Page 2 of 9 FirstFirst 123456 ... LastLast
Results 11 to 20 of 89

Thread: Thousands of sites infected - archive

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Full court press by RBN and Chinese hacks

    Have a look...

    Malicious site: MSNBC Sports compromised
    1- http://www.websense.com/securitylabs...hp?AlertID=848
    March 18, 2008

    Spammers using Google ads to redirect users to Malware:
    2- http://preview.tinyurl.com/2opnkh
    March 17, 2008 (McAfee Avert Labs)

    IFRAME redirects...
    3- http://www.networkworld.com/news/200...ve-iframe.html
    March 16, 2008 - "...Danchev* listed more than 20 sites that together account for more than 401,000 IFRAME-injected pages... he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors. Trace it back far enough, and the path leads to the Russian Business Network (RBN)..."
    * http://ddanchev.blogspot.com/2008/03...-injected.html
    March 12, 2008

    Shadowserver report: I/P in China serving malicious javascript...
    4- http://www.shadowserver.org/wiki/pmw....20080313#toc1
    March 13, 2008 - ...in conjunction/coordination with:
    4A- http://www.us-cert.gov/current/#sear...ection_attacks
    updated March 14, 2008
    4B- http://www.us-cert.gov/current/#webs...xploitation_of
    updated March 14, 2008

    (Multiple sites) ...getting RBN-ed
    5- http://ddanchev.blogspot.com/2008/03...ng-rbn-ed.html
    March 10, 2008 - "...The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware..."
    Example: http://ca.com/us/securityadvisor/pes...x?id=453119651

    More to come...

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation SQL-injection attacks...

    FYI...

    - http://www.symantec.com/avcenter/thr...earnabout.html
    (03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients.
    - A number of these attacks are currently being carried out. One attack involves a failure to sanitize cached search results, allowing malicious HTML to be injected into search result pages. This has affected a number of high-profile sites and has been thoroughly documented by the researcher who originally discovered the attacks: ( http://ddanchev.blogspot.com/2008/03...-injected.html )
    - Another attack is currently targeting servers running vulnerable ASP scripts that can be exploited through SQL injection to host malicious HTML code. The injected code references a malicious script... which in turn injects an IFRAME into the page to redirect users to a site that tries to exploit various known and patched vulnerabilities. This attack is believed to have affected over 15,000 pages, but the number of unique servers compromised may be far less.
    - Yet another large-scale attack involving SQL injection is targeting servers running PHPBB. This attack injects HTML code that loads a malicious JavaScript file from 'free.hostpinoy.com'. Reports indicate that this attack is much more prevalent, perhaps because of the ubiquity of PHPBB. Over 150,000 pages may be affected. Note again, however, that the number of unique servers compromised may be far less. In previously observed cases, over 5000 pages have been affected on a single domain. At the time of writing, most of the sites hosting the exploits or malicious JavaScript are down, but they may come back online at any time. Administrators are advised to audit their web services to ensure that no exploitable flaws exist in the publicly exposed scripts and that the latest versions are installed. Network admins are advised to block access to '2117966.net' and 'free.hostpinoy.com' at the gateway.

    Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
    - Run browser software with the least privileges possible.
    - Disable JavaScript, IFRAMEs, and ActiveX controls.
    - Enable OS security mechanisms such as Data Execution Prevention (DEP).
    - Ensure that browsing software is up to date.
    - Filter all web activity through security products such as an Intrusion Prevention system."

    EDIT/ADD: http://www.shadowserver.org/wiki/pmw...endar.20080320
    20 March 2008 - "...In our last post we mentioned the several thousands of websites that were SQL injected to reference malicious JavaScript code on 2117966.net. At the time we were actually just taking an educated guess that this was the result of SQL injection. However, it has since been confirmed... It turns out this is the same IP address that carried out the SQL injection attacks related to the uc8010.com incident*. Not very subtle are they? You might want to keep an eye out for the IP 202.101.162.73"
    * http://isc.sans.org/diary.html?storyid=3823

    (Please do NOT visit any of those IP's in the commentary - they all should be considered dangerous.)

    Last edited by AplusWebMaster; 2008-03-20 at 20:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #13
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation 4,500 different domains... 150 new domains each day

    FYI...

