This SQL Injection attack seems to be aimed at Chinese language sites. The code injected points to http://%61%76%65%32%2E%63%6E, which is trivially encoded and is a reference to ave2.cn hosted on 219.129.239.251.

ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).

Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as being VERY dangerous.
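
For site owners checking whether their own database content was hit, the percent-encoded hostname is itself a useful signal, because letters, digits and dots never need encoding. The following is an added example, not code from the original post: it scans stored text fields for URLs whose host is needlessly percent-encoded and reports the decoded host. The sample rows, the `<script>` wrapper and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters: these never need percent-encoding,
# so finding them encoded inside a hostname suggests deliberate obfuscation.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

# Scheme plus authority only; stops at the first slash, quote, bracket or space.
URL_RE = re.compile(r"""https?://[^\s"'<>/]+""", re.IGNORECASE)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def find_obfuscated_hosts(text):
    """Return (raw_url, decoded_host) for URLs whose host needlessly percent-encodes characters."""
    hits = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        host = raw.split("://", 1)[1]
        needless = [h for h in PCT_RE.findall(host) if chr(int(h, 16)) in UNRESERVED]
        if needless:
            hits.append((raw, unquote(host).lower()))
    return hits


def scan_rows(rows):
    """Map row id -> decoded hosts for every row that contains an obfuscated URL."""
    report = {}
    for row_id, value in rows.items():
        hosts = [host for _, host in find_obfuscated_hosts(value)]
        if hosts:
            report[row_id] = hosts
    return report


# Constructed sample rows (not taken from a real database).
SAMPLE_ROWS = {
    1: "Blue widget<script src=http://%61%76%65%32%2E%63%6E></script>",
    2: 'See <a href="http://example.com/a%20b">the manual</a>',
    3: "Plain description with no links",
}

if __name__ == "__main__":
    for row_id, hosts in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: obfuscated host(s) decode to {hosts}")
```

Row 2 is not flagged because its encoding sits in the path and encodes a space, which is legitimate; only encoding of unreserved characters in the host part is treated as suspicious.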

Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding: