[nsp-sec] AS 16265 (leaseweb) upstreams 1299, 3354, 3549, 10310 mass SQL injections ( not robint.us) 2677.in
Smith, Donald
Donald.Smith at qwest.com
Fri Jun 11 14:09:16 EDT 2010
This was reported via the handlers list.
The mass SQL injection site has moved.
$ whois -h whois.cymru.com 95.211.130.71
AS | IP | AS Name
16265 | 95.211.130.71 | LEASEWEB LEASEWEB AS
$ whois -h upstream-whois.cymru.com 95.211.130.71
PEER_AS | IP | AS Name
1299 | 95.211.130.71 | TELIANET TeliaNet Global Network
3356 | 95.211.130.71 | LEVEL3 Level 3 Communications
3549 | 95.211.130.71 | GBLX Global Crossing Ltd.
10310 | 95.211.130.71 | YAHOO-1 - Yahoo!
"I found a new domain being injected and this time I was able to pull a bunch of the related files. I've updated my blog with a list of the latest domains.
The domain being injected is hxxp://2677.in/yahoo.js and from following that I was able to generate the list.
http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html
regards,
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com