #4
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Adobe 0-day used - mass injections

    FYI...

    Adobe 0-day used - mass injections
    - http://community.websense.com/blogs/...njections.aspx
    11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."

    (Screenshots and video available at the Websense URL above.)

    Flash v10.1.53.64 update
    * http://forums.spybot.info/showpost.p...0&postcount=52

    - http://www.theregister.co.uk/2010/06...ebpage_attack/
    11 June 2010 - "... The latest SQL injection attack pulls down a malicious javascript from 2677.in, which according to anti-virus firm Symantec*, downloads a serious threat dubbed “HTTP Microsoft IE Generic Heap Spray BO.” 2677.in was still active at time of writing..."
    * http://safeweb.norton.com/report/show?name=2677.in

    - http://blog.sucuri.net/2010/06/mass-...nyahoo-js.html
    June 11, 2010

    - http://google.com/safebrowsing/diagnostic?site=2677.in/
    "... The last time Google visited this site was on 2010-06-13, and the last time suspicious content was found on this site was on 2010-06-13. Malicious software includes 8 scripting exploit(s), 1 trojan(s), 1 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 185 domain(s)..."

    - http://ddanchev.blogspot.com/2010/06...d-malware.html
    June 15, 2010 - "... Where's the mass SQL injection attack connection? Within AS42560*... part of the campaign... Detection rate: - urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)... AS49087, Telos-Solutions-AS..."
    * http://stopbadware.org/reports/asn/42560
    AS 42560 - BA-GLOBALNET-AS GlobalNET Bosnia
    ** http://stopbadware.org/reports/asn/49087
    AS 49087 - TELOS-SOLUTIONS-AS Telos Solutions LTD

    - http://blog.webroot.com/2010/06/14/f...drops-trojans/
    June 14, 2010

    Last edited by AplusWebMaster; 2010-06-15 at 21:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Mass infection of websites

    FYI...

    Mass infection of websites
    - http://techblog.avira.com/2010/08/24...f-websites/en/
    August 24, 2010 - "Drive-by-downloads that use exploits to infect the visitor of a website are a very popular distribution method for malware authors. In the last days we detected thousands of websites which are infected with a hidden, invisible iframe. Searching for similar iframe infections shows that Google lists about 47,300 hits. The target server and script this iframe points to are currently offline; the injection scripts of the malware authors may be inactive at present. Some of these infected sites had a more than one iframe injected into them though. They were infected with three or more scripts which all point to Russian servers. This looks like a mass infection of websites which are created with a certain content management system (CMS). Usually, such mass infections are done with so-called SQL injections through security holes in these CMSes. Website administrators should always take care to have the latest version of their CMS and the needed scripting languages like PHP and Perl installed so that such mass SQL injections don’t have a chance. The malware authors didn’t take the effort to properly track their infections, as the observation of multiple injections with the same iframe show..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post Websense in error blaming WordPress

    FYI...

    Websense in error blaming WordPress ...
    - http://www.whitefirdesign.com/news/2...ress-hackings/
    November 15, 2010 - "In Websense’s 2010 Threat Report they listed WordPress Attacks as one of the significant events of the year**... The hacks they refer to were actually hacks that targeted hosting providers that would allow malicious code to be added to websites hosted with the provider whether they were running WordPress, other software, or no software at all. In most of the hacks the malicious code was placed in all files that had a .php extension. WordPress, by the nature of being the most popular web software, was the most of often affected, but all web software that have files with a .php extension were also affected. In other cases the hacks targeted database fields specific to WordPress, but they could have affected any other software that utilized a database if the hacker had chose to target them instead of WordPress. Websense is not alone is making these false claims, other supposed security experts also made similar claims and some hosting provider have attempted to lame blame on WordPress. Network Solutions was the only one to later apologize for blaming WordPress...*"
    * http://blog.networksolutions.com/201...not-the-issue/

    ** http://www.websense.com/content/thre...wordpress.aspx

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •