[nsp-sec] SQL injections in focus

Smith, Donald Donald.Smith at qwest.com
Mon May 12 10:56:24 EDT 2008


I think we have to keep playing whack-a-mole and get these sites down, but
the root cause also has to be addressed.
Otherwise we will continue to see new secondary sites set up for the
exploits/malware and the whack-a-mole game will become an infinite loop
operation :)

From Dominic's write-up:

"Several of the sites in South Africa I've been watching have been
re-infected. I spoke to several of the admins, but it seems they are
just restoring from backup and not fixing the root cause."


I am interested in suggestions, but I think the handlers are going to
recommend people run one of (or several of) the SQL "mapping/injection"
tools such as sqlmap.
http://sqlmap.sourceforge.net/


RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Huopio Kauto
> Sent: Monday, May 12, 2008 6:13 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] SQL injections in focus
> 
> ----------- nsp-security Confidential --------
> 
> Hello all, 
> 
> Dominic White has written an update at his blog 
> on the SQL injection attack situation:
> 
> http://singe.za.net/blog/archives/906-SQL-injections-going-mad.html
> 
> A quick analysis on the domains mentioned at the blog entry:
> 
> nihaorr1.com.           2843    IN      A       60.169.3.130
> 4134    | 60.169.3.130     | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> 2117966.net	is NXDOMAIN at the moment
> 
> aspder.com.             3600    IN      A       60.172.219.4
> 4134    | 60.172.219.4     | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> haoliuliang.net.        7200    IN      A       0.0.0.0
> 
> nmidahena.com is NXDOMAIN at the moment
> 
> free.hostpinoy.info.    86400   IN      A       209.51.196.254
> 10297   | 209.51.196.254   | COLUMBUSNAP - The Columbus Network Access
> Point, Inc.
> 
> xprmn4u.info.           14400   IN      A       217.199.217.9
> 34221   | 217.199.217.9    | QL-AS JSC QUICKLINE Autonomous System
> 
> winzipices.cn.          3600    IN      A       60.191.239.221
> 4134    | 60.191.239.221   | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> wowgm1.cn.                     IN      A 
> blank A-record
> 
> killwow1.cn.            3600    IN      A       60.169.3.130
> 4134    | 60.169.3.130     | CHINANET-BACKBONE No.31,Jin-rong Street
> 
> wowyeye.cn.                    IN      A
> blank A-record
> 
> Any comments/observations on this issue?
> 
> --Kauto
> 
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority  / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131




