Sponsored by..

Thursday 10 July 2008

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • crtbond.com
  • destad.mobi
  • destbnp.com
  • drvadw.com
  • gbradw.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tertad.mobi
  • usaadw.com
  • usabnr.com
No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

  • bkpadd.mobi
  • tctcow.com

4 comments:

Unknown said...

I wonder if you have seen this site:

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

Note the domain and JS listed - hiwowpp.cn/ri.js - have you come across this one before?

Sandi

Conrad Longmore said...

That's a new one on me - I'm pretty certain that there are two crews here, one in China and one in Russia. The Russians seem to be the most prolific. The currentl bunch of .cn domains aren't resolving for me, could be that the registrar has nuked them.

Unknown said...

I have been hit pretty badly.

Ngg.js is the one that's called, domain names seem to be changed daily.

I managed to prevent some vital tables of my DB to be infected but I don't knwo where the source is and how to stop this.

I have sent an e-mail to VIVIDS, of course no answer. Is there any way we could get back at them, file a complaint, etc.?

Conrad Longmore said...

Vivids Media is just a reseller, you can report the domain for false WHOIS data (they are always false) to the actual registrar here:

http://www.publicdomainregistry.com/contactus/report-false-whois/

Yes, ngg.js is the current name for most of these scripts, although it does change (last week it was b.js).