[nsp-sec] Distributed SQL Injection attempts
Rodolfo Baader
rbaader at arcert.gov.ar
Thu May 20 12:40:55 EDT 2010
Hi!
> Has anyone experienced a similar incident?
nope ...
But maybe it has some relation to "CZ32ts" ...
#All about current Attacks by the underground: CZ32ts - Auto SQL
#http://whitehatsecurityresponse.blogspot.com/2010/01/cz32ts-auto-sql-injection-attacks-and.html
Regards,
Carles Fragoso wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> A customer of ours has detected a SQL injection attempt on their IPS from the following IPs:
>
> They seem to be infected boxes because they are using User-Agent: czxt2s.
>
> Has anyone experienced a similar incident?
>
> Thanks,
>
> --
> Carles Fragoso Mariscal
> Responsable de Resposta a Incidents
> Centre de Seguretat de la Informació de Catalunya (CESICAT)
> cert at cesicat.cat - +34 902112444
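A defender-side check for the indicator mentioned in this thread, added here as an example and not part of the original messages: it scans web access logs for the reported User-Agent `czxt2s` and groups matching requests by source address to show how distributed the activity is. The Apache/nginx "combined" log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# User-Agent value reported in the thread; compared case-insensitively.
SUSPECT_UA = "czxt2s"

# Assumption: logs use the Apache/nginx "combined" format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample lines (documentation address ranges), not data from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2010:10:01:02 +0200] "GET /news.php?id=7%27 HTTP/1.1" 500 312 "-" "czxt2s"
198.51.100.23 - - [20/May/2010:10:01:05 +0200] "GET /news.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U)"
203.0.113.77 - - [20/May/2010:10:01:09 +0200] "GET /item.php?cat=3%27 HTTP/1.1" 200 801 "-" "CZXT2S"
192.0.2.10 - - [20/May/2010:10:01:11 +0200] "GET /item.php?cat=4%27 HTTP/1.1" 404 210 "-" "czxt2s"
this line is truncated and must not crash the parser
"""

def find_suspect_clients(lines, suspect_ua=SUSPECT_UA):
    """Return ({ip: [request, ...]}, unparsed_count) for requests whose
    User-Agent equals suspect_ua (case-insensitive, outer spaces ignored)."""
    wanted = suspect_ua.strip().lower()
    hits = defaultdict(list)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        m = COMBINED.match(line.rstrip("\n"))
        if m is None:
            unparsed += 1  # count malformed lines instead of silently dropping them
            continue
        if m.group("ua").strip().lower() == wanted:
            hits[m.group("ip")].append(m.group("request"))
    return dict(hits), unparsed

def summarize(hits):
    """Sources sorted by request count (descending), then by address."""
    return sorted(((ip, len(reqs)) for ip, reqs in hits.items()),
                  key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    hits, unparsed = find_suspect_clients(SAMPLE_LOG.splitlines())
    for ip, count in summarize(hits):
        print(f"{ip}\t{count} request(s) with User-Agent {SUSPECT_UA!r}")
    print(f"{len(hits)} distinct source(s), {unparsed} unparsed line(s)")
```

A User-Agent match is only a lead, since the header is client-controlled; correlate the listed sources with IPS alerts before acting on them.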