    - http://www.sophos.com/security/blog/2008/03/1243.html
    30 March 2008 - "...Our data for all records processed since March 1st 2008 (so approximately 4 weeks worth of data). The data reveals almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, approximately 150 new domains each day (and this is just what we are seeing)... For the 4,500 compromised domains, these targets fall into two categories:
    1. additional attack sites. Some other site which hits the victim with exploits.
    2. redirect or ‘control’ sites. Some other site, controlled by the attacker, which can be used to direct traffic (as discussed previously). Typically, these sites direct victims to one of several other attack sites (though there may be several redirects in use). There a number of prominent attacks visible in the data:
    * ~30% use a renowned attack site for installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
    * Tibs: over 10% are redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
    * Zbot: almost 10% load exploits intended to install a member of the Mal/Zbot family.
    * Gpack: approximately 5% point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.
    ....something recently talked about by Roger Thompson, on the Exploit Prevention Labs blog*... As speculated previously ( http://www.sophos.com/images/sophosl...008/02/map.png ), it is not unlikely that these sites could be used to make money by selling ‘traffic flow’ (attackers essentially paying for victims to be directed to their attack sites for a period of time)..."

    * http://explabs.blogspot.com/2008/03/gpack.html
    March 28, 2008 - "...It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that... while there is clearly more than one set of Bad Guys involved, most of them seem to being hosted by the same ISP, because the exploit IPs are similar..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #14
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation More compromised websites... with trojan

    FYI...

    Election time in Italy, complete with Trojan
    - http://preview.tinyurl.com/52adbn
    April 11, 2008 - "Symantec has been notified that the Web site ladestra.info, a site related to a right-wing Italian political party, has been compromised. The Web site is hosting a malicious iframe that leads to a typical browser exploit using the Neosploit tool, which forces an infected computer to install the newest version of Trojan.Mebroot. Using elections as a channel for spreading malicious code is something we have already seen (for example, Srizbi*) and it’s now election time in Italy as well, with the vote set to happen next Sunday and Monday, April 13th and 14th, 2008. Nonetheless, unless the Mebroot gang is interested in Italian politics, I do not believe the Web site has been compromised for political reasons. We have recently seen the group uploading malicious iframes** on many different Web sites for their purposes, with complete disregard for the content..."
    * http://preview.tinyurl.com/2349ds

    ** http://preview.tinyurl.com/yrxcym

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #15
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Malicious websites/code - UN and UK gov't sites compromised

    FYI...

    - http://securitylabs.websense.com/con...erts/3070.aspx
    04.22.2008 - "...malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related... In the last few hours we have seen the number of compromised sites increase by a factor of ten. This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on hxxp ://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here*... It appears that same tool was used to orchestrate this attack too. When we first started tracking the use of this domain, the malicious JavaScript was still making use of hxxp ://www.nmida[removed].com/... Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search... The number of sites affected is in the hundreds of thousands..."
    * http://isc.sans.org/diary.html?n&storyid=4294
    Last Updated: 2008-04-16 19:14:00 UTC

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #16
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Hundreds of thousands of SQL injections

    FYI...

    Hundreds of thousands of SQL injections
    - http://isc.sans.org/diary.html?storyid=4331
    Last Updated: 2008-04-24 19:36:50 UTC - "UPDATE.
    It is recommend that you block access to hxxp :/www .nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.
    1.js is the file they are currently injecting. That could change and has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many windows based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ it watches for passwords and passes them back to contoller’s ip.
    The crew over at shadowserver has published additional information related to SQL injected sites. They included the botnet controllers IP address 61.188.39.214 and a content based snort signature for the bot control traffic that is not ip dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
    http://www.shadowserver.org/wiki/pmw...endar.20080424
    http://www.shadowserver.org/wiki/pmw...endar.20080313
    They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of “trusted website”. or "safe sites".
    The register covered it stating their search returned 173k injected results:
    http://www.theregister.co.uk/2008/04...ss_web_attack/
    The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more then one time.
    Lou a self described “accidental techie” has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Data..._23337211.html
    Websense has good information on it here:
    http://securitylabs.websense.com/con...erts/3070.aspx
    We covered the injection tool, the methods to prevent injections and other details here:
    http://isc.sans.org/diary.html?storyid=4139
    http://isc.sans.org/diary.html?storyid=4294 ..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #17
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI... (DO NOT visit the the sites mentioned in the commentary as you are very likely to get infected - BLOCK them, but don't go there.)

