Sponsored by..

Showing posts with label SQL Injection. Show all posts
Showing posts with label SQL Injection. Show all posts

Wednesday 1 August 2012

xinthesidersdown.com injection attack in progress

There is currently an injection attack using a script pointing to [donotclick]xinthesidersdown.com/sl.php  doing the rounds. The malicious code is hosted on 194.28.115.150, the same IP address as used in this attack yesterday.

Saturday 2 April 2011

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com


Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com

Sunday 4 October 2009

Injection attacks: adbnr.ru

adbnr.ru seems to be the latest domain to be used by the bad guys in this current round of injection attacks. The injected code to look for is adbnr.ru/ads.js (obviously don't visit that page unless you know what you are doing). That leads to a heavily obfuscated piece of Javascript which I haven't dissected yet.. but really there is no doubt that it is going to try to do something very bad to your computer!

Domain is registered to:
domain: ADBNR.RU
type: CORPORATE
nserver: ns1.adbnr.ru. 75.155.243.39
nserver: ns2.adbnr.ru. 173.93.171.160
nserver: ns3.adbnr.ru. 71.108.37.140
nserver: ns4.adbnr.ru. 67.84.154.208
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 812 5706062
e-mail: omit@blogbuddy.ru
registrar: REGRU-REG-RIPN
created: 2009.09.29
paid-till: 2010.09.29
source: TC-RIPN

Both the telephone number and email address have been connected with malware attacks before.

Looks like it is using a fast flux botnet for hosting, but blocking adbnr.ru should be effective.

Thursday 1 October 2009

ads-t.ru and adtcp.ru: Asprox is back

I haven't had time to look at this fully, but it seems that a fresh round of Asprox attacks have started after several months of inactivity - in this case the domains ads-t.ru and adtcp.ru are in use.

Read more at CyberCrime & Doing Time.

Wednesday 25 February 2009

SQL injection attack: telecom.dgnet.net

This seems to be an emergent threat at this moment - a number of ASP / SQL / Windows site have been hit with a SQL injection attack with the following injected Javascript: telecom.dgnet.net/images/pen.gif. Yeah it says GIF, but it isn't.

The site telecom.dgnet.net is at 121.14.137.36, this forwards to another site at www.batnigt.com/ver.htm (on obviously, do NOT visit that site) which tries to run a number of exploits on visitors PCs, including what appears to be an old ADODB.stream exploit (perhaps MS04-024), the Snapshot viewer exploit (MS08-041) and some sort of exploit for RealPlayer plus what MIGHT be an exploit for MS05-020 (but I need to look at this further). If a visitor's PC is up-to-date on Microsoft patches and does not have RealPlayer then it should probably be OK.

If you manage client PCs, then block or monitor for telecom.dgnet.net and batnigt.com. If your server has been infected with this attack then you need to clean up the database and then sanitize your SQL inputs.. try Googling for that term.

Sunday 8 February 2009

Good new. Bad news.

A couple of items of interest from The Register:

OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.

Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.

Friday 23 January 2009

Asprox: dbrgf.ru

Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.

It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.

Wednesday 21 January 2009

Asprox: lijg.ru and dbrgf.ru

A fresh round of SQL injections seem to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.

This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.

Including some older domains, the following list seem to be active, either calling script.js or style.js.

  • www.lijg.ru
  • www.dbrgf.ru
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
  • www.msngk6.ru
  • www.dft6s.kz
For the record, the domain registrations are as follows:

domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN


domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN

Tuesday 6 January 2009

Ongoing injection attacks against Chinese domains

This looks like a case of the Chinese hacking the Chinese again, with a very large number of domains being injected into legitimate sites. Two IPs to block are 121.14.152.154 and 59.34.197.15. For most companies outside of AsiaPac it may well be feasible to block or monitor all traffic to .cn domains.

The following domains are being used in the injection attacks (there are probably many others in a similar format):

  • Aznylsf.cn
  • Bznylsf.cn
  • Ccswzx3.cn
  • Ccswzx9.cn
  • Cznylsf.cn
  • Eqw002.cn
  • Eqw003.cn
  • Eqw004.cn
  • Eqw006.cn
  • Eqw008.cn
  • Eqw009.cn
  • Eznylsf.cn
  • Falaliee.cn
  • Falaliii.cn
  • Falalioo.cn
  • Falaliqq.cn
  • Falalitt.cn
  • Fznylsf.cn
  • Gznylsf.cn
  • Hhj2.cn
  • Hhj3.cn
  • Hryspac.cn
  • Hryspah.cn
  • Hryspan.cn
  • Hryspao.cn
  • Hryspap.cn
  • Hryspaq.cn
  • Hryspav.cn
  • Hznylsf.cn
  • Iznylsf.cn
  • Jym562.cn
  • Jzll-1.cn
  • Jzll-2.cn
  • Jzll-4.cn
  • Jzll-9.cn
  • Jznylsf.cn
  • Kznylsf.cn
  • Rxgsslla.cn
  • Rxgsslld.cn
  • Rxgsslll.cn
  • Rxgssllt.cn
  • Sllanmb.cn
  • Sllbnmb.cn
  • Slldnmb.cn
  • Sllinmb.cn
  • Sznylsf.cn
  • Tznylsf.cn
  • Vvk2.cn
  • Wrmfwa.cn
  • Wrmfwb.cn
  • Wrmfwc.cn
  • Wrmfwd.cn
  • Wrmfwe.cn
  • Wrmfwf.cn
  • Wrmfwg.cn
  • Wrmfwi.cn
  • Wrmfwj.cn
  • Wrmfwl.cn
  • Wrmfwn.cn
  • Wrmfwo.cn
  • Wrmfwp.cn
  • Wrmfwq.cn
  • Wrmfwt.cn
  • Wrmfwu.cn
  • Wrmfwz.cn
  • Wxjyb.cn
  • Wznylsf.cn
  • Xznylsf.cn
  • Yznylsf.cn
  • Zdq004.cn
  • Zdq005.cn
  • Zdq009.cn
  • Zdq010.cn
  • Zgcgsslle.cn
  • Zgcgssllf.cn
  • Zghncsa.cn
  • Zghncsi.cn
  • Zghncsj.cn
  • Zghncsl.cn
  • Zghncsm.cn
  • Zghncsp.cn
  • Zghncsr.cn
  • Zghncst.cn
  • Zgynkmb.cn
  • Zgynkmd.cn
  • Zgynkmf.cn
  • Zgynkmg.cn
  • Zgynkmk.cn
  • Zgynkms.cn
  • Zznylsf.cn

