ASPROX SQL Injection Botnet and iFrame/Malware

We first noticed this attack when one of our larger clients saw a barrage of SQL injection alerts in the report of their Sentinel IPS (6,000 in one week). We looked into and found the extremely clever attack which hides the SQL Injection payload in a hexidecimal string to evade IDS/IPS. Well our device caught the attack at the initial injection stage hence the hex evasion portion of the attack failed.

So what is the good news? Sentinel IPS our managed security product protects against this attack even before it reaches your webserver by catching the initial SQL injection. This means instant protection from this ASP/SQL Injection threat without having to re-write your ASP code over night.

Grab our ASPROX toolkit for information on cleaning and defending from this attack.


***UPDATE*** I met with Dallas US Secret Service office today and this issue is much more wide spread than we previously thought. We want to help so if you have any information for us or need assistance cleaning up this mess give us a call.

How do you know if your site was compromised? Check your ASP application with your browser by viewing source and seeing if their is javascript which loads an iframe containing any of the following domains:

***UPDATE*** Maybe faster to search for the string "/b.js"

nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com