Sponsored by..

Tuesday, 3 June 2008

xiaobaishan.net - yet another SQL injection attack

It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on 219.146.128.119 in China.

It looks like the domain may well be a legitimate one that has somehow been compromised and 219.146.128.119 looks like a pretty standard shared server.

It's possible that the chliyi.com infected sites were deliberately targeted, the resulting HTML is an awful mess though (see below).

Some notable infected sites:

  • kcsg.com (again)
  • sciencescotland.org (again)
  • paramountcomedy.com (again)
  • drdrew.com (again)
  • gisp.org (again)
  • legis.state.ia.us (Iowa State legislature)
  • modernamuseet.se (Stockholm Museum)
  • calbears.berkeley.edu (University)
  • reportchildsex.com (Child protection)
  • cas.org.uk (Citizen's Advice Scotland)
  • tcpmap.com (Technlogy magazine)
  • randomhouse.com.au (Random House publishers, Australia)
  • ispyni.com (Northern Ireland tourism)
There are a number of other sites, notably in Ireland, Australia and Canada hit too.

This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this:





2 comments:

rumblepup said...

we where hit with this attack.
check out
http://www.rumblepup.com/the-xiaobaishan-bomb-thousands-of-sites-hacked/

rumblepup said...

UPDATE:
http://www.rumblepup.com/the-xiaobaishan-bomb-is-now-the-flyzhu-bomb/