Friday 20 June 2008

SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

The method of attack hasn't changed, and the cleanup of compromised SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to its web host might help.

9 comments:

  1. Excellent work. You seem to be one of the few people around tracking this surge. Here's my list of active domains as of this morning:

    adwbnr.com
    alzhead.com
    bnradw.com
    bnrcompro.com
    clickbnr.com
    clsiduser.com
    clsidw.com
    coldwop.com
    datajto.com
    dbdomaine.com
    encode72.com
    libid53.com
    pingadw.com
    script46.com
    sslnet72.com
    updatebnr.com
    upgradead.com

  2. This is the ASPRox botnet, and it is currently on a rampage. The domains host malicious JavaScript which inserts an iframe hosting malware.

    Our product Sentinel IPS defends against this attack in real time.

    www.networkcloaking.com

  3. ....are also domains that are actively sucking. Thanks for being a good starting point on this info. Other good resources for this problem can be found at:
    http://www.cio.com.au/index.php/id;552560972

  4. Any effective ways to block the attack? Any ideas?

  5. This keeps happening to my website. I've written a script to clean up the DB to remove the injections, but I don't understand how they're getting in. Is this a problem on my end, or my host (1and1), or what? Any help or tips would be VERY greatly appreciated. My email is avirocks [at] gmail (dot) com

  6. avi,

    You said "I've written a script to clean up the DB to remove the injections"

    Is that script available, as I have a big clean-up to do?

    Generally,

    We have a WordPress MySQL database that appears to have had a SQL injection. We're attempting to clean the file and have a few questions.

    1) Are there any tools available that can scan a backup of a MySQL table exported from phpMyAdmin and clean out a SQL injection?

    2) Are there any tools available that can scan an online MySQL database and clean out a SQL injection?

    3) Are there any tools that can detect any other problems in regards to a WordPress installation that has been compromised?

    We're new to this cleanup process and any help at all in locating any tools would be greatly appreciated.

    John

  7. Hi,
    I have a site which contains links to www.chinabnr.com, www.alzhead.com, www.bnrbtch.com.
    I don't know how this got included in my pages, as the links are not present in the code. Are they coming from the database? How can I clean my database? I have MS SQL Server on Windows.
    Any help would be appreciated.
    Thanks for any help in advance.

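The cleanup that the last three commenters ask for, written here as an added T-SQL script; it is not the post's or any commenter's code. It assumes SQL Server 2005 or later (it uses nvarchar(max)), that the injected text has the shape `<script src=http://DOMAIN/anything></script>` appended to an existing value, and that the domain list is the one in the post above (extend it from the first comment as needed). It starts in report-only mode; set @Apply to 1 only after taking a backup.

```sql
-- Added example, not from the post or any commenter: report (and optionally strip)
-- Asprox-style <script src=http://DOMAIN/...></script> tags from every character
-- column of every user table in the current database. Needs SQL Server 2005+.
SET NOCOUNT ON;

-- 0 = report only (run this first); 1 = strip the tags. Take a backup before using 1.
DECLARE @Apply bit;
SET @Apply = 0;

-- Domains named in the post above; add more from the comments as you find them.
DECLARE @Domains TABLE (Domain nvarchar(100) NOT NULL);
INSERT INTO @Domains (Domain)
SELECT N'pingadw.com' UNION ALL SELECT N'alzhead.com'  UNION ALL SELECT N'pingbnr.com'
UNION ALL SELECT N'coldwop.com' UNION ALL SELECT N'adwbnr.com' UNION ALL SELECT N'bnrcntrl.com'
UNION ALL SELECT N'chinabnr.com';

DECLARE @Schema sysname, @Table sysname, @Column sysname, @Type nvarchar(140),
        @Domain nvarchar(100), @Pattern nvarchar(200), @Tbl nvarchar(300),
        @Sql nvarchar(max), @Hits int;

-- Every char/varchar/nchar/nvarchar/text/ntext column of a base table, plus the
-- type expression used to cast the cleaned value back (e.g. nvarchar(255), text).
DECLARE ColCur CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME,
           CASE WHEN c.DATA_TYPE IN (N'text', N'ntext') THEN c.DATA_TYPE
                WHEN c.CHARACTER_MAXIMUM_LENGTH = -1 THEN c.DATA_TYPE + N'(max)'
                ELSE c.DATA_TYPE + N'(' + CAST(c.CHARACTER_MAXIMUM_LENGTH AS nvarchar(10)) + N')'
           END
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = N'BASE TABLE'
      AND c.DATA_TYPE IN (N'char', N'varchar', N'nchar', N'nvarchar', N'text', N'ntext');

OPEN ColCur;
FETCH NEXT FROM ColCur INTO @Schema, @Table, @Column, @Type;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Tbl = QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table);

    DECLARE DomCur CURSOR LOCAL FAST_FORWARD FOR SELECT Domain FROM @Domains;
    OPEN DomCur;
    FETCH NEXT FROM DomCur INTO @Domain;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- With a leading %, PATINDEX returns the position where the injected tag starts.
        SET @Pattern = N'%<script src=http://' + @Domain + N'/%';

        SET @Sql = N'SELECT @Hits = COUNT(*) FROM ' + @Tbl +
                   N' WHERE PATINDEX(@Pattern, CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max))) > 0;';
        EXEC sp_executesql @Sql, N'@Pattern nvarchar(200), @Hits int OUTPUT', @Pattern, @Hits OUTPUT;

        IF @Hits > 0
        BEGIN
            PRINT @Tbl + N'.' + QUOTENAME(@Column) + N': ' + CAST(@Hits AS nvarchar(10))
                  + N' row(s) carry a tag pointing at ' + @Domain;

            IF @Apply = 1
            BEGIN
                -- STUFF removes the text from "<script" up to and including the first
                -- "</script>" after it (9 = LEN('</script>')). The WHILE repeats until no
                -- row still matches, because a column can carry several appended tags.
                SET @Sql = N'WHILE 1 = 1 BEGIN ;WITH Hit AS (SELECT ' + QUOTENAME(@Column) + N' AS Val, ' +
                    N'PATINDEX(@Pattern, CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max))) AS StartPos, ' +
                    N'CHARINDEX(N''</script>'', CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max)), ' +
                    N'PATINDEX(@Pattern, CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max)))) AS EndPos ' +
                    N'FROM ' + @Tbl + N' WHERE PATINDEX(@Pattern, CAST(' + QUOTENAME(@Column) + N' AS nvarchar(max))) > 0) ' +
                    N'UPDATE Hit SET Val = CAST(STUFF(CAST(Val AS nvarchar(max)), StartPos, EndPos + 9 - StartPos, N'''') AS ' + @Type + N') ' +
                    N'WHERE EndPos > 0; IF @@ROWCOUNT = 0 BREAK; END';
                EXEC sp_executesql @Sql, N'@Pattern nvarchar(200)', @Pattern;
            END
        END
        FETCH NEXT FROM DomCur INTO @Domain;
    END
    CLOSE DomCur;
    DEALLOCATE DomCur;

    FETCH NEXT FROM ColCur INTO @Schema, @Table, @Column, @Type;
END
CLOSE ColCur;
DEALLOCATE ColCur;
```

The report pass is the check to run first: it tells you which tables and columns reference which domain without changing anything. Cleaning the data does not close the hole; until the injectable page is fixed, the rows will be re-infected on the next scan, so treat the PRINT output as a list of tables the vulnerable code can write to, and check the web server logs for requests carrying DECLARE/CAST/EXEC in query strings against those pages.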
  8. This is definitely coming from your database. What they did to us was to put the offending code into a search text box. The search was an update script which reads from your sys tables to find every text field in your database and then updates the value of that field to original_value + <script>...</script>.

    This generally happens because you have some code that looks like this:
    "SELECT field FROM table WHERE field2 = '" + user_entered_text + "'"

    They put "'; exec (update...);--" into the box, which then turns your code into:

    SELECT field FROM table WHERE field2 = ''; exec (update ...); --

    which comments out anything that you had at the end of your SQL so that it doesn't throw an error, and is executed as perfectly legal SQL. (Look up SQL injection attacks.)

    The best way to avoid this is to not allow webpages to call SQL directly. Always execute through stored procedures, which don't allow this.

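The mechanism the last commenter describes, worked through as an added T-SQL example that is not the page's or any commenter's code. It assumes a scratch database on SQL Server 2005 or later, run from SSMS or sqlcmd (the GO separators), with constructed rows and a constructed payload that appends a harmless `[INJECTED]` marker instead of a script tag. It shows the concatenated query, then that a stored procedure which concatenates internally is no better, and then the same lookup with the value passed as a typed parameter.

```sql
-- Added example, not the page's or any commenter's code. Run it in a scratch database
-- on SQL Server 2005+: it builds a throwaway table, reproduces the concatenated query
-- the commenter describes, shows that a stored procedure which concatenates is no
-- better, and then does the same lookup with the value passed as a parameter.
SET NOCOUNT ON;

CREATE TABLE dbo.Products (
    Id    int IDENTITY(1, 1) PRIMARY KEY,
    Name  nvarchar(100) NOT NULL,
    Descr nvarchar(400) NOT NULL
);
INSERT INTO dbo.Products (Name, Descr) VALUES (N'widget', N'A plain widget');   -- constructed rows
INSERT INTO dbo.Products (Name, Descr) VALUES (N'gadget', N'A plain gadget');
GO

-- The commenter's advice taken literally: a procedure that still glues the term into the text.
CREATE PROCEDURE dbo.SearchProducts_Concat @Term nvarchar(400) AS
BEGIN
    DECLARE @Q nvarchar(max);
    SET @Q = N'SELECT Name FROM dbo.Products WHERE Name = ''' + @Term + N'''';
    EXEC (@Q);      -- the input is parsed as SQL: injectable
END
GO

-- The fix: the term is a typed parameter and is only ever compared, never parsed.
CREATE PROCEDURE dbo.SearchProducts_Param @Term nvarchar(400) AS
BEGIN
    SELECT Name FROM dbo.Products WHERE Name = @Term;
END
GO

-- Constructed attacker input with the "'; exec (update ...);--" shape described above,
-- using a harmless marker in place of the real script tag.
DECLARE @UserInput nvarchar(400);
SET @UserInput = N'''; UPDATE dbo.Products SET Descr = Descr + N''[INJECTED]'';--';

-- 1. Inline concatenation, as the web page would do it. The statement becomes
--    SELECT Name FROM dbo.Products WHERE Name = ''; UPDATE dbo.Products SET Descr = Descr + N'[INJECTED]';--'
--    so the UPDATE runs as a second statement and the stray closing quote is commented out.
DECLARE @Sql nvarchar(max);
SET @Sql = N'SELECT Name FROM dbo.Products WHERE Name = ''' + @UserInput + N'''';
PRINT @Sql;
EXEC (@Sql);
SELECT Id, Descr FROM dbo.Products;   -- both rows now end in [INJECTED]

-- 2. Reset, then the concatenating procedure: same damage.
UPDATE dbo.Products SET Descr = REPLACE(Descr, N'[INJECTED]', N'');
EXEC dbo.SearchProducts_Concat @Term = @UserInput;
SELECT Id, Descr FROM dbo.Products;   -- [INJECTED] is back

-- 3. Reset, then the parameterised procedure: the payload is just a string that matches no Name.
UPDATE dbo.Products SET Descr = REPLACE(Descr, N'[INJECTED]', N'');
EXEC dbo.SearchProducts_Param @Term = @UserInput;
SELECT Id, Descr FROM dbo.Products;   -- untouched

-- 4. Dynamic SQL is equally safe when the value is bound instead of concatenated.
EXEC sp_executesql N'SELECT Name FROM dbo.Products WHERE Name = @Term',
                   N'@Term nvarchar(400)', @Term = @UserInput;
SELECT Id, Descr FROM dbo.Products;   -- still untouched

DROP PROCEDURE dbo.SearchProducts_Concat;
DROP PROCEDURE dbo.SearchProducts_Param;
DROP TABLE dbo.Products;
```

Two caveats the commenter's advice leaves out. The stored procedure only helps if the web page calls it with a parameter object (an ADO Command with a typed parameter, for instance); building the string "EXEC dbo.SearchProducts_Param '" + input + "'" in the page puts the same concatenation bug back in front of the procedure. And the mass-update payload in this attack only works because the web application's database login has UPDATE rights on every table; a login restricted to EXECUTE on the procedures it needs would have stopped the script even where the injection itself succeeded.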