The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.
The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.
Right at the moment, winzipices.cn is returning a server error, but bbs.jueduizuan.com is functioning just fine. The script it serves tries to attack visiting systems using the MS07-004 vulnerability (the Internet Explorer VML flaw) and a RealPlayer vulnerability, and it also attempts to download an executable from www.bluell.cn/ri.exe, possibly using a shell vulnerability (VirusTotal analysis here, mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).
Some IP addresses:
www.bluell.cn is 60.191.239.219
winzipices.cn is 60.191.239.229
bbs.jueduizuan.com is 60.191.239.219
My recommendation is to block access to the entire 60.191.239.x range if you can.
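To act on the indicators above, the following scanner is an added example (not code from the original post or from the ISC): it walks rows dumped from a site's text columns, pulls out every script src, and flags those that name one of the hosts listed above or that resolve into the 60.191.239.0/24 range the post recommends blocking. Resolutions are taken from the post rather than live DNS so it runs offline; the sample rows are constructed, and the host other.example with address 60.191.239.5 is hypothetical, included only to show the range check catching a host the post does not name.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the post: the hosts named in the injected <script> tags, the host
# serving ri.exe, and the /24 the post recommends blocking.
MALICIOUS_HOSTS = {"winzipices.cn", "bbs.jueduizuan.com", "www.bluell.cn"}
BLOCKED_NET = ipaddress.ip_network("60.191.239.0/24")

# Resolutions quoted in the post, used instead of live DNS so the scan runs offline.
KNOWN_RESOLUTIONS = {
    "www.bluell.cn": "60.191.239.219",
    "winzipices.cn": "60.191.239.229",
    "bbs.jueduizuan.com": "60.191.239.219",
}

# Matches the src of a <script> tag whether or not the attribute value is quoted; the
# injected tags in this campaign were written without quotes.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def extract_script_hosts(text):
    """Return (src, hostname) for every <script src=...> found in text."""
    found = []
    for src in SCRIPT_SRC.findall(text):
        url = src if "://" in src else "http://" + src
        host = urlparse(url).hostname
        if host:
            found.append((src, host.lower()))
    return found


def is_suspicious(host, resolutions=KNOWN_RESOLUTIONS):
    """Flag a host if it is one of the named domains or resolves into the blocked /24."""
    if host in MALICIOUS_HOSTS:
        return True
    ip = resolutions.get(host)
    return ip is not None and ipaddress.ip_address(ip) in BLOCKED_NET


def scan_rows(rows, resolutions=KNOWN_RESOLUTIONS):
    """rows: iterable of (table, column, row_id, text), e.g. every text column dumped
    from the site's database. Returns one finding per injected script reference."""
    findings = []
    for table, column, row_id, text in rows:
        for src, host in extract_script_hosts(text):
            if is_suspicious(host, resolutions):
                findings.append({"table": table, "column": column, "id": row_id,
                                 "src": src, "host": host})
    return findings


# Constructed sample rows standing in for a database dump. The host other.example and
# its address are hypothetical (not from the post), included to show the /24 check
# catching a host the post does not name.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Red widget<script src=http://winzipices.cn/1.js></script>"),
    ("Products", "Description", 2, "Blue widget"),
    ("News", "Body", 7, 'Story text<script src="http://bbs.jueduizuan.com/ip.js"></script>'),
    ("News", "Body", 8, '<script src="http://www.example.com/site.js"></script>'),
    ("News", "Body", 9, "More text<script src=http://other.example/x.js></script>"),
]
SAMPLE_RESOLUTIONS = {**KNOWN_RESOLUTIONS, "other.example": "60.191.239.5"}

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, SAMPLE_RESOLUTIONS):
        print(f"{f['table']}.{f['column']} id={f['id']}: {f['src']} ({f['host']})")
```

Against the sample rows it reports rows 1, 7 and 9 and ignores the benign example.com script; on a real site you would feed it the output of a query over every char/varchar/text column, since the injection wrote the tag into all of them.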
At the moment, a Google search for winzipices.cn shows 1790 matches, and for jueduizuan.com it is 1640 matches. Expect those figures to climb sharply.
If you are running an affected SQL server, then you need to secure it and make the web application in front of it validate its input properly (parameterised queries rather than string-built SQL), otherwise the problem will happen again. Client machines should be protected if they are fully up to date on patches; if you have been infected, then use the excellent Secunia Software Inspector to check your system for vulnerable apps.
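To make the "better validation" point concrete, here is an added example (not code from the original post) of the vulnerable pattern beside its fix, using Python's built-in sqlite3 as a stand-in for the ASP/SQL Server stack these sites ran. The vulnerable function pastes request values into the SQL text and runs the result as a batch, so a stacked UPDATE can append the script tag to every row; the safe function binds the description as a parameter and insists the id is an integer. The product table and the payload are constructed for the demonstration; the payload only models the effect the post describes and is not the campaign's actual injection string.

```python
import sqlite3

# The tag the post reports being inserted into database text columns.
INJECTED_TAG = "<script src=http://winzipices.cn/1.js></script>"


def make_db():
    """Constructed sample catalogue standing in for a site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "A red widget"), ("gadget", "A blue gadget"), ("gizmo", "A green gizmo")],
    )
    conn.commit()
    return conn


def update_description_vulnerable(conn, product_id, description):
    """The anti-pattern: request values become part of the SQL text. executescript()
    runs every statement in the string, mirroring a SQL Server batch sent through ADO
    (sqlite3's execute() would refuse a second statement)."""
    sql = ("UPDATE products SET description = '" + description
           + "' WHERE id = " + product_id)
    conn.executescript(sql)
    conn.commit()


def update_description_safe(conn, product_id, description):
    """Parameterised statement plus type validation: the description is bound as a
    value, so quotes and semicolons in it are data, and a non-numeric id is rejected
    with ValueError before any SQL runs."""
    conn.execute(
        "UPDATE products SET description = ? WHERE id = ?",
        (description, int(product_id)),
    )
    conn.commit()


# Constructed stand-in for a mass-injection payload delivered through a numeric
# parameter: it terminates the intended statement and stacks a second UPDATE that
# appends the script tag to every row in the table.
PAYLOAD_ID = ("1; UPDATE products SET description = description || '"
              + INJECTED_TAG + "'")


def descriptions(conn):
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


def rows_carrying_tag(conn):
    """Number of rows whose description now contains the injected tag."""
    return sum(INJECTED_TAG in d for d in descriptions(conn))


def demo():
    """Returns (rows tagged via the vulnerable path, whether the safe path rejected the
    payload, descriptions left in the safe database)."""
    vulnerable = make_db()
    update_description_vulnerable(vulnerable, PAYLOAD_ID, "New text")

    safe = make_db()
    try:
        update_description_safe(safe, PAYLOAD_ID, "New text")
        rejected = False
    except ValueError:
        rejected = True
    # A legitimate value containing quotes is harmless once bound as a parameter.
    update_description_safe(safe, "1", "O'Reilly's widget")
    return rows_carrying_tag(vulnerable), rejected, descriptions(safe)


if __name__ == "__main__":
    tagged, rejected, left = demo()
    print(f"vulnerable path: {tagged} of 3 rows now carry the script tag")
    print(f"safe path: payload rejected={rejected}, rows={left}")
```

The vulnerable path tags all three rows with one request, which is exactly how one injected parameter ends up defacing every page of a site; the safe path never reaches the database with the payload. Note that in this campaign the injected parameters were numeric, so no quote character was needed, which is why filtering quotes alone is not a fix.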
As always, there are some high profile sites that have been compromised. They may well have been cleaned up by now, so inclusion here does not mean that they are unsafe or safe to visit.
bbs.jueduizuan.com
- safecanada.ca (Canadian Homeland Security again)
- breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
- dubaicityguide.com (Travel)
- classicdriver.com (Motoring)
winzipices.cn
- imo.org (International Maritime Organisation)
- cifas.org.uk (Fraud Prevention)
- hmdb.org (Historical Marker Database)
- abbyy.com (OCR software)
- cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
- www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
- newmarket.travel (Travel)
- discoverireland.ie (Travel)
- gay.tv (Lifestyle)
Some of these sites are regularly hit by SQL injection attacks, and safecanada.ca was also infected in the last major outbreak. The problem is that once a site has been attacked and its injectable pages enumerated, it will be attacked again and again until it is fixed. As mentioned before, there is no such thing as a safe site.