    - http://www.f-secure.com/weblog/archives/00001427.html
    April 24, 2008 - "...As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera. Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls... It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code. So far three different domains have been used to host the malicious content — nmidahena .com, aspder .com and nihaorr1 .com. There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them.
    So what should you do?
    - First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected.
    - Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there.
    - Third, block access to the sites above.
    - Fourth, make sure the software you use is patched...
    - Fifth, keep your antivirus solution up-to-date."

    (Note: per http://www.shadowserver.org/wiki/pmw...endar.20080424 : "...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones... it most likely won't take too long for others to catch on and possibly conducting even more nefarious activities. If your site has fallen victim to one of these attacks, it's not just important you remove the offending injections, but it's even more important you fix the SQL injection attack vector. If you do not, your website will continue to be vulnerable to similar or worse attacks.")

    (...where the other factors enter in)
    - http://preview.tinyurl.com/6c8bet - 04/24/2008 (Networkworld) - "... SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious -iFrames- in them... Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #18
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    For clarification:

    (Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

    >>> http://www.f-secure.com/weblog/archives/00001427.html
    April 24, 2008 - "...So far three different domains have been used to host the malicious content
    — nmidahena .com*, aspder .com and nihaorr1 .com.
    There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them..."

    4.26.2008 - NOW
    - http://centralops.net/co/DomainDossier.aspx
    aspder .com ***
    aliases
    addresses 60.172.219.4
    country: CN
    -------------------
    nihaorr1 .com ***
    aliases
    addresses 219.153.46.28
    country: CN
    -------------------
    nmidahena .com *
    Could not find an IP address for this domain name.
    ....................
    * (Note: per http://www.shadowserver.org/wiki/pmw...endar.20080424 : "...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones...)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #19
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation SQL Injection Worm on the Loose

    FYI...

    - http://isc.sans.org/diary.html?storyid=4393
    Last Updated: 2008-05-07 05:12:53 UTC - "A loyal ISC reader... wrote in to point us at what looks to be a SQL Injection worm that is on the loose. From a quick google search it shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well. The details, the script source that is injected into webpages is hxxp ://winzipices .cn /#.js (where # is 1-5). This, in turn, points to a cooresponding asp page on the same server. (i.e. hxxp :// winzipices .cn/#.asp). This in turn points back to the exploits. Either from the cnzz .com domain or the 51 .la domain. The cnzz .com (hxxp ://s141 .cnzz .com) domain looks like it could be set up for single flux, but it's the same pool of IP address all the time right now. hxxp ://www .51 .la just points to 51la .ajiang .net which has a short TTL, but only one IP is serving it.
    Fair warning, if you google this hostnames, you will find exploited sites that will try and reach out and "touch" you... even if you are looking at the "cached" page. Proceed at your own risk.
    UPDATE: We're also see this website serving up some attacks in connection with this SQL Worm
    (hxxp ://bbs .jueduizuan .com)"

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #20
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation New SQL Injection Attacks and New Malware: winzipices .cn

    FYI...

    - http://www.shadowserver.org/wiki/pmw...endar.20080507
    7 May 2008
    "Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google. ISC has also has a short diary today mentioning this attack here. It turns out this is also something we have been taking a look at now for a few days. With that being said, we would like to share some information that can help protect end users and organizations. It would appear that our attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, we do know that the malware and malicious file trail here are different than the last few attacks. If your websites has been hacked or you are visiting a hacked website, you will find something like this in your HTML source in the page you visit:
    "<script src=hxxp ://winzipices .cn/ 5.js></script>"
    It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn have hidden iframes...
    Malware Binaries:
    File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe)
    File Size: 28301 bytes
    File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe)
    File Size: 38400 bytes
    Protection & Detection
    As always we recommend that you block access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. Of course being up-to-date on your patches can also go a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:
    -winzipices.cn [60.191.239.229]
    -61.188.38.158
    -61.134.37.15
    Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It's also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •