
Thread: Thousands of sites infected - archive

  1. #21
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    SQL injection attacks continue

    (Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

    SQL injection continues
    - http://www.f-secure.com/weblog/archives/00001432.html
    May 10, 2008 - "...The attacks have now started again, this time pointing to several different domains. During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
    yl18 .net
    www .bluell .cn
    www .kisswow .com .cn
    www .ririwow .cn
    winzipices .cn
    All of the domains above are pointing to IP addresses in China. Just like last time the scripts try to use several exploits to infect the user's computer."

    - http://blog.trendmicro.com/more-than...s-compromised/
    May 10, 2008 - "...some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites. Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program... In true ZLOB fashion, this variant poses as a video codec installer... These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats..."

    Last edited by AplusWebMaster; 2008-05-10 at 22:42.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    Adviser Team AplusWebMaster

    Mass File Injection Attack

    FYI...

    Mass File Injection Attack
    - http://isc.sans.org/diary.html?storyid=4405
    Last Updated: 2008-05-11 21:48:56 UTC - "We received a report... this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now. The major portion of the sites seem to be running phpBB forum software.
    If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

    hxxp ://free .hostpinoy .info /f.js
    hxxp ://xprmn4u.info /f .js "

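The ISC diary above suggests checking outbound proxy logs for the two script URLs. As an added example (not part of the original post or the ISC diary), this Python scans constructed Squid access.log lines for requests to those two hosts and reports which internal clients reached them; the client addresses and the log lines are made up.

```python
"""Scan a web-proxy access log for outbound requests to the two script hosts
named in the ISC diary, and report which internal clients reached them.
Added example, not part of the original post; the log lines are constructed
in Squid's native access.log format and the client addresses are made up."""
import re
from urllib.parse import urlsplit

# Hosts taken from the ISC diary (defanged there as "free .hostpinoy .info" etc.).
BLOCKED_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}

# Squid native format: time elapsed client action/code size method URL ident hier/from type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: two clients fetch f.js, one hits a look-alike domain, one uses CONNECT.
SAMPLE_LOG = """\
1210529412.318    142 10.1.4.22 TCP_MISS/200 1843 GET http://free.hostpinoy.info/f.js - DIRECT/1.2.3.4 application/x-javascript
1210529413.004     88 10.1.4.22 TCP_MISS/200 5123 GET http://www.example.org/forum/index.php - DIRECT/5.6.7.8 text/html
1210529520.771     61 10.1.7.9 TCP_MISS/200 1843 GET http://xprmn4u.info/f.js - DIRECT/9.8.7.6 application/x-javascript
1210529600.100    120 10.1.9.3 TCP_MISS/200 2210 GET http://xprmn4u.info.example.com/x.js - DIRECT/1.1.1.1 text/html
1210529700.555     50 10.1.4.22 TCP_MISS/200 900 CONNECT free.hostpinoy.info:443 - DIRECT/1.2.3.4 -
"""


def host_of(url: str) -> str:
    """Return the lowercase hostname of a proxy-logged URL (CONNECT lines carry host:port)."""
    if "://" not in url:
        url = "//" + url  # CONNECT target has no scheme; urlsplit needs '//' to see a netloc
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host: str) -> bool:
    """Match the host itself or any subdomain of it, but not a look-alike that merely ends in it."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def find_exposed_clients(log_text: str) -> dict:
    """Map each internal client that reached a blocked host to the set of hosts it contacted."""
    hits = {}
    for line in log_text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if is_blocked(host):
            hits.setdefault(m.group("client"), set()).add(host)
    return hits


if __name__ == "__main__":
    for client, hosts in sorted(find_exposed_clients(SAMPLE_LOG).items()):
        print(f"{client} contacted {', '.join(sorted(hosts))} - schedule cleanup")
```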

  3. #23
    Adviser Team AplusWebMaster

    phpBB sites hacked - 500k

    FYI...

    - http://www.techworld.com/security/ne...75&pagtype=all
    13 May 2008 - "..."This is an on-going campaign, with new domains [hosting the malware] popping up even this morning," said Paul Ferguson, a network architect with anti-virus vendor Trend Micro. "The domains are changing constantly." According to Ferguson, over half a million legitimate websites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB", an open-source message forum manager... Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached. That server then pings the PC for any one of several vulnerabilities, including bugs in both Internet Explorer and the RealPlayer media player. If any of the vulnerabilities are present, the PC is exploited and malware is downloaded to it..."
    * http://preview.tinyurl.com/6f2uro
    Apr 07, 2008 - "phpBB 3.0.1 released... critical bugs fixed..."


  4. #24
    Adviser Team AplusWebMaster

    SQL Injection Attacks Becoming More Intense

    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    SQL Injection Attacks Becoming More Intense
    - http://www.f-secure.com/weblog/archives/00001435.html
    May 13, 2008 - "The mass SQL injection attacks... are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code. Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
    www .wowgm1 .cn
    www .killwow1 .cn
    www .wowyeye .cn
    vb008 .cn
    9i5t .cn
    computershello .cn
    We've now seen other domains being used as well such as direct84 .com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available*. The direct84 .com domain fast-fluxes to several different IPs in Europe, Israel and North America. The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS. This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database. There are many articles on how to do this such as this one**. You could also have a look at URLScan*** which provides an easy way to filter this particular attack based on the length of the QueryString."

    * http://www.secureworks.com/research/.../danmecasprox/
    May 13, 2008 - "...the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts..."

    ** http://msdn.microsoft.com/en-us/library/ms998271.aspx

    *** http://www.microsoft.com/technet/sec...s/urlscan.mspx

    Also see: http://www.shadowserver.org/wiki/pmw...endar.20080513
    May 13, 2008

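F-Secure's advice above is to sanitize inputs before they reach the database and to let URLScan reject requests by QueryString length. As an added example (not from the original post, F-Secure or Microsoft), this Python replays that length ceiling offline over constructed IIS W3C log lines and also URL-decodes each query string to look for T-SQL batch keywords; the log lines, the MAX_QUERY_LEN value and the keyword regex are assumptions, not URLScan's actual rules.

```python
"""Offline triage of IIS W3C log lines for mass SQL injection traffic. Added
example, not from the original post, F-Secure or Microsoft: the log lines are
constructed, MAX_QUERY_LEN is an assumed ceiling (URLScan enforces the same idea
as MaxQueryString under [RequestLimits]), and the keyword regex is a heuristic."""
import re
from urllib.parse import unquote_plus

MAX_QUERY_LEN = 1024  # assumed site ceiling; tune to the longest legitimate query you serve

# Heuristic (not from the page): a decoded query that declares a variable, CASTs a
# string and EXECs it has the shape of the encoded-script injections reported above.
SQL_BATCH = re.compile(r"\bDECLARE\s+@\w+|\bCAST\s*\(|\bEXEC\s*\(", re.IGNORECASE)

# Constructed W3C extended log; real IIS logs start with the same #Fields directive.
SAMPLE_IIS_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2008-05-13 09:14:02 192.0.2.10 GET /news.asp id=1215 80 - 198.51.100.7 200",
    "2008-05-13 09:14:09 192.0.2.10 GET /news.asp "
    "id=1215;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x41%20AS%20VARCHAR(4000));EXEC(@S);-- "
    "80 - 198.51.100.23 200",
    "2008-05-13 09:20:00 192.0.2.10 GET /search.asp q=" + "a" * 1500 + " 80 - 198.51.100.9 200",
])


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage_query(query):
    """Return the reasons a cs-uri-query is suspicious; an empty list means clean."""
    reasons = []
    if query == "-":  # IIS logs '-' when the request carried no query string
        return reasons
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)} exceeds MaxQueryString {MAX_QUERY_LEN}")
    # Decode the way ASP would see the value: the batch keywords hide behind %20 etc.
    if SQL_BATCH.search(unquote_plus(query)):
        reasons.append("T-SQL batch keywords in decoded query string")
    return reasons


def triage_log(log_text):
    """Return (client ip, uri stem, reasons) for every request that trips a check."""
    flagged = []
    for rec in parse_w3c(log_text):
        reasons = triage_query(rec.get("cs-uri-query", "-"))
        if reasons:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return flagged
```

Run `triage_log(SAMPLE_IIS_LOG)` to see the two flagged requests; a length ceiling alone misses short injections, which is why the decoded-keyword check sits beside it.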

  5. #25
    Adviser Team AplusWebMaster

    Full list of Injected Sites...

    (Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/pmw...endar.20080514
    Posted May 14, 2008, at 07:42 AM - "Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.


    => Posted May 14, 2008, at 07:42 AM.

  6. #26
    Adviser Team AplusWebMaster

    Mass SQL Injection Attack Targets Chinese Web Sites

    FYI...

    Mass SQL Injection Attack Targets Chinese Web Sites
    - http://preview.tinyurl.com/5tmj3q
    May 19, 2008 3:00 AM PDT (PC World) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan. First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei. "The attack is ongoing,... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said... Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available..."


  7. #27
    Adviser Team AplusWebMaster

    China/Taiwan SQL attacks...

    More on the China/Taiwan SQL attacks...

    - http://preview.tinyurl.com/56u2m7
    May 19, 2008 (Computerworld) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites... The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed." The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.

    The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748)."
    - http://nvd.nist.gov/nvd.cfm

    - http://blog.trendmicro.com/chinese-weekend-compromise/
    May 19, 2008

    Last edited by AplusWebMaster; 2008-05-19 at 21:05.

  8. #28
    Adviser Team AplusWebMaster


    Follow-up:

    - http://www.computerworld.com/comment...#comment-92914
    [China and Taiwan - SQL injection attacks]
    Submitted by Anonymous tech on May 19, 2008 - 16:11.
    " 'Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites...'

    That appears to be incorrect - the SQL injection plants a java-scripted IFRAME which re-directs the victim's browser to an attacker's site that performs the exploits. Please check the facts. More than one source would confirm it.

    Every other SQL injection attack to date has done that, using an Mpack-like exploit tool at the attackers' site - NOT the site that was the victim of the SQL injection."


  9. #29
    Adviser Team AplusWebMaster

    Chinese weekend SQL injection attacks

    FYI... (apologies for the long post - needed for detail):

    - http://blog.trendmicro.com/yet-more-...-other-shores/
    May 19, 2008 - "...This discovery comes on the tail of the mass compromise* of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curious is how some of the malicious URLs in this new set of compromises are the same as in the first mass compromise. The four sites — humanitarian, government, and news — were injected with the malicious JavaScript..."

    Chinese Weekend Compromise
    * http://blog.trendmicro.com/chinese-weekend-compromise/
    May 19, 2008 - "Just a week after half a million Web sites were compromised, here comes another mass Web threat... This time, Senior Threat Analyst Aries Hsieh, together with our research team in Taiwan, picked up on another script injection attack aimed at Web sites in the Chinese language... A visit to any compromised site would install and execute a malicious script on a system. This said script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site hxxp ://{BLOCKED} .us /s.js

    JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:
    1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
    2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
    3. Checks for GLAVATAR.GLAvatarCtrl.1
    4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
    5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
    Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically to China, Taiwan, Singapore, and Hong Kong. These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
    * hxxp ://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
    * hxxp ://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
    * hxxp ://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
    * hxxp ://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
    * hxxp ://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
    JS_IFRAME.AD was found to download the following:
    * VBS_PSYME.CSZ
    * JS_VEEMYFULL.AA
    * JS_LIANZONG.E
    * JS_SENGLOT.D
    These four malware, in turn, download and execute
    hxxp ://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
    As of this writing, Google search results show some 327,000 pages that contain the malicious script tag..."

    (Screenshots available at both TrendMicro URLs above.)


  10. #30
    Adviser Team AplusWebMaster

    Shadowserver - mass SQL injection attack domain list

    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    - http://isc.sans.org/diary.html?storyid=4439
    Last Updated: 2008-05-20 16:55:25 UTC ...(Version: 3) - "...Shadowserver has published a list of domains used in past -and- recent massive SQL injections* that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks... plans to maintain this list as we come across new domains over time. The list also contains an estimated number of current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource..."
    * http://www.shadowserver.org/wiki/pmw...endar.20080514
    Full list of Injected Sites ...last modified date/time at bottom of page

    Last edited by AplusWebMaster; 2008-05-22 at 01:17.
