
SQL injection attacks...
111 replies to this topic

#91 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 November 2010 - 01:50 PM

FYI...

Websense in error blaming WordPress ...
- http://www.whitefird...press-hackings/
November 15, 2010 - "In Websense’s 2010 Threat Report they listed WordPress Attacks as one of the significant events of the year**... The hacks they refer to were actually hacks that targeted hosting providers that would allow malicious code to be added to websites hosted with the provider whether they were running WordPress, other software, or no software at all. In most of the hacks the malicious code was placed in all files that had a .php extension. WordPress, by the nature of being the most popular web software, was the most often affected, but all web software that have files with a .php extension were also affected. In other cases the hacks targeted database fields specific to WordPress, but they could have affected any other software that utilized a database if the hacker had chosen to target them instead of WordPress. Websense is not alone in making these false claims; other supposed security experts also made similar claims and some hosting providers have attempted to lay blame on WordPress. Network Solutions was the only one to later apologize for blaming WordPress...*"
* http://blog.networks...-not-the-issue/

** http://www.websense....-wordpress.aspx

:( :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#92 AplusWebMaster


Posted 28 March 2011 - 06:51 AM

FYI...

MySQL and Sun hacked...
- http://nakedsecurity...-sql-injection/
March 27, 2011 - "Proving that no website is ever truly secure, it is being reported that MySQL.com has succumbed to an SQL injection attack. It was first disclosed to the Full Disclosure mailing list*... Several accounts had passwords like "qa". The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site... MySQL's parent company Sun/Oracle has also been attacked**. Both tables and emails were dumped from their databases, but no passwords. It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites... It was noted on Twitter that mysql .com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied."
* http://seclists.org/..._medium=twitter

** http://tinkode27.bay...-sql-injection/

- http://blog.sucuri.n...ompromised.html
March 27, 2011 - "... If you have an account on MySQL.com, we recommend changing your passwords ASAP..."

- https://www.computer...njection_attack
March 28, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 02 December 2011 - 11:30 AM.



#93 AplusWebMaster


Posted 29 March 2011 - 05:30 PM

FYI...

SQL mass injection hits over 28,000 URLs including iTunes
- http://community.web...ing-itunes.aspx
29 Mar 2011 - "Websense... has identified a new malicious mass-injection campaign that we call LizaMoon...
The LizaMoon mass-injection is a SQL injection attack...
< script src=hxxp ://lizamoon .com/ur.php></script >
According to a Google Search, over 28,000 URLs have been compromised. This includes several iTunes URLs... The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site:
hxxp ://defender-uqko .in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet. The domain lizamoon .com was registered three days ago with clearly fake information... We'll keep monitoring this mass-injection attack and provide updated information as it's available."
(Screenshots and more detail available at the Websense URL above.)
___

urgent block: lizamoon .com and defender-uqko .in
- http://www.malwaredo...rdpress/?p=1728
March 30th, 2011 - "Websense... is reporting a mass sql injection attack of over 28000 sites... We’ll be adding this site (and defender-uqko .in) on tonight’s update, but you shouldn’t wait... add these sites to your blocklists ASAP."

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 02 December 2011 - 10:35 AM.



#94 AplusWebMaster


Posted 31 March 2011 - 04:22 AM

FYI...

380,000 226,000 28000 URLs whacked...
- http://community.web...ing-itunes.aspx
2011-03-31 01:58
"UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon .com."

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 31 March 2011 - 05:38 PM.



#95 AplusWebMaster


Posted 01 April 2011 - 04:17 AM

FYI...

- http://blog.sucuri.n...hp-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/
___

Update on LizaMoon mass-injection...
- http://community.web...-injection.aspx
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."
(Screenshots and more detail at the Websense URL above.)

- http://isc.sans.edu/...l?storyid=10642
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside from the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
- http://isc.sans.edu/...g=sql injection

- http://www.theregist...jection_attack/
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."

- http://blog.trendmic...still-on-going/
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."

- http://ddanchev.blog...ion-attack.html
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."
(More detail at the ddanchev.blogspot URL above.)
- http://www.virustota...e95c-1301586582
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
There is a more up-to-date report...
- http://www.virustota...e95c-1301722562
File name: a.exe
Submission date: 2011-04-02 05:36:02 (UTC)
Result: 24/42 (57.1%)
___

Lizamoon SQL Injection: 7 Months Old and Counting
- http://blog.scansafe...d-counting.html
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."

- http://nakedsecurity...-sql-injection/
April 1, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 April 2011 - 08:42 AM.



#96 AplusWebMaster


Posted 07 April 2011 - 10:45 AM

FYI...

Database Injection on Joomla Websites...
- http://blog.sucuri.n...nter-cz-cc.html
April 6, 2011 - "It seems that a good amount of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection), via an unknown source (probably a vulnerable extension, but we are still researching the entry point). This is what is being added to the infected sites (at the top of every post in the jos_content table):
< script type="text/javascript" src="http://yourstatscoun...scounter307.js" >< /script >
There are many other domains being used in this attack, including:
http ://faststatscounter.co.cc/statscounter01935 .js
http ://yourstatscounter.cz.cc/statscounter301 .js
http ://yourstatscounter.co.cc/statscounter307 .js
http ://easystatscounter.co.cc/statscounter12 .js
http ://supergoogleanalytics.co.cc/
Note that those are different from the Lizamoon SQL injection of a few days ago. The Lizamoon was targeting IIS/ASP.net sites, while this one seems to be targeted only to Joomla sites.... site might be hacked(?), check it using our malware scanner*..."
* http://sitecheck.sucuri.net/

- http://google.com/sa...scounter.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...scounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...scounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...scounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...nalytics.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
___

Thousands of osCommerce sites infected...
- http://blog.sucuri.n...-khcol-com.html
April 5, 2011 - "... we are seeing thousands of osCommerce sites infected with a malware pointing to http ://khcol .com...
> Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon...
> Update 2: Other domains being used in this attack: solomon-xl .cz.cc, thescannerantiv .com, searchableantiv .com, www1 .checker-network-hard .cz.cc and many others."

- http://safebrowsing....site=khcol.com/
"... last time suspicious content was found on this site was on 2011-04-08... Malicious software includes 2861 scripting exploit(s), 64 trojan(s), 1 exploit(s)... Over the past 90 days, khcolm .com appeared to function as an intermediary for the infection of 1149 site(s)... This site was hosted on 1 network(s) including AS17408..."
- http://safebrowsing....c?site=AS:17408
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... The last time Google tested a site on this network was on 2011-04-07, and the last time suspicious content was found was on 2011-04-07... we found 5 site(s) on this network... that appeared to function as intermediaries for the infection of 1152 other site(s)..."

- http://google.com/sa...lomon-xl.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...annerantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...hableantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/sa...ork-hard.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 08 April 2011 - 03:05 PM.



#97 AplusWebMaster


Posted 12 April 2011 - 10:31 AM

FYI...

Barracuda Networks - hacked via a SQL injection attack
- http://www.darkreadi...le/id/229401358
Apr 11, 2011 - "... Barracuda Networks*... confirmed that its corporate website indeed had been hacked via an SQL injection attack, and names and emails of customers and partners, including some hashes of salted passwords, exposed..."
* http://blog.barracud...waf-importance/

:ph34r: <_<



#98 AplusWebMaster


Posted 19 April 2011 - 06:22 PM

FYI...

Mass Injections Leading to g01pack Exploit Kit
- http://community.web...xploit-Kit.aspx
19 Apr 2011 - "... detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases... The first phase of the attack is a typical vector** for exploit kits to drive traffic to their sites: script injections. Script HTML code is put on legitimate Web sites meant to drive traffic to the attack kits without the victim's knowledge. In this case, legitimate sites are injected with malicious JavaScript... In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site... The exploit kit can basically be described as a drive-by download site used in the third and final phase of this attack. Its intent is to scan, attack, and run malicious code on the visitor's computer. If -one- of the exploit kit's Web attacks is successful, it could put malware on a victim's computer that is meant to remotely control the computer. The binary that this kit tries to run on target computers has low detection* as a Rogue AV installation. As is typical, the exploit kit's Web attack code is obfuscated... We were able to access the admin panel and confirm that this site is hosting an installation of g01pack malware tool..."
* http://www.virustota...56a1-1303197157
File name: JwWeagugDQKT.exe
Submission date: 2011-04-19 07:12:37 (UTC)
Result: 15/42 (35.7%)
There is a more up-to-date report...
- http://www.virustota...56a1-1303729645
File name: JwWeagugDQKT.exe
Submission date: 2011-04-25 11:07:25 (UTC)
Result: 30/40 (75.0%)

** http://community.web...ing-itunes.aspx
29 Mar 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 07 May 2011 - 04:33 AM.



#99 AplusWebMaster


Posted 24 October 2011 - 06:48 AM

FYI...

Mass SQL Injection attack hits 1 million sites
- http://www.darkreadi...le/id/231901236
Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported an injected script dropped on ASP.NET websites that loads an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
* http://blog.armorize...-infection.html
"... The script causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass injection incident is targeting ASP ASP.NET websites..."
> https://www.virustot...77aa-1319203779
File name: file-2979089_
Submission date: 2011-10-21 13:29:39 (UTC)
Result: 30/42 (71.4%)
___

Dissecting the Ongoing Mass SQL Injection Attack
- http://ddanchev.blog...-injection.html
Oct 20, 2011

- https://encrypted.google.com/ ...
Oct. 25, 2011 - "... about 1,610,000 results..."

:ph34r: :( :ph34r:

Edited by AplusWebMaster, 26 October 2011 - 10:37 AM.



#100 AplusWebMaster


Posted 02 December 2011 - 06:41 AM

FYI...

Urgent Block: lilupophilupop-dot-com (SQL Injection)
- http://www.malwaredo...rdpress/?p=2213
December 2nd, 2011 - "(The ISC*) is reporting that there’s a SQLi campaign going on right now with the malicious domain lilupophilupop .com being injected into sites running MSSQL. We will block that domain on the next update but you shouldn’t wait…"
* https://isc.sans.edu...l?storyid=12127
Last Updated: 2011-12-02 11:24:01 UTC - "... discovered yesterday about 80 sites showed in Google... and a few minutes ago 4000+. Targets include ASP sites and Coldfusion... The attack seems to work on all versions of MSSQL..."
___

Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/sa...c?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-10, and the last time suspicious content was found was on 2011-12-10... Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com... that appeared to function as intermediaries for the infection of 190 other site(s)... We found 30 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that infected 2052 other site(s)..."

- http://blog.dynamoo....specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
inetnum: 194.28.112.0 - 194.28.115.255
netname: Specialist-ISP-PI2
descr: Specialist, Ltd.
Country: MD (Moldova)

- https://blogs.msdn.c...c...&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 10 December 2011 - 09:31 PM.



#101 AplusWebMaster


Posted 11 December 2011 - 08:26 AM

FYI... Significant SQLi inroads/growth continue... status update:

RE: https://isc.sans.edu...l?storyid=12127
UPDATE 8/12/2011 - "... number of sites infected is about 160,000 sites..."

Updated 2011-12-29: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/sa...c?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-29, and the last time suspicious content was found was on 2011-12-29... Over the past 90 days, we found 124 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 507 other site(s)... We found 300 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5064 other site(s)..."
___

- http://blog.dynamoo....ialist-ltd.html
12 December 2011 - "... the number of malicious sites has dropped, but there is still not a legitimate site in sight... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble..."

- https://blogs.msdn.c...c...&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

i.e.: https://zeustracker....h/blocklist.php
"... some ZeuS hosts are just hosted on an ip address and not on a domain..."

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 29 December 2011 - 05:30 AM.



#102 AplusWebMaster


Posted 31 December 2011 - 08:19 AM

FYI...

- http://blog.imperva....-injection.html
January 05, 2012
___

Lilupophilupop tops 1 million infected pages
- https://isc.sans.edu...l?storyid=12304
Last Updated: 2011-12-31 07:33:00 UTC - "... SQL injection attacks... about 1,070,000 in fact... to give you a rough idea of where the pages are:
UK - 56,300, NL - 123,000, DE - 49,700, FR - 68,100, DK - 31,000, CN - 505, CA - 16,600, COM - 30,500, RU - 32,000, JP - 23,200, ORG - 2,690..."

Updated: 2012-01-05: Diagnostic page for AS48691 (SPECIALIST)
- http://google.com/sa...c?site=AS:48691
"... The last time Google tested a site on this network was on 2012-01-05, and the last time suspicious content was found was on 2012-01-05... Over the past 90 days, we found 148 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 591 other site(s)... We found 452 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5522 other site(s)..."

- http://blog.dynamoo....ialist-ltd.html
12 December 2011 - "... No UN members recognise Transnistria*, and effectively it sits beyond the reach of international law enforcement... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255)..."

* https://en.wikipedia...ional_relations
___

- http://www.malwaredo...rdpress/?p=2338
January 3rd, 2012

- http://centralops.ne...ainDossier.aspx
... Information related to '194.28.112.0 - 194.28.115.255'...
netname: Specialist-ISP-PI2
descr: Specialist, Ltd.
country: MD ...
route: 194.28.112.0/22
origin: AS48691 ...

:rant2: :ph34r: <_< :ph34r:

Edited by AplusWebMaster, 06 January 2012 - 08:14 AM.



#103 AplusWebMaster


Posted 08 February 2012 - 05:59 AM

FYI...

Injection code masquerades as Google Analytics
- http://community.web...-analytics.aspx
7 Feb 2012 - "Websense... has discovered a new wave of injection of malicious code disguising itself as Google Analytics, by adopting similar code snippets and malicious domains... We found other similar domains like google-analytics[dot]su in this attack... it is highly obfuscated, hard to understand, but after all tricks it finally will -redirect- to IP address 37.59.74.145 which hosts Black Hole Exploit..."
(More detail at the websense URL above.)

:ph34r: <_< :ph34r:



#104 AplusWebMaster


Posted 01 March 2012 - 03:39 PM

FYI...

Plesk admin software actively exploited...
- http://h-online.com/-1446587
1 March 2012 - "A critical security vulnerability in the Plesk administration program is currently being actively used to compromise affected servers. Plesk is used most often by hosting providers and provides a web front-end for administering rented servers. The vulnerability seems to be an SQL injection problem, which an attacker can exploit to gain full administrative access to a system. Linux and Windows versions of Parallels Plesk Panel 7.6.1 - 10.3.1 are affected. Parallels, the company that publishes the software, has already fixed the vulnerability in the current versions and is even offering micro-updates whose only purpose is to fix the problem. Administrators should check the status of their Plesk version* immediately."
* http://kb.parallels.com/en/9294

Security advisory from Parallels: http://kb.parallels.com/en/113321

:ph34r: :ph34r:

Edited by AplusWebMaster, 01 March 2012 - 03:52 PM.



#105 AplusWebMaster


Posted 17 April 2012 - 05:47 PM

FYI...

Mass SQL injection campaign (180k+ pages compromised)
- http://blog.sucuri.n...ompromised.html
April 17, 2012 - "... tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them. Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to lizamoon from last year). When successful, it adds the following javascript to the compromised sites:
<script src= http ://nikjju .com/r.php ></script>
This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu .de .lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection... So far Google has identified 188,000 pages infected with that javascript call, but the number is growing really fast. It was less than 130,000 yesterday afternoon... The domain Nikjju .com (31.210.100.242) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th)... If you suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner*). You will also need to audit your code to make sure that any user input is sanitized before use...
We are seeing a few small .gov sites compromised as well (mostly from China):
jnd .xmchengdu .gov .cn
study .dyny .gov .cn
cnll .gov .cn
bj .hzjcy .gov .cn
mirpurkhas .gov .pk
tdnyw .gov .cn
gcjs .kaifeng .gov .cn ..."

* http://sitecheck.sucuri.net/scanner/

Urgent Block: nikjju .com and best-antiviruu .de .lv
- http://www.malwaredo...rdpress/?p=2606
April 17th, 2012

Nikjju Mass injection campaign (150k+ sites compromised)
> http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Thursday, April 19, 2012 15:40
Another mass SQL injection campaign is underway, affecting vulnerable ASP and ASP.NET sites.
Analysis: While SQL injection vulnerabilities have been known for years, they continue to cause problems ranging from mass injection attacks used to install malware on vulnerable site visitors to more serious attacks that exfiltrate sensitive data for personal, political or financial means. Attackers can also leverage a SQL injection issue to penetrate deeper into a network and move laterally, compromising targeted resources along the way. Code review and proper web application security assessment can help detect such bugs before criminals use them for malicious ends...

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 23 April 2012 - 05:54 PM.

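The ISC advice quoted in post #95 and the Sucuri note in post #105 both come down to the same defender-side check: the mass-injection campaigns in this thread (LizaMoon, the Joomla ".cc" wave, Nikjju) all write a `<script src=...>` tag into content rows, so a site owner can scan stored content for script tags that load from hosts the site does not own. The following scanner is an added example, not code from the thread or from any of the quoted sources; it assumes a SQLite stand-in for the MSSQL/MySQL tables the posts mention, a Joomla-style `jos_content` table, and an operator-maintained allowlist of script hosts.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: operator-maintained allowlist).
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com", "www.example.com"}

# <script ... src=URL> with or without quotes, tolerant of the loose spacing seen in the
# injected snippets quoted in this thread, e.g. "<script src= http://host/r.php ></script>".
SCRIPT_SRC_RE = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\s\"'>]+)", re.IGNORECASE)

# Table and column names come from the operator's configuration, never from request input;
# they are still validated before being interpolated into the SELECT below.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def external_script_hosts(html):
    """Return the set of script-source hosts in `html` that are not on the allowlist.

    Relative sources (no host) are local files and are ignored here; the ISC note in the
    thread covers those separately (watch the document root for files that appear suddenly).
    """
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html or ""):
        host = urlparse(src).netloc.lower()
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            hosts.add(host)
    return hosts


def scan_table(conn, table, key_col, text_cols):
    """Scan the given text columns of one table.

    Returns a list of (row key, column, offending host) tuples, one per injected host,
    in row order so the output can be diffed between runs.
    """
    for ident in (table, key_col, *text_cols):
        if not IDENT_RE.match(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    sql = f"SELECT {key_col}, {', '.join(text_cols)} FROM {table}"
    findings = []
    for row in conn.execute(sql):
        key, values = row[0], row[1:]
        for col, val in zip(text_cols, values):
            if isinstance(val, str):
                for host in sorted(external_script_hosts(val)):
                    findings.append((key, col, host))
    return findings


def demo():
    """Constructed sample: a Joomla-style jos_content table with clean and injected rows.

    The injected tags mirror the snippets quoted in the thread (lizamoon.com/ur.php,
    nikjju.com/r.php, yourstatscounter.co.cc/statscounter307.js); the article text is made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_content (id INTEGER PRIMARY KEY, title TEXT, introtext TEXT)")
    rows = [
        (1, "Welcome", '<p>Hello.</p><script src="https://ajax.googleapis.com/lib.js"></script>'),
        (2, "Spring sale", '<p>Prices.</p></title><script src=http://lizamoon.com/ur.php></script>'),
        (3, "Opening hours", '<script src= http://nikjju.com/r.php ></script><p>9 to 5.</p>'),
        (4, 'News<script src="http://yourstatscounter.co.cc/statscounter307.js"></script>',
         '<p>Update.</p><script type="text/javascript" '
         'src="http://yourstatscounter.co.cc/statscounter307.js" ></script>'),
    ]
    conn.executemany("INSERT INTO jos_content VALUES (?, ?, ?)", rows)  # parameterised insert
    return scan_table(conn, "jos_content", "id", ["title", "introtext"])


if __name__ == "__main__":
    for key, col, host in demo():
        print(f"row {key}: column {col} loads a script from {host}")
```

Run it against a read-only replica or a dump, and diff successive runs: a host that appears in thousands of rows between two runs is the signature of the campaigns described above.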