[nsp-sec] SQL injections in focus
Lawrence Baldwin
baldwinl at mynetwatchman.com
Mon May 12 17:45:18 EDT 2008
The thing that is actually much more concerning to me is not that miscreants
are using SQL injection to inject malicious code into generic web sites, but
that they are using them to attack what I classify as 2nd tier sources of ID
theft data. Since Jan 2008 I have been investigating a small gang of
Russian (surprise) ID thieves who have successfully used SQL injection to
compromise and get at ID data...for example, this gang is responsible for
the following breaches (in the latter two cases I was actually the person
that notified the victim of the breach):
Omni American Bank:
http://fergdawg.blogspot.com/2008/01/hackers-steal-omniamerican-bank-account.html
Advance Auto Parts:
http://fergdawg.blogspot.com/2008/04/advance-auto-parts-breach-included.html
Okemo/Killington Ski Resort:
http://www.okemo.com/okemowinter/security_update.asp
What's scary is that there are at least 30 other organizations who were
owned by this same gang...most that have NOT been publicized...this
includes:
* 3-4 US card processors
* At least one payroll processor (which uses debit cards for payroll distro)
* Two non-US banks, one being the largest bank in their respective country
* A large European card processor
etc...
I don't exactly understand it, but I believe the SQL Inject trend is up
because miscreants have added significant automation to what is otherwise a
laborious process. In my case, miscreants were using the SqlNinja attack
kit with some added PHP scripting/automation wrapped around it.
Another intriguing technique is that I observed miscreants using Archive.org
to locate non-production pages on victims' websites...and then injection
attacked those pages too. In one case, this is how the miscreants got in.
SQL Inject penetration testing isn't too meaningful if there are de-linked
pages floating around on the site that won't even be tested!
Regards,
Lawrence.
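An added defender-side example, not from the list post: the inventory check that Lawrence's last paragraph implies, comparing the pages Archive.org's CDX index remembers for a host against the pages the current site links to, so de-linked pages end up in the test scope rather than outside it. The host, CDX lines and linked-URL list are constructed sample data.

```python
"""Inventory de-linked pages so an injection test covers them.

Compares URLs the Wayback Machine CDX index remembers for a host with the
URLs the current site actually links to (from a crawl or sitemap). Anything
archived but no longer linked is a candidate "orphan" page to add to scope.
SAMPLE_CDX is constructed data in the CDX API's default field order:
urlkey timestamp original mimetype statuscode digest length.
"""
from urllib.parse import urlsplit

def normalize(url: str) -> str:
    """Canonical host+path: lowercase (IIS/ASP paths are case-insensitive),
    default port, query and fragment dropped, trailing slash trimmed."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return host + path.lower()

def parse_cdx(text: str) -> set:
    """Normalized URLs of archived HTML pages that were served with 200."""
    pages = set()
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess
        original, mimetype, status = fields[2], fields[3], fields[4]
        if status == "200" and mimetype.startswith("text/html"):
            pages.add(normalize(original))
    return pages

def find_orphans(cdx_text: str, linked_urls) -> list:
    """Archived pages absent from the currently linked set, sorted."""
    linked = {normalize(u) for u in linked_urls}
    return sorted(parse_cdx(cdx_text) - linked)

# Constructed sample data for a hypothetical host.
SAMPLE_CDX = """\
com,example)/ 20070115080000 http://www.example.com/ text/html 200 AAAA 1234
com,example)/default.asp 20070115080100 http://www.example.com/default.asp text/html 200 BBBB 2222
com,example)/admin/oldlogin.asp 20070312120000 http://www.example.com/admin/OldLogin.asp text/html 200 CCCC 3333
com,example)/test/search_beta.asp?q=1 20070620101010 http://www.example.com/test/search_beta.asp?q=1 text/html 200 DDDD 4444
com,example)/images/logo.gif 20070115080200 http://www.example.com/images/logo.gif image/gif 200 EEEE 555
com,example)/gone.asp 20070801000000 http://www.example.com/gone.asp text/html 404 FFFF 100
"""
CURRENT_LINKED = [
    "http://www.example.com/",
    "http://www.example.com/default.asp",
    "http://www.example.com/products.asp",
]

if __name__ == "__main__":
    for page in find_orphans(SAMPLE_CDX, CURRENT_LINKED):
        print("archived but not linked:", page)
```

Every page it reports is one a scanner driven only by the live site's links would never reach; feed the list to the injection test as explicit targets.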
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Huopio Kauto
Sent: Monday, May 12, 2008 08:13
To: nsp-security at puck.nether.net
Subject: [nsp-sec] SQL injections in focus
----------- nsp-security Confidential --------
Hello all,
Dominic White has written an update at his blog on the SQL injection attack
situation:
http://singe.za.net/blog/archives/906-SQL-injections-going-mad.html
A quick analysis on the domains mentioned at the blog entry:
nihaorr1.com. 2843 IN A 60.169.3.130
4134 | 60.169.3.130 | CHINANET-BACKBONE No.31,Jin-rong Street
2117966.net is NXDOMAIN at the moment
aspder.com. 3600 IN A 60.172.219.4
4134 | 60.172.219.4 | CHINANET-BACKBONE No.31,Jin-rong Street
haoliuliang.net. 7200 IN A 0.0.0.0
nmidahena.com is NXDOMAIN at the moment
free.hostpinoy.info. 86400 IN A 209.51.196.254
10297 | 209.51.196.254 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
xprmn4u.info. 14400 IN A 217.199.217.9
34221 | 217.199.217.9 | QL-AS JSC QUICKLINE Autonomous System
winzipices.cn. 3600 IN A 60.191.239.221
4134 | 60.191.239.221 | CHINANET-BACKBONE No.31,Jin-rong Street
wowgm1.cn. IN A
blank A-record
killwow1.cn. 3600 IN A 60.169.3.130
4134 | 60.169.3.130 | CHINANET-BACKBONE No.31,Jin-rong Street
wowyeye.cn. IN A
blank A-record
Any comments/observations on this issue?
--Kauto
Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority / CERT-FI tel. +358-9-6966772,
fax +358-9-6966515, mobile +358-50-5826131
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.