Sponsored by..

Showing posts with label Asprox. Show all posts
Showing posts with label Asprox. Show all posts

Tuesday 15 July 2008

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

  • adpzo.com
  • adwnetw.com
  • ausbnr.com
  • bkpadd.mobi
  • butdrv.com
  • cdport.eu
  • cdrpoex.com
  • cliprts.com
  • gbradde.tk
  • gbradp.com
  • gitporg.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tctcow.com
  • tertad.mobi
  • usabnr.com
These are still using ngg.js in the injected code.

Thursday 10 July 2008

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • crtbond.com
  • destad.mobi
  • destbnp.com
  • drvadw.com
  • gbradw.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tertad.mobi
  • usaadw.com
  • usabnr.com
No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

  • bkpadd.mobi
  • tctcow.com

Wednesday 9 July 2008

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • cliprts.com
  • crtbond.com
  • destbnp.com
  • drvadw.com
  • gbradp.com
  • gbradw.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • tctcow.com
  • usaadp.com
  • usaadw.com
  • usabnr.com

Monday 7 July 2008

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

  • adbtch.com
  • aladbnr.com
  • allocbn.mobi
  • adwadb.mobi
  • apidad.com
  • appdad.com
  • asodbr.com
  • asslad.com
  • blcadw.com
  • blockkd.com
  • bnradd.mobi
  • bnrbase.com
  • bnrbasead.com
  • bnrbtch.com
  • browsad.com
  • brsadd.com
  • canclvr.com
  • catdbw.mobi
  • clrbbd.com
  • dbgbron.com
  • ktrcom.com
  • loctenv.com
  • lokriet.com
  • mainadt.com
  • mainbvd.com
  • portadrd.com
  • portwbr.com
  • stiwdd.com
  • ucomddv.com
  • upcomd.com
If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Thursday 3 July 2008

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

  • adwadb.mobi
  • allocbn.mobi
  • canclvr.com
  • catdbw.mobi
  • ktrcom.com
  • lokriet.com
  • mainbvd.com
  • portwbr.com
  • stiwdd.com
  • testwvr.com
  • upcomd.com
  • ucomddv.com
The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Wednesday 2 July 2008

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

  • adupd.mobi
  • adwste.mobi
  • bnrupdate.mobi
  • cntrl62.com
  • config73.com
  • cont67.com
  • csl24.com
  • debug73.com
  • default37.com
  • get49.net
  • pid72.com
  • pid76.net
  • web923.com

Best advice to to block access to these sites and check your logs.

Monday 30 June 2008

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Thursday 26 June 2008

Asprox: list of domains and mitigation steps

The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.