
SANS ISC InfoSec Handlers Diary Blog


Hundreds of thousands of SQL injections

Published: 2008-04-24
Last Updated: 2008-04-25 13:47:50 UTC
by donald smith (Version: 2)
1 comment(s)

Hundreds of thousands of SQL injections UPDATE.
It is recommended that you block access to hxxp:/ and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.

1.js is the file they are currently injecting; that could change. It has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications, including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site, as you are very likely to get infected. Trend Micro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP.
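A defender checking whether their own site was hit by this campaign needs to find stored content that now carries a script reference to a foreign host. The following is an added example (not from the diary or from Shadowserver): it scans rows exported from a site's database for `<script src=...>` tags, including the unquoted form used by the mass injections, and reports any whose host is not on the site's allowlist. The sample rows and the host `attacker.example` are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src=VALUE>, with VALUE quoted or (as in the mass
# injections) unquoted, case-insensitively.
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def script_host(src):
    """Lowercase hostname a script src points to, or None for relative
    references, which are served by the site itself."""
    if src.startswith("//"):
        src = "http:" + src          # scheme-relative URL
    elif "://" not in src:
        return None                  # relative path, not a foreign host
    return (urlparse(src).hostname or "").lower() or None


def find_injected_scripts(rows, allowed_hosts):
    """Return one finding per script tag whose host is not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for table, column, row_id, text in rows:
        if not text:
            continue
        for match in SCRIPT_SRC.finditer(text):
            src = match.group(1)
            host = script_host(src)
            if host and host not in allowed:
                findings.append({"table": table, "column": column,
                                 "id": row_id, "host": host, "src": src})
    return findings


# Constructed sample rows: (table, column, primary key, stored text).
SAMPLE_ROWS = [
    ("products", "description", 1,
     "Blue widget, 2 pack.<script src=http://attacker.example/1.js></script>"),
    ("products", "description", 2, "Red widget, 5 pack."),
    ("news", "body", 7,
     '<p>Opening hours</p><SCRIPT SRC="HTTP://Attacker.example/1.js"></SCRIPT>'),
    ("news", "body", 8,
     '<script src="/static/menu.js"></script>'
     '<script src="https://www.example-city.gov/a.js"></script>'),
    ("news", "body", 9, None),
]

if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_ROWS, {"www.example-city.gov"}):
        print(f"{f['table']}.{f['column']} id={f['id']} -> {f['host']} ({f['src']})")
```

Run against a dump of every text column, the output tells you which rows to clean and which foreign hosts to block at the border.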

The crew over at Shadowserver has published additional information related to the SQL-injected sites. They included the botnet controller's IP address and a content-based Snort signature for the bot control traffic that is not IP dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.

They have hit city websites, commercial sites and even government websites. This type of injection pretty much nullifies the concept of a “trusted website” or “safe site”.

The Register covered it, stating their search returned 173k injected results:
The number I received doing the same search was 226k. Those are not all unique websites; many sites got hit more than once.

Lou, a self-described “accidental techie”, has been discussing it, as they have been reinjecting this into his database/website “every other day”.
Websense has good information on it here:

We covered the injection tool, the methods to prevent injections and other details here:
