Page 4 of 9 FirstFirst 12345678 ... LastLast
Results 31 to 40 of 89

Thread: Thousands of sites infected - archive

  1. #31
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Full list of Injected Sites ...updated

    FYI...

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/pmw...endar.20080514
    Page last modified on June 01, 2008, at 09:04 PM
    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
    Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google)...
    Some of these have been re-injected by URL encoding the script names. So if a host/domain shows up in parentheses and also in the list unencoded, these were two separate injection runs..."

    ("Full list..." at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation New sql injection site with fastflux hosting

    FYI...

    New sql injection site with fastflux hosting
    - http://isc.sans.org/diary.html?storyid=4519
    Last Updated: 2008-06-02 22:13:22 UTC - "One of our frequent contributors notified us of a new sql injection site.
    hxxp ://en-us18 .com /b.js is being injected via sql into websites.
    When I googled for it I saw 560 injected webpages. “b.js injects an iFrame which points to
    hxxp ://en-us18 .com/cgi-bin/index.cgi?ad which in turn embeds two Flash files:

    advert.swf: http://www.virustotal.com/analisis/d...6f82c536abd0c7
    banner.swf: http://www.virustotal.com/analisis/8...72625634a3babc

    This appears to be fast fluxed or at least setup to change rapidly based on this dig output... A second dig a few minutes later produced similar but slightly different results. So this domain is changing. I guess they got tired of people blackholing their ip address. So in that case I would recommend you dns blackhole that domain."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #33
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    And the list just keeps on growing...

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/pmw...endar.20080514
    Page last modified on June 05, 2008, at 07:10 AM
    Page last modified on June 06, 2008, at 06:22 AM

    :(
    Last edited by AplusWebMaster; 2008-06-06 at 22:03. Reason: ...the list just keeps on growing...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #34
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    - http://preview.tinyurl.com/64qke6
    June 17, 2008 (trustedsource.org/blog) - "MTV France has become another victim of the “Latest Wave of SQL Injection Attacks“. The web site and the RSS feed are heavily infected with several malicious scripts as seen in the screenshot... Each of the malicious domains are serving a script called ‘b.js’ which is related to the “Danmec” malware family (a.k.a. “Asprox”). These domains are hosted on a “fast-flux” network of compromised computers which could also relay spam messages... The biggest concern with the infected RSS feed is that every RSS reader or web site, including the content from MTV France, will host the malicious scripts on their web sites. In a quick test with a WordPress 2.1.3 installation, the full content (including the script) was included in the blog and not filtered out. This is one example of the threat posed by Web 2.0 content mash-ups, where someone is including generated content via feeds into his web site and thereby just spreading the malicious code further."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #35
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation SQL Injection Prevention...

    FYI...

    Microsoft SQL Injection Prevention Strategy
    - http://forums.spybot.info/showpost.p...3&postcount=94
    2008-06-24

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/pmw...endar.20080514
    ...last modified on June 25, 2008, at 05:17 AM

    Last edited by AplusWebMaster; 2008-06-25 at 19:12.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #36
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation New wave of SQL-injection attacks

    FYI...

    - http://www.theregister.co.uk/2008/06...jection_tools/
    26 June 2008 - "...ScanSafe, a company that monitors websites for malicious behavior, reports* a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic. The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months... The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors..."
    * http://preview.tinyurl.com/5cyo99
    June 26, 2008 (ScanSafe STAT blog) - "The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday... The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload the SQL injection attack tool, which then queries search engines to find susceptible sites and attempts to exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors' computers. Other bots are used as hosts for the malware; these hosts appear to be using the Neosploit framework. Asprox uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses (i.e. one domain name may resolve to any one of a number of attacker-controlled victim computers commandeered to act as malware hosts)... a large number of the trafficked compromised sites appear to be from the manufacturing sector, particularly among companies involved in the manufacture or distribution of heating and cooling systems... the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans - infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in the Ukraine and Malaysia, rather than China..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #37
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation More SQL Injection with Fast Flux hosting

    FYI...

    More SQL Injection with Fast Flux hosting
    - http://isc.sans.org/diary.html?storyid=4645
    Last Updated: 2008-07-01 04:46:52 UTC ...(Version: 5) - "...More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:
    hxxp :// updatead .com
    hxxp :// upgradead .com
    hxxp :// clsiduser.com
    hxxp :// dbdomaine.com
    b.js then redirects to several domains which host a cgi script
    hxxp :// kadport .com /cgi-bin/indes.cgi?ad
    hxxp :// hdadwcd .com /cgi-bin/index.cgi?ad
    Which then redirects to ad.js which redirects the user to
    hxxp :// spyware-quick-scan .com?wmid=1041&I=14&it=1&s=4t
    This site attempts to trick the user into installing installer.exe
    AV coverage is decent:
    http://www.virustotal.com/analisis/9...45cbff173e67d8
    ...This post has a nice running list of domains: http://infosec20.blogspot.com/2008/0...nd-iframe.html
    The cause seems to be the ASPROX bot kit, which got some SQL injection capabilities in mid-May, see http://www.heise-online.co.uk/securi...--/news/110742 .
    Dr. Ulrich's post http://isc.sans.org/diary.html?storyid=4565 lays out very nicely how it all happens... The folks at ShadowServer are keeping a comprehensive and updated list at:
    http://www.shadowserver.org/wiki/pmw...endar.20080514
    Page last modified on July 01, 2008, at 10:16 AM ..."

    Last edited by AplusWebMaster; 2008-07-02 at 00:17. Reason: Shadowserver list updated... again.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #38
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Sony PlayStation website hacked

    FYI...

    Sony PlayStation website hacked
    - http://www.theregister.co.uk/2008/07...ystation_hack/
    3 July 2008 - "Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers. SQL injection vulnerabilities on the site were used by miscreants to load malicious code on pages showcasing the PlayStation games SingStar Pop and God of War, net security firm Sophos reports*. The code promotes scareware to visitors, which falsely claims that their computers are infected with computer viruses to frighten them into purchasing software of little or no security utility... Sophos informed Sony of the website vulnerabilities, which were purged by Thursday morning. The attack is the latest in a wave of SQL injection attacks that have turned the websites of legitimate organisations into conduits for drive-by download assaults. Recent victims have included the website of tennis regulators ITF and ATP, the professional players tour and Wal-Mart. Large-scale SQL Injection attacks starting around October 2007 have hit a large number of small sites as well as high-profile targets..."
    * http://www.sophos.com/security/blog/2008/07/1540.html

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #39
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down 6508 fastflux domains...

    Update... 7.4.2008

    - http://atlas.arbor.net/summary/fastflux
    "...Currently monitoring -6508- fastflux domains..."


    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #40
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Unhappy SQL injections, redirects, d-b-d, and client-side attacks...

    FYI...

    - http://www.shadowserver.org/wiki/pmw...endar.20080705
    5 July 2008 - "...People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...
    Understanding the Danmec/Asprox Attacks...
    Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in databases in ways it was never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.
    The initial code has been an HTML "script" command, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download.
    Innocent user wasn't targeted directly by the attacker's SQL injection. Instead, innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com. Evilsite.net then looks at the information presented by innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect command telling innocent user's browser to contact evilsite2.net (all without any interaction from innocent user). Finally, evilsite2.net provides a working exploit which compromises innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nasiness an attacker can drum up. Since this exploit is reliant on innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
    So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks."

    (Graphic available at the Shadowserver URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •