[nsp-sec] Thoughts on the mass SQL injections

Chris Morrow morrowc at ops-netman.net
Mon Jun 23 12:40:55 EDT 2008



On Mon, 23 Jun 2008, Smith, Donald wrote:

> Chris, do you mean they disabled the query being used by the sql
> injection tool?
> Infected site queries still seem to be working.
>

I believe someone disabled the query that lists out the sites to infect...

>
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
>> -----Original Message-----
>> From: Chris Morrow [mailto:morrowc at ops-netman.net]
>> Sent: Monday, June 23, 2008 9:59 AM
>> To: Smith, Donald
>> Cc: Seth Hall; nsp-security NSP
>> Subject: Re: [nsp-sec] Thoughts on the mass SQL injections
>>
>>
>>
>> On Mon, 23 Jun 2008, Smith, Donald wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> The main tool being used uses google to find .asp enabled sites.
>>> http://isc.sans.org/diary.html?storyid=4294
>>>
>>> I have used google to find infections. However I have not begun any type
>>> of notification as there are just too many sites.
>>> I suspect you're correct about the usefulness of the google results to the
>>> bad guys.
>>
>> I think, thought someone chunked the particular query type 2+ weeks ago so
>> it'd return nothing or some interstitial page... if there's an example
>> query I can take a poke around.
>>
>>>
>>>
>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>> Donald.Smith at qwest.com giac
>>>
>>>> -----Original Message-----
>>>> From: nsp-security-bounces at puck.nether.net
>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Seth Hall
>>>> Sent: Monday, June 23, 2008 7:48 AM
>>>> To: nsp-security NSP
>>>> Subject: [nsp-sec] Thoughts on the mass SQL injections
>>>>
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> I was doing a search on google for one of the domain names being
>>>> injected to add malicious javascript to web pages and I suddenly
>>>> realized that the combination of these domain names[1] and google
>>>> searches, malicious individuals could easily hunt for verified SQL
>>>> injection vulnerabilities.  Based on my attacks against sites on our
>>>> network, I can only imagine how many of these sites have sensitive
>>>> data which is just waiting for someone to come along and take
>>>> advantage of it.
>>>>
>>>> To the Google guys, is anyone there working to remove or hide these
>>>> results from searches?  It seems like it could be a boon to the
>>>> internet community at large if these vulnerable sites weren't quite so
>>>> easy to find.
>>>>
>>>>    .Seth
>>>>
>>>> 1. http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
>>>>
>>>> ---
>>>> Seth Hall
>>>> Network Security - Office of the CIO
>>>> The Ohio State University
>>>> Phone: 614-292-9721
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>> community. Confidentiality is essential for effective
>>>> Internet security counter-measures.
>>>> _______________________________________________
>>>>
>>>>
>>>
>>>
>>> This communication is the property of Qwest and may contain confidential or
>>> privileged information. Unauthorized use of this communication is strictly
>>> prohibited and may be unlawful.  If you have received this communication
>>> in error, please immediately notify the sender by reply e-mail and destroy
>>> all copies of the communication and any attachments.
>>>
>>>
>>>
>>
>
