[nsp-sec] SQL injections in focus as 23724

Smith, Donald Donald.Smith at qwest.com
Mon May 12 14:52:17 EDT 2008


Extra credit for replying to my own email:)

I just rechecked wwwDOTkisswow.com.cn and wwwDOTririwow.cn.

They have nothing but exploits on them and a small rant explaining WHY
they are doing injections:
In index.html is the "rant".

"This is a mass invasion.        Safeguard the motherland's dignity!
FUCK FRANCE!  FUCK CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276 at 163.com "

It appears kiss117276 AT 163.com is behind at least these two injection
sites.

RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Smith, Donald 
> Sent: Monday, May 12, 2008 8:56 AM
> To: 'Huopio Kauto'; 'nsp-security at puck.nether.net'
> Subject: RE: [nsp-sec] SQL injections in focus
> 
> I think we have to keep playing whack-a-mole and get these
> sites down but the root cause also has to be addressed.
> Otherwise we will continue to see new secondary sites set up
> for the exploits/malware and the whack-a-mole game will become
> an infinite loop operation:)
> 
> From Dominic's write-up:
> 
> "Several of the sites in South Africa I've been watching have 
> been re-infected. I spoke to several of the admins, but it 
> seems they are just restoring from backup and not fixing the 
> root cause."
> 
> 
> I am interested in suggestions but I think the handlers are
> going to recommend people run one of (or several of) the sql
> "mapping/injection" tools such as sqlmap.
> http://sqlmap.sourceforge.net/
> 
> 
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) && 
> (identify_threat[product[i]))}
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > Huopio Kauto
> > Sent: Monday, May 12, 2008 6:13 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] SQL injections in focus
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Hello all, 
> > 
> > Dominic White has written an update at his blog 
> > on the SQL injection attack situation:
> > 
> > http://singe.za.net/blog/archives/906-SQL-injections-going-mad.html
> > 
> > A quick analysis on the domains mentioned at the blog entry:
> > 
> > nihaorr1.com.           2843    IN      A       60.169.3.130
> > 4134    | 60.169.3.130     | CHINANET-BACKBONE No.31,Jin-rong Street
> > 
> > 2117966.net is NXDOMAIN at the moment
> > 
> > aspder.com.             3600    IN      A       60.172.219.4
> > 4134    | 60.172.219.4     | CHINANET-BACKBONE No.31,Jin-rong Street
> > 
> > haoliuliang.net.        7200    IN      A       0.0.0.0
> > 
> > nmidahena.com is NXDOMAIN at the moment
> > 
> > free.hostpinoy.info.    86400   IN      A       209.51.196.254
> > 10297   | 209.51.196.254   | COLUMBUSNAP - The Columbus Network Access Point, Inc.
> > 
> > xprmn4u.info.           14400   IN      A       217.199.217.9
> > 34221   | 217.199.217.9    | QL-AS JSC QUICKLINE Autonomous System
> > 
> > winzipices.cn.          3600    IN      A       60.191.239.221
> > 4134    | 60.191.239.221   | CHINANET-BACKBONE No.31,Jin-rong Street
> > 
> > wowgm1.cn.                     IN      A 
> > blank A-record
> > 
> > killwow1.cn.            3600    IN      A       60.169.3.130
> > 4134    | 60.169.3.130     | CHINANET-BACKBONE No.31,Jin-rong Street
> > 
> > wowyeye.cn.                    IN      A
> > blank A-record
> > 
> > Any comments/observations on this issue?
> > 
> > --Kauto
> > 
> > Kauto Huopio - kauto.huopio at ficora.fi
> > Senior information security adviser
> > Finnish Communications Regulatory Authority  / CERT-FI
> > tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
> >  
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the 
> > nsp-security
> > community. Confidentiality is essential for effective 
> > Internet security counter-measures.
> > _______________________________________________
> > 
> > 

