Sponsored by..

Monday 22 December 2008

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
Some notable impacted sites:
  • frontweb.vuse.vanderbilt.edu (Vanderbilt University)
  • maryvillecollege.edu (Maryville College)
  • guildford.ac.uk (Guildford University)
  • many .gov.ar (Argentina) and .gov.cn (China) sites
  • navigationusa.com (Online retailer)
  • worldcricketstore.com (Online retailer)
A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).

No comments: