In the past couple of weeks, thousands of websites were hit with an injection attack pointing to gumblar.cn.. this week it has changed to martuz.cn. It's not a SQL injection attack as far as I can tell, the smart money is that it is using compromised FTP credentials, possibly harvested from end-user PCs rather than a problem with the web server itself.
A typical attack is that JS files on the victim's server are altered with an obfuscated (i.e. partly encrypted) script which might vector through martuz.cn/vid/?id=5718066 or martuz.cn/vid/?id=575730 or something similar, then leading to martuz.cn/vid/?id=3 or another similarly named page (the exact URLs may vary depending on the client software).
There's a writeup about martuz.cn here and here, in the meantime blocking traffic to the domain and the IP address 95.129.145.58 will probably be a good idea.
No comments:
Post a Comment