Sponsored by..

Thursday, 5 June 2008

Googling for SQL injection infected sites

A very rough and ready Google search shows (warning: results may lead to malware) 792,000 pages that were infected when Google visited the site. Sites that say "This site may harm your computer." can be considered as persistent offenders. Note also that the search results may have some false positives.

All very interesting, you might think. But if you work in an IT department, it can be very useful to find sites that your users might visit so that you can take action.. or perhaps you can even check your own business.

In this current round of attacks, the bad javascript file is called b.js, so you can find a lot of infected sites by Googling for "script src" b.js (you need to include the quotes). That gives hundreds of thousands of matches.

One obvious check is to add your company name, for example "script src" b.js "oceanic airlines", but Google is cleverer than that. If you use the "inurl" function, then you can search for sites in certain TLDs or with certain names. For example "script src" b.js inurl:gov lists several government sites, "script src" b.js inurl:oceanic would find results on sites such as oceanic-air.com, oceanicair.net, oceanic-air.co.uk.

You can narrow down results by country by using the Advanced Search (or you could just use the "national" Google site such as google.co.uk, google.ca etc). You can use other search engines too, but really Google has the most powerful searching options.

Of course, if you want to confirm if the site is still infected, then you will need to visit it. If you don't want all the hassle of firing up a Linux box, then one safe tool is SamSpade for Windows which allows you to look at the underlying HTML safely. It's a pretty old tool, and not perfect, but very useful for a number of tasks. Alternatively, WGET for Windows is more powerful and it allows you to download files in a command line (although care needs to be taken once they are on your machine). I tend to use both.

No comments: