
Friday 20 June 2008

SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.

9 comments:

Unknown said...

Excellent work. You seem to be one of the few people around tracking this surge. Here's my list of active domains as of this morning:


Greg Martin said...

This is the ASPRox botnet and it is currently on a rampage. The domains host malicious JavaScript which inserts an iframe hosting malware.

Our product Sentinel IPS defends against this attack in real time

www.networkcloaking.com

PC-PDX.com said...

chkbnr
chinabnr

PC-PDX.com said...

....are also domains that are actively sucking. Thanks for being a good starting point on this info. Other good resources for this problem can be found at:
http://www.cio.com.au/index.php/id;552560972

DDMemphis said...

Any effective ways to block the attack? Any ideas?

Avi said...

This keeps happening to my website, I've written a script to clean up the DB to remove the injections, but I don't understand how they're getting in. Is this a problem on my end, or my host (1and1), or what? Any help or tips would be VERY greatly appreciated. My email is avirocks [at] gmail (dot) com

John D. Biethan Jr. said...

avi,

You said "I've written a script to clean up the DB to remove the injections"

Is that script available, as I have a big clean-up to do?

Generally,

We have a WordPress MySQL database that appears to have
had a SQL injection. We're attempting to clean the file and have
a few questions.

1) Are there any tools available that can scan a
backup of a MySQL table exported from phpMyAdmin
and clean out a SQL Injection?

2) Are there any tools available that can scan an online MySQL
database and clean out a SQL Injection?

3) Are there any tools that can detect any other problems
in regards to a WordPress installation that has been compromised?

We're new to this cleanup process and any help at all in
locating any tools would be greatly appreciated.

John

Unknown said...

Hi,
I have a site which contains links to www.chinabnr.com, www.alzhead.com, www.bnrbtch.com. I don't know how this file is included in my pages, as they are not present in the coding. Are they coming from the database? How can I clean my database? I have MSSQL Server on Windows.
Any help would be appreciated.
Thanks for any help in advance.

Tim Januario said...

This is definitely coming from your database. What they did to us was to put the offending code into a search text box. The search was an update script which reads from your sys tables to find every text field in your database and then updates the value of that field to original_value + <script>...</script>.

This generally happens because you have some code that looks like this:
SELECT field FROM table WHERE field2 = ' + user_entered_text

They put "; exec (update...);--" into the box which then turns your code into:

SELECT field FROM table WHERE field2 = ''; exec (update ...); --
which comments out anything that you had at the end of your SQL so that it doesn't throw an error and is executed as perfectly legal SQL. (Look up SQL injection attacks.)

The best way to avoid this is to not allow webpages to call SQL directly. Always execute through stored procedures which don't allow this.
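
The concatenation problem described in the comment above, shown beside a parameterized query, as an added example that is not part of the original post or its comments. It assumes SQLite (via Python's `sqlite3`) in place of MSSQL; the `pages` table, the function names, the search input and the `example.invalid` marker are all constructed for illustration.

```python
import sqlite3

# Constructed marker standing in for the appended <script> tag described above.
MARKER = "<script src=//example.invalid/b.js></script>"
# Constructed search-box input: closes the string literal, stacks an UPDATE,
# then comments out whatever the application appended after the value.
PAYLOAD = "x'; UPDATE pages SET body = body || '" + MARKER + "'; --"


def new_db():
    """In-memory database with a hypothetical 'pages' table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [("home", "Welcome"), ("about", "About us")])
    db.commit()
    return db


def search_vulnerable(db, text):
    """String concatenation: user text becomes part of the SQL statement."""
    sql = "SELECT title FROM pages WHERE title = '" + text + "'"
    # executescript() runs stacked statements, like the MSSQL batch in the
    # comment; sqlite3's execute() would reject a second statement.
    db.executescript(sql)


def search_safe(db, text):
    """Bound parameter: user text is only ever compared as a value."""
    return db.execute("SELECT title FROM pages WHERE title = ?",
                      (text,)).fetchall()


def tainted_rows(db):
    """Count rows whose body now carries the marker."""
    return db.execute("SELECT COUNT(*) FROM pages WHERE instr(body, ?) > 0",
                      (MARKER,)).fetchone()[0]


if __name__ == "__main__":
    for name, fn in (("concatenated", search_vulnerable),
                     ("parameterized", search_safe)):
        db = new_db()
        fn(db, PAYLOAD)
        print(name, "-> tainted rows:", tainted_rows(db))
```

With the concatenated query every row's `body` ends up carrying the marker; with the bound parameter the same input simply matches no title and the table is unchanged.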