Monday 29 December 2008

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:
  • www.msngk6.ru
  • www.dft6s.kz
These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.

Monday 22 December 2008

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
Some notable impacted sites:
  • frontweb.vuse.vanderbilt.edu (Vanderbilt University)
  • maryvillecollege.edu (Maryville College)
  • guildford.ac.uk (Guildford University)
  • many .gov.ar (Argentina) and .gov.cn (China) sites
  • navigationusa.com (Online retailer)
  • worldcricketstore.com (Online retailer)
A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).

Wednesday 19 November 2008

ISC: Large quantity SQL Injection mitigation

The ISC have given some good guidance on SQL injection mitigation, in case your server has been hit by Asprox or something similar. It's complicated stuff, and if you don't understand it, then it is definitely worth hiring a professional to fix your database.

Friday 24 October 2008

Asprox: 47mode.name, berjke.ru, 81dns.ru

There has been a shift overnight in the domains used in the Asprox SQL injection attack, the ones to look for are:

  • 47mode.name
  • berjke.ru
  • 81dns.ru
Registration for the .ru domains looks like this:

domain: 81DNS.RU
type: CORPORATE
nserver: ns1.81dns.ru. 76.240.151.177
nserver: ns2.81dns.ru. 76.182.187.206
nserver: ns3.81dns.ru. 69.62.229.141
state: REGISTERED, DELEGATED
person: Private Person
phone: +3 212 7721130
fax-no: +3 212 7721130
e-mail: igorlsoloti@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.23
paid-till: 2009.10.23
source: TC-RIPN
47mode.name is different:

Registration Service Provided By: RESELL.BIZ
Contact: +1.3124476810
Website: http://Resell.biz

Domain Name: 47MODE.NAME

Registrant:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Creation Date: 21-Oct-2008
Expiration Date: 21-Oct-2009

Domain servers in listed order:
ns3.47mode.name
ns2.47mode.name
ns1.47mode.name

Administrative Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Technical Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Billing Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Status:ACTIVE
It looks like "Kimberly Maupin" might well be a real person living in Sneads Ferry, who's identity has been "borrowed". However, the ZIP code is incorrect and the telephone number appears to be in Bolivia.

Anyway, block these domains or check your logs for them.

Thursday 16 October 2008

Asprox: lang42.ru

Another Asprox SQL injection domain to block / check for is lang42.ru. The following domains have been active in the past 24 hours:
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • lang42.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
As I've said before, completely blocking access to .ru domains for most businesses would be a huge problem. Most .ru sites are in Russian, and if you don't use Russian in your business they you can probably live without them.

Wednesday 15 October 2008

Asprox: new domains

After being stable for some time, the Asprox SQL injection hacks are now redirecting through a new bunch of .ru domains.
  • 30area.ru
  • 4log-in.ru
  • 53refer.ru
  • chk06.ru
  • driver95.ru
  • errghr.ru
  • netcfg9.ru
  • sitevgb.ru
  • vrelel.ru
WHOIS details are:

domain: ERRGHR.RU
type: CORPORATE
nserver: ns2.errghr.ru. 68.6.180.109
nserver: ns3.errghr.ru. 68.12.194.192
nserver: ns1.errghr.ru. 199.126.149.144
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727727
fax-no: +7 772 7727727
e-mail: retyi111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.09
paid-till: 2009.10.09
source: TC-RIPN

retyi111@yahoo.com has been used before for these domains and various other nasties. As usual, block these domains and/or check your logs for them.

Monday 6 October 2008

Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkable stable with no new domains in the past week, and 88% of the traffic going to deryv.ru.

  • ctiry.ru (3%)
  • deryv.ru (88%)
  • mentoe.ru (4%)
  • mheop.ru (3%)
  • pormce.ru (2%)

Consistently, the malware code is encrypted with eval(function(p,a,c,k,e,d) presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Monday 29 September 2008

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

  • ctiry.ru
  • deryv.ru
  • mentoe.ru
  • mheop.ru
  • pormce.ru
  • xenbv.ru

Thursday 25 September 2008

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL Injection Attacks in that they are now using a packer on their javascript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example)

You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence
of Javascript-based malware and the ever-increasing availability of bandwidth, Javascript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so perhaps if you use Javascript extensive and use a packing tool you might want to reconsider how you deploy Javascript on your site.

Wednesday 24 September 2008

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru
The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.


Thursday 18 September 2008

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

  • mnbenio.ru
  • mnicbre.ru
  • pkseio.ru
  • vtg43.ru
It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?