[nsp-sec] Distributed SQL Injection attempts
Carles Fragoso
cfragoso at cesicat.cat
Thu May 20 02:48:45 EDT 2010
Hi,
A customer of ours has detected a SQL injection attempt on their IPS from the following IPs:
They seem to be infected boxes because they are using User-Agent: czxt2s.
Has anyone experienced a similar incident?
Thanks,
--
Carles Fragoso Mariscal
Incident Response Manager
Centre de Seguretat de la Informació de Catalunya (CESICAT)
cert at cesicat.cat - +34 902112444
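
Added example (not part of the original post): one way to check web server logs for the pattern described above, a single unusual User-Agent sending SQL-injection-looking requests from many unrelated source addresses. It assumes combined-format access logs; the function name, the heuristic regex and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (assumed; the post does not show the logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Rough SQL injection heuristic for triage only, not a complete signature.
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.I)


def shared_agent_sources(lines, min_sources=3):
    """Return {user_agent: sorted source IPs} for agents whose SQLi-looking
    requests come from at least min_sources distinct addresses."""
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Decode %xx and '+' so encoded keywords are visible to the regex.
        if SQLI_RE.search(unquote_plus(m["url"])):
            sources[m["ua"]].add(m["ip"])
    return {ua: sorted(ips) for ua, ips in sources.items()
            if len(ips) >= min_sources}


# Constructed sample lines (documentation address ranges, made-up URLs).
SAMPLE = [
    '192.0.2.10 - - [20/May/2010:08:01:02 +0200] "GET /item.php?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 403 512 "-" "czxt2s"',
    '198.51.100.7 - - [20/May/2010:08:01:05 +0200] "GET /item.php?id=2%27%20OR%201=1 HTTP/1.1" 403 512 "-" "czxt2s"',
    '203.0.113.99 - - [20/May/2010:08:01:09 +0200] "GET /news.php?cat=5+UNION+SELECT+1,2 HTTP/1.1" 403 512 "-" "czxt2s"',
    '192.0.2.10 - - [20/May/2010:08:01:11 +0200] "GET /item.php?id=3%20UNION%20SELECT%201 HTTP/1.1" 403 512 "-" "czxt2s"',
    '192.0.2.55 - - [20/May/2010:08:02:00 +0200] "GET /index.php?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/May/2010:08:03:00 +0200] "GET /item.php?id=1%20OR%201=1 HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ua, ips in shared_agent_sources(SAMPLE).items():
        print(f"{ua!r}: {len(ips)} sources: {', '.join(ips)}")
```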