A fresh round of SQL injections seems to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js. This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.
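
One way to check stored site content for this kind of injection, as an added example that is not part of the original post: it scans text fields for script or IFRAME tags that load from the hosts named above, or that pull an off-site script.js or style.js (the two script names this post reports). The sample rows, the `example` hosts and the assumption that the injected markup is a plain tag with a `src` attribute are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Script names and hosts as given in the post's text.
SCRIPT_NAMES = {"script.js", "style.js"}
NAMED_HOSTS = {"www.lijg.ru", "www.dbrgf.ru", "google-analitycs.lijg.ru"}

class _TagScan(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in ("script", "iframe") or not src:
            return
        try:
            url = urlsplit(src.strip())
        except ValueError:
            return  # unparsable URL, nothing to compare
        host = (url.hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # relative or first-party reference
        name = posixpath.basename(url.path).lower()
        if host in NAMED_HOSTS:
            reason = "host named in the post"
        elif tag == "script" and name in SCRIPT_NAMES:
            reason = "off-site " + name  # heuristic: review, may be a legitimate CDN
        else:
            return
        self.findings.append((tag, host, reason))

def scan_field(text, own_hosts):
    """Return (tag, host, reason) for each suspicious tag in one stored text field."""
    scanner = _TagScan(own_hosts)
    scanner.feed(text)
    scanner.close()
    return scanner.findings

def scan_rows(rows, own_hosts):
    return [(col, pk, hit) for col, pk, value in rows for hit in scan_field(value, own_hosts)]

# Constructed sample rows: (table.column, primary key, stored value).
ROWS = [
    ("articles.title", 1, "Spring sale<script src=http://www.lijg.ru/script.js></script>"),
    ("articles.body", 2, '<p>Hello</p><script src="/static/script.js"></script>'),
    ("articles.body", 3, '<script src="http://cdn.example.net/style.js"></script>'),
]
```

Calling `scan_rows(ROWS, {"www.example.com"})` reports rows 1 and 3; the second kind of hit is a name-based heuristic and needs a human look before anything is cleaned up.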
Including some older domains, the following appear to be active, calling either script.js or style.js.
For the record, the domain registrations are as follows: